Enhancing the PATROL Agent data security in TrueSight Operations Management
By default, during the TrueSight Presentation Server installation, a unique key is generated that is used to encrypt the PATROL Agent data credentials. This key is shared with the PATROL Agent when a PATROL Agent version 10.7 or later connects to the Presentation Server. The same key is shared with all the PATROL Agents connected to this Presentation Server. The PATROL Agent uses this unique key to decrypt the data received from the TrueSight Presentation Server.
After the TrueSight Presentation Server installation, you can change this key using the Presentation Server tssh command.
The following table explains the compatibility of dynamic encryption key functionality for different versions of the PATROL Agent, TrueSight Presentation Server, and TrueSight Infrastructure Management.
PATROL Agent | TrueSight Infrastructure Management | TrueSight Presentation Server | Dynamic key supported |
---|---|---|---|
20.02 | 11.3.x | 11.3.x | Yes |
11.3.02 | 11.3.02, 11.3.03 | 11.3.02, 11.3.03 | Yes |
11.3.01 | 11.3.01 | 11.3.01 | Yes |
11.0 | 11.0 | 11.0 | Yes |
10.7 | 10.7 | 10.7 | Yes |
< 10.7 | 10.7 | 10.7 | No. The previous functionality (static encryption) will continue to work. |
10.7 | 10.7 | < 10.7 | No. The previous functionality (static encryption) will continue to work. |
10.7 | < 10.7 | 10.7 | Partially. PATROL Agent policy credentials are encrypted using dynamic encryption, but Infrastructure Management Agent Query command credentials are encrypted using static encryption mechanism. |
The following process flow diagrams explain the key exchange process between the Presentation Server and the PATROL Agent.
Key exchange process in the Presentation Server
The following section explains the sequence of steps in the Presentation Server.
- The PATROL Agent sends its public key to the Presentation Server as part of the agent registration process.
- The Presentation Server uses a pre-generated unique key to encrypt the PATROL Agent data.
- This unique key is also encrypted using the public key received from the PATROL Agent.
- The encrypted data and the encrypted unique key are sent to the PATROL Agent.
Key exchange process in the PATROL Agent
The following section explains the sequence of steps in the PATROL Agent.
- The PATROL Agent decrypts the encrypted unique key using its private key.
  Note: This unique key was encrypted in the Presentation Server using the PATROL Agent's public key and then sent to the PATROL Agent.
- This unique key is used to decrypt the PATROL Agent data received from the Presentation Server.
You can change the unique key after the installation of the TrueSight Presentation Server using a CLI command in the Presentation Server. For more information, see Changing the encryption key to secure PATROL Agent data.