BMC Defender Apache TLS adapter (deprecated)

(Deprecated with version 6.0.02)

Note

As of BMC AMI Command Center for Security and BMC Defender SIEM Correlation Server (known together as BMC Defender Server) version 6.0.02, Apache TLS and HTTPS-only support are default features of BMC Defender Server. A newly installed product creates a default self-signed certificate and all web traffic is directed to HTTPS. You no longer require the BMC Defender Apache TLS adapter to provide this functionality. The adapter is still available for version 5.9.02 and earlier.

This section provides information about enhancing internal security of BMC Defender Server by implementing TLS for your web interface and implementing secure encryption of message communication between BMC Defender Server and its agent programs.

The Apache TLS adapter adds the extra internal security for data processing that is needed for sites that require verifiable and published cryptographic algorithms. These sites include government installations that are constrained to follow FIPS regulations, sites that require PCI DSS certification, and sites that transmit information over the public internet.

Before installing the Enhanced Encryption software, review this section to determine whether your site needs TLS and message encryption. BMC Defender Server contains a number of security and encryption features without the Apache TLS adapter. These core security features include data encryption using a secure (but non-published) encryption algorithm and various methods of authenticating users.

Warning

The United States government regulates the export of cryptographic algorithms. Only parties known to and designated by BMC can use this adapter. For more information about United States cryptography export and import laws, contact the Bureau of Export Administration (BXA) (http://www.bis.doc.gov/) or BMC Support.

The OpenSSL module that provides the encryption services for the Apache TLS server is highly versatile. The openssl.exe program, provided as a standard BMC Defender component within the apache-tls\bin folder, furnishes a powerful command-line interface and command options that can be used to encrypt and decrypt files and create certificates. For more information, see the OpenSSL website.

Adapter availability

BMC Defender Apache TLS adapter is an add-on to the BMC Defender Server and BMC AMI Command Center for Security distributions. The adapter is available only to BMC Defender licensees.

The adapter adds a new Apache server to the system that provides support for HTTPS using various TLS cipher suites. It also enables encrypted transfers between BMC Defender Agents and the main BMC Defender Server site, and other security functions described in this section.

You can follow the instructions in Installing BMC Defender Apache TLS adapter to install the Enhanced Encryption Software package. Configuring Agent Crypto provides detailed information on how to configure message encryption using a secure upload protocol. Configuring BMC Defender Apache TLS adapter provides additional information on how to configure the Apache TLS functions.

Standard BMC Defender Server security features

You can use the following basic data protection and secure processing features of the BMC Defender Server system without installing the BMC Defender Apache TLS adapter:

  • Authentication of users—The basic BMC Defender Server software uses message digests to authenticate users. Only users registered on the system can access or view BMC Defender Server data.
  • Role-based user permissions—The basic BMC Defender Server software allows users to be assigned to the guest, user, and admin roles to govern what data a user can view or modify on the system.
  • Encryption of data—The basic BMC Defender Server software encrypts passwords and other data on the disk using a robust (but unpublished) encryption algorithm. Additionally, BMC Defender Agent can send data to the main BMC Defender Server console in an encrypted form.
  • Authentication during remote configuration—The basic remote configuration function of BMC Defender Agents incorporates authentication by means of an encrypted passkey and by source address, preventing the unauthorized reconfiguration of agents.
  • Secure TCP tunneling software—The basic BMC Defender Server software system includes TCP tunneling software that encrypts data transfers, and also permits access to remote locations through a single TCP port.

Note

These features might be adequate for many installations. Before implementing the TLS/Crypto software at a BMC site, administrators should consider whether these basic security features are adequate to meet the security policies of the organization.

This section provides information about the following topics:
