Notification of possible action required by PATROL Agent users
PATROL Agents monitor critical systems, systems that contain sensitive information, and non-critical systems, and send the monitored data to TrueSight Operations Management. Depending on the monitoring requirement, different security levels are applied to secure the communication between the PATROL Agent and TrueSight Operations Management.
To complete the migration of TrueSight Operations Management to PATROL security level 3 and the TLS 1.2 cryptographic protocol, you must complete the following instructions on the TrueSight Operations Management Integration Services and on all the relevant PATROL Agents. Performing the steps in the order given minimizes the monitoring downtime.
The instructions in this page apply only to those users whose IT infrastructure requires a TLS 1.2 configuration with user-issued certificates. You can use these instructions only if you are using PATROL Agent version 10.7 or later.
August 28, 2019
Issue number: CVE-2019-8352
Issue
Configuring a new Integration Service and PATROL Agent to enable TLS 1.2 and change security level to 3
To minimize monitoring downtime across the PATROL Agents when TLS 1.2 is enabled, BMC strongly recommends that you set up a new Integration Service with PATROL security level 3. Any PATROL Agent that is later migrated to TLS 1.2 and PATROL security level 3 can then connect immediately to the newly configured Integration Service (configured with TLS 1.2 and security level 3), reducing its downtime to the time it takes to restart the PATROL Agent.
To configure a new Integration Service to enable TLS 1.2 and change PATROL security level to 3
Create a custom signed certificate for the Integration Service. This is required by the PATROL security level 3. For details, see Implementing private certificates in the Integration Service.
Prepare the new Integration Service to communicate with the Infrastructure Management by importing the custom signed certificate into the Integration Service keystore. For details, see Implementing private certificates in the Integration Service.
Prepare the new Integration Service to communicate with PATROL Agents. For details, see Implementing private certificates in the Integration Service.
Create an NSS DB certificate store in the Integration Service and import the custom signed certificate into this store. For details, see To create a server NSS DB certificate store and import the CA-signed certificates.
Import the Integration Service certificate into the Infrastructure Management server truststore. For details, see Applying Integration Service certificate to the TrueSight Infrastructure Management.
Apply the Integration Service certificate to the TrueSight Operations Management components. For details, see To create a server NSS DB certificate store and import the CA-signed certificates.
Change the Integration Service security level to 3. For details, see To change the Integration Service's security level.
Configure the Integration Service to enable TLS 1.2. For details, see To configure the Integration Service to enable TLS 1.2.
To verify the Integration Service is configured successfully in TLS 1.2 mode
- Log in to the TrueSight console and go to the Configuration > Managed Devices page.
- Verify that the Integration Service status shows as connected to the Infrastructure Management server.
To configure PATROL Agents to enable TLS 1.2 and change security level to 3
- Create a Mozilla NSS DB client certificate store for the PATROL Agent, and import the Integration Service certificate into this client certificate store. For details, see Applying Integration Service certificate to the PATROL Agent.
- Change the PATROL Agent PCONFIG key so that the agent connects to the newly configured Integration Service, and then restart the PATROL Agent:
  PCONFIG key: "/AgentSetup/integration/integrationServices" = {REPLACE = "tcp:<ISN-HOST>:<ISN-PORT>"}
- Change the PATROL Agent security level to 3. For details, see To change the PATROL Agent's security level.
- Configure the PATROL Agent to enable TLS 1.2. For details, see To configure the PATROL Agent to enable TLS 1.2.
- Restart the PATROL Agent.
- Check the PATROL_HOME/log/PatrolAgent-PAHOST-PAPORT.errs file to confirm that it contains no errors.
To verify the PATROL Agent is connected to the Integration Service
- Log in to the TrueSight console and go to the Configuration > Managed Devices page.
- Verify that the PATROL Agent status shows as connected under the newly configured Integration Service.
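The PCONFIG entry above and the TLS 1.2 verification can both be checked from an operator workstation. The following helper is an added example and not BMC code: it renders the integrationServices REPLACE entry for a real host and port (refusing the unedited <ISN-HOST> placeholders), and probes the Integration Service port to confirm that only TLS 1.2 handshakes succeed. It assumes the port named in the entry is the TLS listener the agents connect to, and the host and port values in the block are constructed samples.

```python
import socket
import ssl

PCONFIG_KEY = "/AgentSetup/integration/integrationServices"


def build_integration_services_entry(host, port):
    """Render the PCONFIG change entry from this page for one Integration Service.

    Placeholder text such as "<ISN-HOST>" is rejected so that an unedited
    template is never applied to an agent.
    """
    if not host or any(c in host for c in '<> "'):
        raise ValueError(f"invalid Integration Service host {host!r}")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid Integration Service port {port}")
    return f'"{PCONFIG_KEY}" = {{REPLACE = "tcp:{host}:{port}"}}'


def probe_tls_versions(host, port, timeout=5.0):
    """Map each TLS version to whether the endpoint completes a handshake at it.

    Hypothetical check (assumes the ISN port is the TLS listener). After the
    migration only TLSv1.2 is expected to succeed.
    """
    versions = (("TLSv1", ssl.TLSVersion.TLSv1),
                ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2))
    results = {}
    for name, version in versions:
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False       # protocol-only probe; the agent's
            ctx.verify_mode = ssl.CERT_NONE  # NSS DB store validates the cert
            ctx.minimum_version = ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as s:
                with ctx.wrap_socket(s, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (OSError, ValueError):
            results[name] = False
    return results


def legacy_protocols_accepted(results):
    """Pre-1.2 versions the endpoint still accepts; an empty list is the goal."""
    return sorted(v for v, ok in results.items() if ok and v != "TLSv1.2")


if __name__ == "__main__":
    # Constructed sample values; replace with the real Integration Service.
    print(build_integration_services_entry("isn01.example.com", 3183))
    print(legacy_protocols_accepted(probe_tls_versions("isn01.example.com", 3183)))
```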
Post-configuration step
After migrating all the PATROL Agents to the new Integration Service, you can do one of the following:
- Retire the old Integration Service.
- Perform the steps in To configure the Integration Service to enable TLS 1.2 with security level 3 on the old Integration Service so that it also uses TLS 1.2 and security level 3.
For more information about PATROL Agent security considerations, see Security-guidelines-for-the-PATROL-Agent.
If you have any questions about the issue, contact Customer Support.