Data transfer

BMC TrueSight Capacity Optimization can securely transfer data between internal components and from BMC TrueSight Capacity Optimization components to external components.

| Traffic | When encrypted |
|---|---|
| Browser to AS | When HTTPS option is chosen |
| AS to DB | When transport layer security is chosen |
| ETL to data source | Where the data source supports secure transfers |
| ETL to Data hub (control) | When HTTPS option is chosen |
| ETL to Data hub (data) | When HTTPS option is chosen |
| SMTP send for email | When SMTP is configured over TLS |
| LDAP connection for authentication | When LDAP is configured for encryption |

The ETL Engine Server and the Data Hub on the Application Server communicate with each other over REST APIs and, by default, use basic authentication to identify themselves. This traffic can optionally be encrypted by configuring both components to use HTTPS, as mentioned in the table above.

For information about the secure protocols BMC TrueSight Capacity Optimization uses for data transfer, see Communication ports and protocols.

User authentication and authorization

  • Users assigned an administrator role can configure user authentication and role-based access control from the BMC TrueSight Capacity Optimization Console.
    See Roles for detailed information.
  • BMC TrueSight Capacity Optimization supports integration with BMC Atrium Single Sign-On (SSO), which enables users to present credentials once for seamless access to all BMC products integrated into the system.
    See BMC TrueSight Operations Management for detailed information.
  • User authorization is defined by access control policies that allow granular control over functions and data access for BMC TrueSight Capacity Optimization users.
    See Users for detailed information.

User credentials

The following types of credentials are stored in an encrypted form:

  • BMC TrueSight Capacity Optimization user credentials
  • All credentials used by connectors (for example, to access data sources such as databases), which are saved in the BMC TrueSight Capacity Optimization database configuration tables
  • SMTP email credentials

Credentials used by connectors are extracted by the ETL Engine server from the database in encrypted form. If the ETL Engine is configured as a "remote" ETL Engine, these credentials are extracted by the Data Hub and transferred to the ETL Engine in encrypted form. Thus, in either case, these credentials are never transferred in plaintext.

The encryption and decryption keys are pre-configured in all BMC TrueSight Capacity Optimization ETL Engine servers. These keys are not visible to the administrator.

User Credentials for ETL modules

The ETL Engine uses a new version of the Java runtime, JRE 1.8, and can connect securely to external data sources such as VMware vCenter. This version of the JRE requires high-security connections and disables RSA keys of less than 1024 bits. However, some data sources (for example, vCenter) may still have an SSL key that does not meet this security constraint, because old SSL keys may have been created with a key size of less than 1024 bits.

In this case, the BMC TrueSight Capacity Optimization connector running in the ETL Engine will not be able to create a secure connection and will fail. The correct way to fix this error is to change the SSL key of the data source. You will need to refer to the documentation of the data source in your setup for details.

As a workaround (not recommended), the BMC TrueSight Capacity Optimization administrator can follow the steps given below to lower the security policy of the ETL Engine's JRE.

  1. Navigate to the file jre/lib/security/java.security
  2. Replace
        jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

    with
        jdk.certpath.disabledAlgorithms=MD2
  3. Save the file
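
To find ETL Engine hosts where this workaround is still in place after the data source's key has been replaced, the contents of java.security can be audited for the weakened line. The following is an added example, not BMC code: the function names are hypothetical, the sample file contents are constructed from the two settings shown in the steps above, and only the simple `RSA keySize < N` (or `<= N`) form is recognized; any other form is reported as failing so that it gets a manual look.

```python
import re

PROP = "jdk.certpath.disabledAlgorithms"
# Constructed sample file contents built from the two settings in the steps above.
DEFAULT_POLICY = "# constructed\n" + PROP + "=MD2, RSA keySize < 1024\n"
WORKAROUND_POLICY = "# constructed\n" + PROP + "=MD2\n"
CONTINUED_POLICY = PROP + "=MD2, \\\n    RSA keySize < 1024\n"

def read_property(text, name):
    """Return the value of `name` from java.security-style text, or None.
    Handles comments, backslash line continuations and last-definition-wins."""
    value, logical = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue  # blank line or comment outside a continued entry
        if line.endswith("\\"):
            logical += line[:-1]  # entry continues on the next line
            continue
        logical += line
        key, sep, val = logical.partition("=")
        if sep and key.strip() == name:
            value = val.strip()  # a later definition overrides an earlier one
        logical = ""
    return value

def rsa_min_key_bits(value):
    """Smallest RSA key size the policy still accepts; 0 if no simple limit is set."""
    for entry in (value or "").split(","):
        m = re.fullmatch(r"\s*RSA\s+keySize\s*(<=|<)\s*(\d+)\s*", entry)
        if m:
            bits = int(m.group(2))
            return bits if m.group(1) == "<" else bits + 1
    return 0

def audit(text, required_bits=1024):
    """Return (ok, message) for the certpath policy in one java.security file."""
    value = read_property(text, PROP)
    if value is None:
        return False, f"{PROP} is not set"
    bits = rsa_min_key_bits(value)
    if bits < required_bits:
        return False, (f"no simple RSA keySize limit of at least "
                       f"{required_bits} bits found (policy: {value})")
    return True, f"RSA keys under {bits} bits are rejected"
```

On an ETL Engine host, pass the text of the file from step 1 to `audit()`; a `False` result means the JRE will accept certificates that the default policy would have refused.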

Example for vCenter Extractor Service - An error code (BCO_ETL_FAIL113) is displayed when the ETL is unable to connect to the vCenter because the server certificate does not conform to expected JVM security constraints. Change the vCenter SSL key to use a self-signed certificate. For more information, refer to the VMware documentation.

If it is not possible for the BMC TrueSight Capacity administrator to change the SSL certificate of the vCenter, use the general workaround described above.

Auditing

Important actions, such as user logins and executions of background tasks, are recorded in an audit log for the administrator to view. For more information about the auditing feature, see Auditing.

Web access security

BMC TrueSight Capacity Optimization is designed to be used in an enterprise network, not on the public Internet. Web access vulnerabilities are mitigated by the following steps:

  • Cookies: Only session cookies are used; no persistent cookies are left on browser machines.
  • Hidden fields: These are used for user data submission, but not for storing data.

Where to go from here

Communication ports and protocols

Related topics

Users

LDAP