Configuring enhanced security
TrueSight Network Automation is Federal Information Processing Standard (FIPS) Publication 140-2 compliant. Network Automation uses the RSA JSafeJCE security provider for FIPS-compliance. This topic includes the following sections:
- FIPS 140-2 support
- Agent and device communication over SSH
- Handling CVE-2014-3566 (Poodlebleed)
- No support for XInclude
FIPS 140-2 support
The following topics describe the details of the FIPS 140-2 implementation:
- Cipher suites used in the Tomcat server
- To configure catalina.properties in restricted environments
- Password handling
- Application server and device agent communication
- SSH proxy
- top
Cipher suites used in the Tomcat server
Network Automation works in FIPS mode, and supports the TLSv1.2 handshaking protocol and the SHA-256 cipher suites. You can configure these cipher suites in the catalina.properties file. Some of the Internet browsers approved for use with Network Automation, such as Mozilla FireFox, do not yet support TLSv1.2. To ensure that these browsers can still access the Network Automation application server, the following SHA cipher suites are still provided at the lower order:
ECDHE-ECDSA-AES256-SHA384:DH-DSS-AES256-GCM-SHA384:
DH-RSA-AES256-GCM-SHA384:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:
ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:
ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:
DH-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:
DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:
ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:
AES128-GCM-SHA256:AES128-SHA256
To configure catalina.properties in restricted environments
If your environment requires more restricted security, as would be the case for federal customers, perform the following steps.
- Open the BCAN_HOME/tomcat/conf/catalina.properties file in a text editor.
- Find the bna.connector.ciphers property in the file.
Delete the following set of cipher suites from the bna.connector.ciphers property value in the BCAN_HOME/tomcat/conf/catalina.properties file:
Cipher suite to be deletedAES128-SHA256- Save the file and exit the text editor.
- Restart the web server service.
Password handling
Network Automation stores log on passwords in the database using the PBKDF2WithHmacSHA256 algorithm, which is non-reversible, when local authentication is being used.
Network Automation stores all other passwords (such as device security profile passwords, device agent passwords, or job or predefined job runtime parameters declared as passwords) in the database using the following FIPS-compliant algorithms, which are reversible:
- AES-256 (key creation)
- AES-GCM (encryption)
If a password is used during device interaction, such as FTP password, and the transcript shows it as HIDDEN, it is also stored that way in the database.
Application server and device agent communication
For communication between the Network Automation application server and the Network Automation local and remote device agents, Network Automation uses the TLSv1.2 handshaking protocol and the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite.
SSH proxy
Network Automation supports the use of FIPS-compliant encryption algorithms for the SSH proxy connection. Network Automation no longer supports the hashing function, for example, the hmac-md5 encryption algorithms.
The following encryption algorithms are supported for communication between an SSH client and Network Automation SSH proxy server:
Cryptography aspect | Algorithm/Key length used |
|---|---|
Key exchange algorithms | diffie-hellman-group-exchange-sha256,curve25519-sha256,rsa2048-sha256,curve25519-sha256@libssh.org,rsa1024-sha1,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256 |
Host key algorithms | rsa-sha2-512,ssh-rsa,rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384 |
Encryption algorithms (ciphers) | aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr |
Message authentication code algorithms | hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1-etm@openssh.com,hmac-sha1 |
top
Agent and device communication over SSH
For communication between the agent and devices, Network Automation establishes an SSH connection with the device. Network Automation uses only FIPS-compliant algorithms for SSH connections with devices.
You must set <enableFIPSModeForSsh> to true for a device adapter when using SSH to connect to the device that is using FIPS algorithms. For information about the <enableFIPSModeForSsh> tag, see Device-type-header-XML-element-reference.
The following table lists the various algorithms that are used for handshaking between the Network Automation agent (client) and the device (server):
Cryptography aspect | Algorithm/Key length used for Client Key exchange initiation |
|---|---|
Key exchange algorithms | curve25519-sha256,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,rsa2048-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,rsa1024-sha1,diffie-hellman-group-exchange-sha1 |
Host key algorithms | ssh-rsa,rsa-sha2-512,rsa-sha2-256,x509v3-rsa2048-sha256,x509v3-ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,x509v3-ssh-rsa,x509v3-sign-rsa-sha1,x509v3-sign-rsa,x509v3-ssh-dss,ssh-dss,x509v3-sign-dss |
Encryption algorithms (ciphers) | aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc |
Message authentication code algorithms | hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1 |
Handling CVE-2014-3566 (Poodlebleed)
To resolve the Poodlebleed issue, Network Automation supports the newer SSL versions (TLS 1.0, 1.1, and 1.2) and blocks the SSL 3.0 protocol by default in all the HTTPS connections.
Browser – TrueSight Network Automation server communication
Network Automation uses the Apache Tomcat web server. In the catalina.properties file, bna.connector.sslEnabledProtocols is set to TLSv1.2 by default.
BMC does not recommend that you change the default protocols. However, if you choose to modify these at your own risk, perform the following steps:
- Stop the Network Automation services.
- In the catalina.properties file located in the <BCAN_HOME>\tomcat\conf directory, modify the existing value for bna.connector.sslEnabledProtocols based on your requirement.
- Start the Network Automation services.
TrueSight Network Automation agent and network device communication
Network Automation allows HTTPS communication with certain devices. In the global.properties.imported file, httpsEncryptionProtocols is set to TLSv1,TLSv1.1,TLSv1.2 by default.
BMC does not recommend that you change the default protocols. However, if you choose to modify these at your own risk, perform the following steps:
- Stop the Network Automation services.
- In the global.properties.imported file located in the <BCAN_DATA> directory, modify the existing value for httpsEncryptionProtocols based on your requirement.
- Start the Network Automation services.
No support for XInclude
Starting from version 20.02.01, Network Automation does not support the XML's XInclude mechanism, which allows merger of XML documents, by writing inclusion tags in the main XML document to automatically include other documents or parts thereof.