Configuring enhanced security
TrueSight Network Automation is Federal Information Processing Standard (FIPS) Publication 140-2 compliant. Network Automation uses the RSA JSafeJCE security provider for FIPS compliance. This topic includes the following sections:
FIPS 140-2 support
The following topics describe the details of the FIPS 140-2 implementation:
- Cipher suites used in the Tomcat server
- Password handling
- Application server and device agent communication
- SSH proxy
Cipher suites used in the Tomcat server
Network Automation works in FIPS mode, and supports the TLSv1.2 and TLSv1.3 handshaking protocols and the SHA-256 cipher suites. You can configure these cipher suites in the catalina.properties file. The following SHA cipher suites are still provided, at a lower position in the preference order:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305
Password handling
When local authentication is being used, Network Automation stores logon passwords in the database using the PBKDF2WithHmacSHA256 algorithm, which is non-reversible.
Network Automation stores all other passwords (such as device security profile passwords, device agent passwords, or job or predefined job runtime parameters declared as passwords) in the database using the following FIPS-compliant algorithms, which are reversible:
- AES-256 (key creation)
- AES-GCM (encryption)
If a password is used during device interaction, such as an FTP password, and the transcript shows it as HIDDEN, it is also stored that way in the database.
Application server and device agent communication
For communication between the Network Automation application server and the Network Automation local and remote device agents, Network Automation uses the TLSv1.2 handshaking protocol and the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite.
SSH proxy
Network Automation supports the use of FIPS-compliant encryption algorithms for the SSH proxy connection. Network Automation no longer supports certain hashing functions, for example, the hmac-md5 message authentication code algorithm.
The following encryption algorithms are supported for communication between an SSH client and Network Automation SSH proxy server:
Cryptography aspect | Algorithm/Key length used |
---|---|
Key exchange algorithms | diffie-hellman-group-exchange-sha256,curve25519-sha256,rsa2048-sha256,curve25519-sha256@libssh.org,rsa1024-sha1,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256 |
Host key algorithms | rsa-sha2-512,ssh-rsa,rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384 |
Encryption algorithms (ciphers) | aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr |
Message authentication code algorithms | hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1-etm@openssh.com,hmac-sha1 |
Agent and device communication over SSH
For communication between the agent and devices, Network Automation establishes an SSH connection with the device. Network Automation uses only FIPS-compliant algorithms for SSH connections with devices.
You must set <enableFIPSModeForSsh> to true for a device adapter when using SSH to connect to the device that is using FIPS algorithms. For information about the <enableFIPSModeForSsh> tag, see Device-type-header-XML-element-reference.
The following table lists the various algorithms that are used for handshaking between the Network Automation agent (client) and the device (server):
Cryptography aspect | Algorithm/Key length used for Client Key exchange initiation |
---|---|
Key exchange algorithms | curve25519-sha256,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,rsa2048-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,rsa1024-sha1,diffie-hellman-group-exchange-sha1 |
Host key algorithms | ssh-rsa,rsa-sha2-512,rsa-sha2-256,x509v3-rsa2048-sha256,x509v3-ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,x509v3-ssh-rsa,x509v3-sign-rsa-sha1,x509v3-sign-rsa,x509v3-ssh-dss,ssh-dss,x509v3-sign-dss |
Encryption algorithms (ciphers) | aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc |
Message authentication code algorithms | hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1 |
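
The following added example (not BMC code) shows which algorithms a session ends up with when the agent's lists above meet a device's offer, using the RFC 4253 section 7.1 rule that the first name on the client's list that the server also offers is chosen. The two device offers and the `LEGACY` review pattern are constructed assumptions, and the extra key exchange/host key compatibility conditions of RFC 4253 are not modeled.

```python
import re

# Agent (client) preference order, copied from the agent-to-device table on this page.
AGENT = {
    "kex": "curve25519-sha256,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,"
           "diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,"
           "diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,"
           "diffie-hellman-group-exchange-sha256,rsa2048-sha256,ecdh-sha2-nistp521,"
           "ecdh-sha2-nistp384,ecdh-sha2-nistp256,rsa1024-sha1,"
           "diffie-hellman-group-exchange-sha1",
    "hostkey": "ssh-rsa,rsa-sha2-512,rsa-sha2-256,x509v3-rsa2048-sha256,"
               "x509v3-ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp384,"
               "x509v3-ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
               "ecdsa-sha2-nistp256,x509v3-ssh-rsa,x509v3-sign-rsa-sha1,x509v3-sign-rsa,"
               "x509v3-ssh-dss,ssh-dss,x509v3-sign-dss",
    "cipher": "aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,"
              "aes256-cbc,aes192-cbc,aes128-cbc",
    "mac": "hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1",
}
# This example's own review heuristic (an assumption, not a BMC classification):
# SHA-1 based names, CBC mode, DSS keys and 1024-bit RSA are flagged for review.
LEGACY = re.compile(r"sha1|-cbc$|dss|rsa1024|ssh-rsa$")

# Constructed device offers (hypothetical, for illustration only).
OLD_DEVICE = {"kex": "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1",
              "hostkey": "ssh-dss,ssh-rsa", "cipher": "3des-cbc,aes128-cbc,aes256-cbc",
              "mac": "hmac-md5,hmac-sha1"}
NEW_DEVICE = {"kex": "curve25519-sha256,ecdh-sha2-nistp256",
              "hostkey": "ssh-ed25519,rsa-sha2-512",
              "cipher": "aes256-ctr,aes256-gcm@openssh.com", "mac": "hmac-sha2-256"}

def negotiate(device):
    """Pick, per aspect, the first agent-side name the device also offers (None if no overlap)."""
    chosen = {}
    for aspect, names in AGENT.items():
        offered = set(device[aspect].split(","))
        chosen[aspect] = next((n for n in names.split(",") if n in offered), None)
    if chosen["cipher"] and "gcm@" in chosen["cipher"]:
        chosen["mac"] = "(implicit, AEAD cipher)"  # AES-GCM carries its own integrity tag
    return chosen

def legacy_aspects(chosen):
    """Return the aspects whose negotiated algorithm matches the LEGACY review pattern."""
    return sorted(a for a, n in chosen.items() if n and LEGACY.search(n))

if __name__ == "__main__":
    for label, dev in (("old device", OLD_DEVICE), ("new device", NEW_DEVICE)):
        result = negotiate(dev)
        print(label, result, "review:", legacy_aspects(result))
```

An aspect that comes back as `None` means the agent and the device share no algorithm for it, so the SSH connection cannot be established.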
TrueSight Network Automation agent and network device communication
Network Automation allows HTTPS communication with certain devices. In the global.properties.imported file, httpsEncryptionProtocols is set to TLSv1,TLSv1.1,TLSv1.2 by default.
BMC does not recommend that you change the default protocols. However, if you choose to modify these at your own risk, perform the following steps:
- Stop the Network Automation services.
- In the global.properties.imported file located in the <BCAN_DATA> directory, modify the existing value for httpsEncryptionProtocols based on your requirement.
- Start the Network Automation services.
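
A check to run on the edited file before starting the services again, as an added example (not BMC code): it reads httpsEncryptionProtocols from properties text, reports tokens that are not standard JSSE protocol names (typically typos) and lists the enabled protocols that RFC 8996 deprecates. The sample file content and the `someOtherSetting` key are constructed, and treating the JSSE names as the set the product accepts is an assumption.

```python
import re

KNOWN = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # standard JSSE protocol names
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # SSLv3: RFC 7568; TLS 1.0/1.1: RFC 8996

# Constructed sample of global.properties.imported (only the last line comes from this page).
SAMPLE = """\
# constructed sample
someOtherSetting=42
httpsEncryptionProtocols=TLSv1,TLSv1.1,TLSv1.2
"""

def read_property(text, key):
    """Return the last value assigned to key in Java .properties text, or None.
    Line continuations and backslash escapes are not handled."""
    value = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":   # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == key:
            value = m.group(2).strip()    # a later definition overrides an earlier one
    return value

def audit_https_protocols(text):
    """Classify the configured protocols; returns None when the key is absent."""
    raw = read_property(text, "httpsEncryptionProtocols")
    if raw is None:
        return None
    enabled = [p.strip() for p in raw.split(",") if p.strip()]
    return {
        "enabled": enabled,
        "unknown": [p for p in enabled if p not in KNOWN],
        "deprecated": [p for p in enabled if p in DEPRECATED],
    }

if __name__ == "__main__":
    print(audit_https_protocols(SAMPLE))
```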
No support for XInclude
Starting from version 20.02.01, Network Automation does not support XML's XInclude mechanism, which merges XML documents: inclusion tags written in the main XML document automatically include other documents or parts thereof.