
    Before TrueSight Operations Management 10.7, PATROL Agent data was secured with a static AES (128- or 256-bit) encryption key that was the same for every installation. Starting from the TrueSight Operations Management 10.7 release, you can strengthen PATROL data security by encrypting it with an installation-specific key that is exchanged between the TrueSight Presentation Server and the PATROL Agent through a key exchange process. The PATROL Agent data that can be secured with this exchanged key is:

    • Infrastructure Management policy data credentials and PATROL Agent query command credentials that are sent to the PATROL Agent.
    • Policy data credentials stored in the policy store of the TrueSight Presentation Server.

    By default, a unique key is generated during the TrueSight Presentation Server installation and is used to encrypt the PATROL Agent data credentials. This key is shared with a PATROL Agent 10.7 when it connects to the Presentation Server; the same key is shared with all PATROL Agents connected to that Presentation Server. The PATROL Agent uses this unique key to decrypt the data it receives from the TrueSight Presentation Server.

    After the TrueSight Presentation Server is installed, you can change this key with the Presentation Server tssh command.

    The following table explains the compatibility of dynamic encryption key functionality for different versions of the PATROL Agent, TrueSight Presentation Server, and TrueSight Infrastructure Management.

    PATROL Agent | TrueSight Infrastructure Management | TrueSight Presentation Server | Dynamic encryption supported
    -------------+-------------------------------------+-------------------------------+-----------------------------
    10.7         | 10.7                                | 10.7                          | Yes
    < 10.7       | 10.7                                | 10.7                          | No. The previous functionality (static encryption) continues to work.
    10.7         | 10.7                                | < 10.7                        | No. The previous functionality (static encryption) continues to work.
    10.7         | < 10.7                              | 10.7                          | Partially. PATROL Agent policy credentials are encrypted using dynamic encryption, but Infrastructure Management Agent Query command credentials are encrypted using the static encryption mechanism.

    The following process flow diagrams explain the key exchange process between the Presentation Server and the PATROL Agent.

    Key exchange process in the Presentation Server

    The following section explains the sequence of steps in the Presentation Server.

    • The PATROL Agent sends its public key to the Presentation Server as part of the agent registration process.
    • The Presentation Server uses the pre-generated unique key to encrypt the PATROL Agent data.
    • The Presentation Server also encrypts this unique key using the public key received from the PATROL Agent.
    • The encrypted data and the encrypted unique key are sent to the PATROL Agent.

    Key exchange process in the PATROL Agent

    The following section explains the sequence of steps in the PATROL Agent.

    • The PATROL Agent decrypts the encrypted unique key using its private key.

      Note: This unique key was encrypted in the Presentation Server using the PATROL Agent's public key and then sent to the PATROL Agent.

    • This unique key is used to decrypt the PATROL Agent data received from the Presentation Server.
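    The two sequences above, written out as an added example (this is not BMC's code). The page does not name the asymmetric algorithm or the AES mode, so RSA-OAEP and AES-GCM are assumptions, as are the function names; the server's unique key is the 16- or 32-byte AES key generated at installation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// NewAgentKey is the key pair whose public half the PATROL Agent sends at registration (RSA assumed).
func NewAgentKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// newGCM builds AES-GCM from a 16- or 32-byte key (AES-128 / AES-256); GCM is an assumption.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ServerEncrypt is the Presentation Server side: encrypt the credentials under the unique key, then wrap that key with the agent's public key.
func ServerEncrypt(agentPub *rsa.PublicKey, uniqueKey, credentials []byte) (wrapped, nonce, ciphertext []byte, err error) {
	gcm, err := newGCM(uniqueKey)
	if err != nil {
		return nil, nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize()) // fresh nonce for every message
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, agentPub, uniqueKey, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	return wrapped, nonce, gcm.Seal(nil, nonce, credentials, nil), nil
}

// AgentDecrypt is the PATROL Agent side: unwrap the unique key with the private key, then decrypt the credentials (tampered data fails the GCM tag check).
func AgentDecrypt(agentPriv *rsa.PrivateKey, wrapped, nonce, ciphertext []byte) ([]byte, error) {
	uniqueKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, agentPriv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(uniqueKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}
```

    Only an agent holding the matching private key can recover the unique key, which is why the server can safely send the same key to every registered agent.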


    You can change the unique key after the TrueSight Presentation Server is installed by using a CLI command in the Presentation Server. For more information, see Changing the encryption key to secure PATROL Agent data.