Important This version of the product has reached end of support. The documentation is available for your convenience. However, you must be logged in to access it. You will not be able to leave comments.

Configuring enhanced security

TrueSight Network Automation is Federal Information Processing Standard (FIPS) Publication 140-2 compliant. TrueSight Network Automation uses the RSA JSafeJCE security provider for FIPS-compliance. This topic includes the following sections:

FIPS 140-2 support

The following topics describe the details of the FIPS 140-2 implementation:

Note

You can find links to the FIPS 140-2 documents on the FIPS Publications page on the National Institute of Standards and Technology (NIST) website:

http://csrc.nist.gov/publications/PubsFIPS.html.

Cipher suites used in the Tomcat server

TrueSight Network Automation works in FIPS mode, and supports the TLSv1.2 handshaking protocol and the SHA-256 cipher suites. You can configure these cipher suites in the catalina.properties file. Some of the Internet browsers approved for use with TrueSight Network Automation, such as Mozilla FireFox and some versions of Microsoft Internet Explorer, do not yet support TLSv1.2. To ensure that these browsers can still access the TrueSight Network Automation application server, the following SHA cipher suites are still provided at the lower order:

Cipher suites used in 8.9.02.002
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:
ECDHE-ECDSA-AES256-SHA384:DH-DSS-AES256-GCM-SHA384:
DH-RSA-AES256-GCM-SHA384:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:
ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:
ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:
DH-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:
DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:
ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:
AES128-GCM-SHA256:AES128-SHA256
Cipher suites used in 8.9.01, 8.9.02, and 8.9.02.001
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:
ECDHE-ECDSA-AES256-SHA384:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:
DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:
DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:
ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:
ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:
DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:
DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:
DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:
ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:
AES128-GCM-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Cipher suites used in version 8.9.00
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_NULL_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

Back to top

To configure catalina.properties in restricted environments

If your environment requires more restricted security, as would be the case for federal customers, perform the following steps.

  1. Open the BCAN_HOME/tomcat/conf/catalina.properties file in a text editor.
  2. Find the bna.connector.ciphers property in the file.

  3. Delete the following set of cipher suites from the bna.connector.ciphers property value in the BCAN_HOME/tomcat/conf/catalina.properties file:

    Cipher suites to be deleted in 8.9.02.002
    AES128-SHA256
    Cipher suites to be deleted in 8.9.01, 8.9.02, and 8.9.02.001
    AES128-SHA256:AES256-SHA:AES128-SHA:
    DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:
    DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:
    DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:
    DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256
    Cipher suites to be deleted in version 8.9.00
    TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  4. Save the file and exit the text editor.
  5. Restart the web server service.

Back to top

Password handling

TrueSight Network Automation stores log on passwords in the database using the SHA-256 message digest algorithm, which is non-reversible, when local authentication is being used.

TrueSight Network Automation stores all other passwords (such as device security profile passwords, device agent passwords, or job or predefined job runtime parameters declared as passwords) in the database using the following FIPS-compliant algorithms, which are reversible:

  • (Versions 8.9.02 and earlier) PBEWithHmacSHA1AndDESede 
  • (Versions 8.9.03 and later) PBKDF2withHmacSHA512 (key creation) and AES256 (encryption)

If a password is used during device interaction, such as FTP password, and the transcript shows it as HIDDEN, it is also stored that way in the database.

Back to top

Application server and device agent communication

For communication between the TrueSight Network Automation application server and the TrueSight Network Automation local and remote device agents, TrueSight Network Automation uses the TLSv1.2 handshaking protocol and the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite.

SSH proxy

TrueSight Network Automation supports the use of FIPS-compliant encryption algorithms for the SSH proxy connection. TrueSight Network Automation no longer supports the hashing function, for example, the hmac-md5 encryption algorithms. 

For versions 8.9.02 and later, the following encryption algorithms are supported for communication between an SSH client and TrueSight Network Automation SSH proxy server:

Cryptography aspect

Algorithm/Key length used

Key exchange algorithms

(Version 8.9.04) diffie-hellman-group-exchange-sha256,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

(Version 8.9.03) diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

(Version 8.9.02) diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384

Host key algorithms

(Version 8.9.04) ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384

(Version 8.9.03) ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384

(Version 8.9.02) ssh-rsa, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384

Encryption algorithms (ciphers)

(Version 8.9.04) aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

(Version 8.9.03) aes128-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes192-ctr,aes256-ctr

(Version 8.9.02) aes128-ctr, 3des-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes192-ctr, aes256-ctr

Message authentication code algorithms

(Version 8.9.04) hmac-sha256,hmac-sha2-256,hmac-sha256@ssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha512,hmac-sha2-512,hmac-sha512@ssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1,hmac-sha1-etm@openssh.com

(Version 8.9.03) hmac-sha256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha256@ssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha512,hmac-sha2-512,hmac-sha512@ssh.com,hmac-sha2-512-etm@openssh.com

(Version 8.9.02) hmac-sha256, hmac-sha1, hmac-sha1-etm@openssh.com, hmac-sha2-256, hmac-sha256@ssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha512, hmac-sha2-512, hmac-sha512@ssh.com, hmac-sha2-512-etm@openssh.com

SNMP v3 Server configuration

The MD5 authentication algorithm and DES privileged algorithm have been removed from the configuration options for Simple Network Messaging Protocol version 3 (SNMP v3) servers. When upgrading to version 8.7.00, existing configurations that used the MD5 authentication algorithm and/or the DES privileged algorithm are updated to use the SHA authentication algorithm and/or the AES privileged algorithm, respectively. See Adding-or-editing-an-SNMP-manager-station.

Back to top

Agent and device communication over SSH

For communication between the agent and devices, TrueSight Network Automation establishes an SSH connection with the device. TrueSight Network Automation uses only FIPS-compliant algorithms for SSH connections with devices.

You must set <enableFIPSModeForSsh> to true for a device adapter when using SSH to connect to the device that is using FIPS algorithms. For information about the <enableFIPSModeForSsh> tag, see Device-type-header-XML-element-reference

Note

  • Encryption algorithms cannot be configured in TrueSight Network Automation. However, these can be configured on the network device.
  • Due to use of updated cryptography libraries in this version of TrueSight Network Automation, the two-key Triple-DES algorithm is not supported beyond 2015. The three-key Triple-DES algorithm is supported beyond 2013. Due to deprecated two-key Triple-DES algorithm, you might be unable to make SSH connections to a few network devices. Consider upgrading your device firmware or configure your devices to use compatible ciphers.

The following table lists the various algorithms that are used for handshaking between the TrueSight Network Automation agent (client) and the device (server):

Cryptography aspect

Algorithm/Key length used for Client Key exchange initiation

Key exchange algorithms

(Version 8.9.04) diffie-hellman-group-exchange-sha256,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

(Version 8.9.03) diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1

(Version 8.9.02) diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1

Note: In version 8.9.02, diffie-hellman-group1-sha1 is available only when the FIPS mode is set to false because this algorithm is weak and vulnerable to the LOGJAM security vulnerability.

(Version 8.9.01) diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1

(Version 8.9.00) diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

Host key algorithms

(Version 8.9.04) ssh-dss,ssh-rsa,x509v3-sign-rsa,x509v3-sign-dss,x509v3-sign-rsa-sha1,x509v3-ssh-rsa,x509v3-ssh-dss,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-rsa2048-sha256,ssh-ed25519,ecdsa-sha2-nistp256

(Version 8.9.03) ssh-dss,ssh-rsa,x509v3-sign-rsa,x509v3-sign-dss,x509v3-sign-rsa-sha1,x509v3-ssh-rsa,x509v3-ssh-dss,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-rsa2048-sha256,ecdsa-sha2-nistp256

(Version 8.9.02) ssh-dss,ssh-rsa,x509v3-sign-rsa,x509v3-sign-dss,x509v3-sign-rsa-sha1,x509v3-ssh-rsa,x509v3-ssh-dss,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-rsa2048-sha256,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256

(Version 8.9.01) ecdsa-sha2-nistp256,ssh-dss,ssh-rsa,x509v3-sign-rsa,x509v3-sign-dss,x509v3-sign-rsa-sha1,x509v3-ssh-rsa,x509v3-ssh-dss,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-rsa2048-sha256

(Version 8.9.00) ssh-dss,ssh-rsa,x509v3-sign-rsa,x509v3-sign-dss,x509v3-sign-rsa-sha1,x509v3-ssh-rsa,x509v3-ssh-dss,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2nistp384,x509v3-ecdsa-sha2nistp521,ecdsa-sha2-nis

Encryption algorithms (ciphers)

(Version 8.9.04) aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

(Version 8.9.03) aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

(Version 8.9.02) aes128-ctr,3des-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes192-ctr,aes256-ctr,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc

(Version 8.9.01) aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

(Version 8.9.00) aes128-ctr,aes128-cbc,3des-ctr,aes192-ctr,aes256-ctr,3des-cbc,aes192-cbc,aes256-cbc

Message authentication code algorithms

(Version 8.9.04) hmac-sha2-256,hmac-sha256,hmac-sha512,hmac-sha2-512,hmac-sha1

(Version 8.9.03) hmac-sha2-256,hmac-sha1,hmac-sha256,hmac-sha512,hmac-sha2-512

(Version 8.9.02) hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha256,hmac-sha256@ssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha512,hmac-sha2-512,hmac-sha512@ssh.com,hmac-sha2-512-etm@openssh.com

(Version 8.9.01) hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha1-96,hmac-sha256,hmac-sha256@ssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256-96,hmac-sha512,hmac-sha2-512,hmac-sha512@ssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-512-96

(Version 8.9.00) hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-sha256,hmac-sha256@ssh.com,hmac-sha2-256-96,hmac-sha512,hmac-sha2-512,hmac-sha512@ssh.com,hmac-sha2-512-96

Back to top

Handling CVE-2014-3566 (Poodlebleed)

To resolve the Poodlebleed issue, TrueSight Network Automation supports the newer SSL versions (TLS 1.0, 1.1, and 1.2) and blocks the SSL 3.0 protocol by default in all the HTTPS connections.

Browser – TrueSight Network Automation server communication

TrueSight Network Automation uses the Apache Tomcat web server. In the catalina.properties file, bna.connector.sslEnabledProtocols is set to TLSv1,TLSv1.1,TLSv1.2 (versions 8.9.02 and earlier) and TLSv1.2 (version 8.9.03) by default.

BMC does not recommend that you change the default protocols. However, if you choose to modify these at your own risk, perform the following steps:

  1. Stop the TrueSight Network Automation services.
  2. In the catalina.properties file located in the <BCAN_HOME>\tomcat\conf directory, modify the existing value for bna.connector.sslEnabledProtocols based on your requirement.
  3. Start the TrueSight Network Automation services.

Back to top

TrueSight Network Automation agent and network device communication

TrueSight Network Automation allows HTTPS communication with certain devices. In the global.properties.imported file, httpsEncryptionProtocols is set to TLSv1,TLSv1.1,TLSv1.2 by default.

BMC does not recommend that you change the default protocols. However, if you choose to modify these at your own risk, perform the following steps:

  1. Stop the TrueSight Network Automation services.
  2. In the global.properties.imported file located in the <BCAN_DATA> directory, modify the existing value for httpsEncryptionProtocols based on your requirement.
  3. Start the TrueSight Network Automation services.

Back to top

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*