Configuring enhanced security


TrueSight Network Automation is Federal Information Processing Standard (FIPS) Publication 140-2 compliant and uses the RSA JSafeJCE security provider for FIPS compliance. This topic includes the following sections:

FIPS 140-2 support

The following topics describe the details of the FIPS 140-2 implementation:

Note

You can find links to the FIPS 140-2 documents on the FIPS Publications page on the National Institute of Standards and Technology (NIST) website:

http://csrc.nist.gov/publications/PubsFIPS.html.

Cipher suites used in the Tomcat server

TrueSight Network Automation works in FIPS mode, supports the TLSv1.2 and TLSv1.3 handshake protocols, and uses only cipher suites with SHA-256 or SHA-384 integrity. You can configure these cipher suites in the catalina.properties file. The following cipher suites are configured; the TLSv1.3 suites (TLS_* names) are listed first and the TLSv1.2 suites (OpenSSL names) are kept at lower preference:

Cipher suites:
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305


Password handling

When local authentication is used, TrueSight Network Automation stores log-on passwords in the database using the PBKDF2WithHmacSHA256 algorithm, a salted and iterated hash that cannot be reversed to recover the password.

TrueSight Network Automation stores all other passwords (such as device security profile passwords, device agent passwords, and job or predefined-job runtime parameters declared as passwords) in the database using the following FIPS-compliant algorithms, which are reversible because the product must later supply these passwords to devices:

  • AES-256 (key creation) 
  • AES-GCM (encryption)

If a password is used during device interaction, such as an FTP password, and the transcript shows it as HIDDEN, it is stored that way in the database as well.
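The non-reversible path described above is what protects log-on passwords if a copy of the database leaks: the stored value is a salted, iterated PBKDF2-HMAC-SHA-256 output, so an attacker has to guess the password rather than decrypt it. The following Python code is an added example of that scheme, not TrueSight Network Automation code; the record format, the iteration count and the salt length are the example author's choices, and the reversible AES-GCM path for device passwords is a separate mechanism not shown here.

```python
"""Store and verify a log-on password the non-reversible way: PBKDF2 with
HMAC-SHA-256, a per-record random salt, and a constant-time comparison.

Added example, not TrueSight Network Automation code. The record format
("pbkdf2_sha256$iterations$salt$hash"), the iteration count and the
salt length are the example author's choices."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumption: a current OWASP-recommended count for PBKDF2-HMAC-SHA256
SALT_BYTES = 16        # assumption: 128-bit random salt per record
DKLEN = 32             # 256-bit derived key, matching the HMAC-SHA-256 output size


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record; nothing in it lets you recover the password."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute the derived key from the stored salt and iterations, then compare in constant time."""
    scheme, iterations, salt_b64, dk_b64 = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
    )
    # compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("Correct horse battery staple", rec))   # False
```

Because the salt and the iteration count travel with the record, the count can be raised later without invalidating existing records: old ones keep verifying, and can be rehashed on the next successful log-on.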


Application server and device agent communication

For communication between the TrueSight Network Automation application server and the TrueSight Network Automation local and remote device agents, TrueSight Network Automation uses the TLSv1.2 handshake protocol and the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite.
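The two suite lists on this page (the Tomcat catalina.properties string in the cipher suites section and the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 suite used between the application server and the agents) use different naming conventions, OpenSSL and IANA, and reading them by hand is error-prone. The following Python script is an added example, not TrueSight Network Automation code: it parses both conventions, breaks each suite into key exchange, bulk cipher and digest, and flags suites a FIPS-mode listener should not offer. The classification rules (for instance, that ChaCha20-Poly1305 is not a FIPS-approved algorithm) are the example author's own policy, not the JSafeJCE provider's behaviour; the suite strings are copied from this page.

```python
"""Parse colon-separated TLS cipher-suite lists (OpenSSL/Tomcat names and
IANA TLS_..._WITH_... names) and report suites a FIPS-mode listener
should not offer.

Added example, not TrueSight Network Automation code. The suite strings
are copied from this page; the policy rules are the example author's."""
import re

# Copied from the catalina.properties list on this page.
TOMCAT_SUITES = (
    "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305"
)
# Copied from the application-server / device-agent section.
AGENT_SUITE = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

OPENSSL_KEX = re.compile(r"^(ECDHE_RSA|ECDHE_ECDSA|DHE_RSA|DHE_DSS|ADH|AECDH)_(.+)$")


def describe(suite):
    """Split one suite name into protocol, key exchange, bulk cipher and digest."""
    s = suite.upper().replace("-", "_")
    if s.startswith("TLS_") and "_WITH_" not in s:
        # TLS 1.3 names carry only the AEAD and the HKDF hash; key exchange is always ephemeral (EC)DHE.
        proto, kex, body = "TLSv1.3", "(EC)DHE", s[4:]
    elif "_WITH_" in s:
        proto = "TLSv1.2"
        kex, body = s[4:].split("_WITH_", 1)
    else:
        proto = "TLSv1.2"
        m = OPENSSL_KEX.match(s)
        # OpenSSL omits the prefix for static RSA key transport (e.g. AES128-GCM-SHA256).
        kex, body = (m.group(1), m.group(2)) if m else ("RSA", s)

    if "CHACHA20" in body:
        cipher = "CHACHA20-POLY1305"
    elif (m := re.search(r"AES_?(128|256)_?(GCM|CCM)?", body)):
        cipher = f"AES-{m.group(1)}-{m.group(2) or 'CBC'}"
    elif "3DES" in body or "DES_CBC3" in body or "DES_EDE" in body:
        cipher = "3DES-CBC"
    elif "RC4" in body:
        cipher = "RC4"
    elif "NULL" in body:
        cipher = "NULL"
    else:
        cipher = "UNKNOWN"

    m = re.search(r"(SHA384|SHA256|SHA1|SHA|MD5)$", body)
    if m:
        digest = "SHA1" if m.group(1) == "SHA" else m.group(1)
    else:
        # OpenSSL's ECDHE-RSA-CHACHA20-POLY1305 has no suffix; its IANA name ends in SHA256.
        digest = "SHA256" if cipher == "CHACHA20-POLY1305" else "UNKNOWN"
    return {"name": suite, "protocol": proto, "kex": kex, "cipher": cipher, "digest": digest}


def fips_findings(suite_list):
    """Return (suite, reason) pairs for every suite the example policy says to drop."""
    findings = []
    for name in filter(None, suite_list.split(":")):
        d = describe(name)
        if d["cipher"] == "CHACHA20-POLY1305":
            findings.append((name, "ChaCha20-Poly1305 is not a FIPS-approved algorithm"))
        elif not d["cipher"].startswith("AES"):
            findings.append((name, f"{d['cipher']} is not an approved bulk cipher"))
        if d["digest"] in ("SHA1", "MD5"):
            findings.append((name, f"{d['digest']} PRF/MAC is deprecated"))
        if d["kex"] == "RSA":
            findings.append((name, "static RSA key exchange has no forward secrecy"))
        elif d["kex"] in ("ADH", "AECDH"):
            findings.append((name, "anonymous key exchange has no server authentication"))
    return findings


if __name__ == "__main__":
    for name in TOMCAT_SUITES.split(":") + [AGENT_SUITE]:
        print(describe(name))
    for name, why in fips_findings(TOMCAT_SUITES):
        print(f"DROP {name}: {why}")
```

Run against the catalina.properties string, the script reports only the two ChaCha20-Poly1305 suites; everything else is an ECDHE-authenticated AES-GCM suite with a SHA-2 digest, and the agent suite passes cleanly.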

SSH proxy

TrueSight Network Automation supports the use of FIPS-compliant encryption algorithms for the SSH proxy connection. TrueSight Network Automation no longer supports weak message authentication algorithms such as hmac-md5.

The following algorithms are supported for communication between an SSH client and the TrueSight Network Automation SSH proxy server:

Cryptography aspect / Algorithm or key length used

Key exchange algorithms

  • diffie-hellman-group-exchange-sha256
  • curve25519-sha256
  • rsa2048-sha256
  • curve25519-sha256@libssh.org
  • rsa1024-sha1
  • diffie-hellman-group18-sha512
  • diffie-hellman-group17-sha512
  • diffie-hellman-group16-sha512
  • diffie-hellman-group15-sha512
  • diffie-hellman-group14-sha256
  • diffie-hellman-group14-sha1
  • ecdh-sha2-nistp521
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp256

Host key algorithms

  • rsa-sha2-512
  • ssh-rsa
  • rsa-sha2-256
  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp521
  • ecdsa-sha2-nistp384
  • ed25519

Encryption algorithms (ciphers)

Message authentication code algorithms


Agent and device communication over SSH

For communication between the agent and devices, TrueSight Network Automation establishes an SSH connection with the device. TrueSight Network Automation uses only FIPS-compliant algorithms for SSH connections with devices.

You must set <enableFIPSModeForSsh> to true in the device adapter when using SSH to connect to a device that uses FIPS algorithms. For information about the <enableFIPSModeForSsh> tag, see Device-type-header-XML-element-reference.

Note

  • Encryption algorithms cannot be configured in TrueSight Network Automation. However, they can be configured on the network device.
  • TrueSight Network Automation does not support weaker algorithms. Because of this, you might be unable to make SSH connections to some network devices. Consider upgrading the device firmware or configuring the device to use compatible algorithms. Refer to the table below for the supported algorithms.

The following table lists the algorithms that are used for handshaking between the TrueSight Network Automation agent (client) and the device (server):

Cryptography aspect / Algorithm or key length used for client key exchange initiation

Key exchange algorithms

  • curve25519-sha256
  • diffie-hellman-group18-sha512
  • diffie-hellman-group17-sha512
  • diffie-hellman-group16-sha512
  • diffie-hellman-group15-sha512
  • diffie-hellman-group14-sha1
  • diffie-hellman-group14-sha256
  • diffie-hellman-group-exchange-sha256
  • rsa2048-sha256
  • ecdh-sha2-nistp521
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp256
  • rsa1024-sha1
  • diffie-hellman-group-exchange-sha1

Host key algorithms

  • ssh-rsa
  • rsa-sha2-512
  • rsa-sha2-256
  • x509v3-rsa2048-sha256
  • x509v3-ecdsa-sha2-nistp521
  • x509v3-ecdsa-sha2-nistp384
  • x509v3-ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp521
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp256
  • x509v3-ssh-rsa
  • x509v3-sign-rsa-sha1
  • x509v3-sign-rsa
  • x509v3-ssh-dss
  • ssh-dss
  • x509v3-sign-dss
  • ed25519

Encryption algorithms (ciphers)

Message authentication code algorithms
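Both SSH tables on this page (the proxy server's list in the SSH proxy section and the agent's client list above) matter because of how SSH picks an algorithm: RFC 4253 section 7.1 chooses, for each algorithm class, the first entry in the client's list that the server also offers, and fails the connection if there is none. The following Python script is an added example, not TrueSight Network Automation code: it replays that rule with the agent's key-exchange and host-key lists and the proxy's key-exchange list copied from the page, treating the page's order as the preference order (an assumption), against device and client algorithm sets constructed for the example. It also shows why the note above points to the device: trimming the device's list changes what gets negotiated.

```python
"""Replay the SSH algorithm negotiation of RFC 4253 section 7.1 for the
algorithm lists on this page: per class, the chosen algorithm is the
first entry in the client's list that the server also offers; if there
is none, the connection fails.

Added example, not TrueSight Network Automation code. AGENT_KEX,
AGENT_HOSTKEY and PROXY_KEX are copied from the page's tables and are
assumed to be in preference order; the device and client lists are
constructed for the example and are not real device configurations."""

# TrueSight Network Automation agent acting as SSH client (copied from the page).
AGENT_KEX = [
    "curve25519-sha256", "diffie-hellman-group18-sha512",
    "diffie-hellman-group17-sha512", "diffie-hellman-group16-sha512",
    "diffie-hellman-group15-sha512", "diffie-hellman-group14-sha1",
    "diffie-hellman-group14-sha256", "diffie-hellman-group-exchange-sha256",
    "rsa2048-sha256", "ecdh-sha2-nistp521", "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp256", "rsa1024-sha1", "diffie-hellman-group-exchange-sha1",
]
AGENT_HOSTKEY = [
    "ssh-rsa", "rsa-sha2-512", "rsa-sha2-256", "x509v3-rsa2048-sha256",
    "x509v3-ecdsa-sha2-nistp521", "x509v3-ecdsa-sha2-nistp384",
    "x509v3-ecdsa-sha2-nistp256", "ecdsa-sha2-nistp521", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp256", "x509v3-ssh-rsa", "x509v3-sign-rsa-sha1",
    "x509v3-sign-rsa", "x509v3-ssh-dss", "ssh-dss", "x509v3-sign-dss", "ed25519",
]
# TrueSight Network Automation SSH proxy acting as SSH server (copied from the page).
PROXY_KEX = [
    "diffie-hellman-group-exchange-sha256", "curve25519-sha256", "rsa2048-sha256",
    "curve25519-sha256@libssh.org", "rsa1024-sha1", "diffie-hellman-group18-sha512",
    "diffie-hellman-group17-sha512", "diffie-hellman-group16-sha512",
    "diffie-hellman-group15-sha512", "diffie-hellman-group14-sha256",
    "diffie-hellman-group14-sha1", "ecdh-sha2-nistp521", "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp256",
]

# Constructed device algorithm sets (not real device configurations).
MODERN_DEVICE = {
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
    "hostkey": ["ecdsa-sha2-nistp256", "ssh-rsa"],
}
LEGACY_DEVICE = {"kex": ["diffie-hellman-group1-sha1"], "hostkey": ["ssh-dss"]}
# Constructed: an OpenSSH-style client connecting to the SSH proxy.
OPENSSH_CLIENT_KEX = ["sntrup761x25519-sha512@openssh.com", "curve25519-sha256",
                      "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256"]

AGENT = {"kex": AGENT_KEX, "hostkey": AGENT_HOSTKEY}


def negotiate(client_prefs, server_prefs):
    """RFC 4253 7.1: the first client-preferred algorithm the server supports, else None."""
    offered = set(server_prefs)
    return next((alg for alg in client_prefs if alg in offered), None)


def negotiate_session(client, server):
    """Pick the key-exchange and host-key algorithm; raise if either class has no overlap."""
    chosen = {}
    for cls in ("kex", "hostkey"):
        alg = negotiate(client[cls], server[cls])
        if alg is None:
            raise ValueError(f"no common {cls} algorithm; device offers {server[cls]}")
        chosen[cls] = alg
    return chosen


def harden_device(device):
    """What a device admin can do on the device side: drop SHA-1 key exchange and DSA host keys."""
    return {
        "kex": [a for a in device["kex"] if not a.endswith("-sha1")],
        "hostkey": [a for a in device["hostkey"] if a != "ssh-dss"],
    }


if __name__ == "__main__":
    print(negotiate_session(AGENT, MODERN_DEVICE))
    print(negotiate_session(AGENT, harden_device(MODERN_DEVICE)))
    print(negotiate(OPENSSH_CLIENT_KEX, PROXY_KEX))
    try:
        negotiate_session(AGENT, LEGACY_DEVICE)
    except ValueError as exc:
        print("refused:", exc)
```

With the page's list order, a device that offers both diffie-hellman-group14-sha1 and diffie-hellman-group14-sha256 ends up on the SHA-1 variant, because the agent lists it first; removing the SHA-1 entry on the device moves the session to the SHA-256 variant. The legacy device, offering only diffie-hellman-group1-sha1 and ssh-dss, has no overlap with the agent's list at all, which is the failure the note above describes.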


TrueSight Network Automation agent and network device communication

TrueSight Network Automation allows HTTPS communication with certain devices. In the global.properties.imported file, httpsEncryptionProtocols is set to TLSv1,TLSv1.1,TLSv1.2 by default.

BMC does not recommend that you change the default protocols. However, if you choose to modify them at your own risk, perform the following steps:

  1. Stop the TrueSight Network Automation services.
  2. In the global.properties.imported file located in the <BCAN_DATA> directory, modify the existing value for httpsEncryptionProtocols based on your requirement.
  3. Start the TrueSight Network Automation services.
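The three steps above come down to editing one key in a Java properties file. The following Python helper is an added example, not TrueSight Network Automation code: it rewrites httpsEncryptionProtocols without touching any other line, keeps a backup, and refuses values that are not JSSE protocol names. The sample file text is constructed, and the caller supplies the real path under BCAN_DATA. One caveat when deciding whether to narrow the list: TLSv1 and TLSv1.1 are deprecated by RFC 8996, but a device that supports TLSv1.2 negotiates it regardless, because the highest version both sides support is chosen, so the default list only matters for devices limited to the older versions.

```python
"""Rewrite the httpsEncryptionProtocols key in a Java .properties file,
leaving every other line alone, after validating the new value.

Added example, not TrueSight Network Automation code. SAMPLE is a
constructed excerpt, not the real global.properties.imported; pass the
real path under BCAN_DATA to update_file() while the services are stopped."""
import re
import shutil
from pathlib import Path

KEY = "httpsEncryptionProtocols"
JSSE_PROTOCOL_NAMES = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
DEPRECATED = ("TLSv1", "TLSv1.1")   # deprecated by RFC 8996

SAMPLE = """# constructed excerpt, not a real global.properties.imported
someOtherSetting=true
httpsEncryptionProtocols=TLSv1,TLSv1.1,TLSv1.2
anotherSetting=42
"""


def validate_protocols(protocols):
    """Accept only a non-empty list of JSSE protocol names; return it de-duplicated, order kept."""
    names = list(dict.fromkeys(p.strip() for p in protocols if p.strip()))
    unknown = [n for n in names if n not in JSSE_PROTOCOL_NAMES]
    if not names or unknown:
        raise ValueError(f"invalid protocol list {protocols!r}: unknown={unknown}")
    return names


def deprecated_in(value):
    """Which entries of a comma-separated property value RFC 8996 deprecates."""
    return [p.strip() for p in value.split(",") if p.strip() in DEPRECATED]


def set_property(text, key, value):
    """Replace key=value in place (comments and other keys untouched); append the key if absent."""
    pattern = re.compile(rf"^\s*{re.escape(key)}\s*[=:]")
    lines, found = [], False
    for line in text.splitlines():
        if pattern.match(line):
            lines.append(f"{key}={value}")
            found = True
        else:
            lines.append(line)
    if not found:
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


def restrict_https_protocols(text, protocols):
    """Validate, then set httpsEncryptionProtocols to exactly the given names."""
    return set_property(text, KEY, ",".join(validate_protocols(protocols)))


def update_file(path, protocols):
    """Back up the file next to itself, then rewrite it."""
    path = Path(path)
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    new_text = restrict_https_protocols(path.read_text(encoding="utf-8"), protocols)
    path.write_text(new_text, encoding="utf-8")


if __name__ == "__main__":
    print("deprecated in default:", deprecated_in("TLSv1,TLSv1.1,TLSv1.2"))
    print(restrict_https_protocols(SAMPLE, ["TLSv1.2"]))
```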

No support for XInclude

Starting from version 20.02.01, TrueSight Network Automation does not support the XML XInclude mechanism, which merges XML documents by letting the main XML document contain inclusion tags that automatically pull in other documents or parts of them. Because an inclusion tag can name any file or URL the parser can reach, disabling XInclude keeps an imported XML document from pulling in other content.
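The security reason for dropping XInclude is visible in a few lines: an inclusion tag names a file, and an XInclude-aware parser reads that file into the document. The following Python script is an added example, not TrueSight Network Automation code and not how the product parses its XML: it parses the same document with and without XInclude processing using the standard library, and shows a check that refuses a document containing any xi:include element. The <deviceType> document, its element names and the included file are constructed for the example.

```python
"""Show what XInclude lets an XML document do, and a check that rejects it.

Added example, not TrueSight Network Automation code and not how the
product parses its XML. The <deviceType> document and the included file
are constructed for the example."""
import os
import tempfile
import xml.etree.ElementTree as ET
from xml.etree import ElementInclude

XI_NS = "http://www.w3.org/2001/XInclude"


def build_document(included_path):
    """A constructed device-type document whose <banner> tries to include a local file."""
    return (
        f'<deviceType xmlns:xi="{XI_NS}">\n'
        "  <name>example</name>\n"
        f'  <banner><xi:include href="{included_path}" parse="text"/></banner>\n'
        "</deviceType>"
    )


def parse_without_xinclude(xml_text):
    """Plain ElementTree parsing: the xi:include element stays an inert element."""
    return ET.fromstring(xml_text)


def parse_with_xinclude(xml_text):
    """The same text with XInclude processing: the file contents replace the element."""
    root = ET.fromstring(xml_text)
    ElementInclude.include(root)   # the stdlib default loader opens href from disk
    return root


def find_xincludes(root):
    """Return every XInclude element, so an importer can refuse the document up front."""
    return root.findall(f".//{{{XI_NS}}}include")


def assert_no_xinclude(root):
    """Reject a document that carries inclusion tags, before anything processes them."""
    hits = find_xincludes(root)
    if hits:
        raise ValueError(f"document contains {len(hits)} XInclude element(s); refusing to import")
    return root


def demo():
    """Parse the constructed document both ways and report what the banner contains."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")
        with open(secret, "w", encoding="utf-8") as f:
            f.write("constructed-secret")     # stands in for a file the document should not see
        doc = build_document(secret)
        inert = parse_without_xinclude(doc)
        expanded = parse_with_xinclude(doc)
        return {
            "xincludes_found": len(find_xincludes(inert)),
            "banner_without": inert.find("banner").text,     # None: nothing was included
            "banner_with": expanded.find("banner").text,     # the file's contents
        }


if __name__ == "__main__":
    print(demo())
```

The inert parse leaves the xi:include element in place, so the banner text is empty and the refusal check fires; only the XInclude-processing parse turns the file path into file contents.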
