2.2 Understanding Communication Security Levels

Within any single management site, choose the level of security for communication between the management server and all of the agent computers. Agent installation offers extra security options to encrypt agent-to-management server communications, or to encrypt communications and require agents to authenticate the management server. In most cases, you do not need to use these extra options, which add some overhead to production servers and the management server.

If you do not choose one of the extra security options, AppManager transmits data between the management server and agents without encryption, and agents do not authenticate the identity of management servers. AppManager always encrypts passwords, so even without extra agent security options a password never crosses the network in clear text; of the credentials AppManager sends, only user names do, along with the monitoring data itself. If you require a password for access to a particular application, like SQL, the password is stored encrypted in a table. That encrypted password is sent to the agent, which records it locally, still encrypted. Only when a job executes is the password decrypted and used to gain access to the application. This lowest security setting is appropriate for a closed network environment, but some organizations require greater security to ensure data privacy and integrity and to help prevent potential attacks from unauthorized, external sources.

When you install agents, the following options are available for securing communications between management servers and agents:

  • Encrypted communications only (security level 1) provides a basic level of security with little impact on performance. If you select this option, AppManager encrypts data transmissions between agents and management servers using a session key it generates dynamically when the management server starts, but does not require agents to authenticate the management servers with which they communicate. This level therefore protects transmitted data from a passive observer on the network, but it gives an agent no way to confirm that the host it is sending to is a legitimate management server for its site.

  • Authentication and encrypted communications (security level 2) provides an additional layer of security, but requires additional steps for managing and distributing keys. If you select this option, AppManager encrypts data transmissions between agents and management servers and requires agents to authenticate management servers using a predefined key before they transmit data. AppManager stores the key information in the QDB and makes a portion of it available for agent computers to use.

    For Windows agents, this option requires the 128-bit Windows High Encryption Pack, which you might need to install on the agent computer. The High Encryption Pack can be exported from the U.S. to worldwide destinations, except where expressly restricted.

For either security level, AppManager uses 40-bit RPC encryption.

Although you manage secure communication separately for Windows agents and UNIX agents, all management servers and agent computers in a management site should use the same level of security. For either platform, you cannot mix security levels. For example, you cannot set some Windows agent computers to use clear text or encryption while other Windows agent computers use authentication and encryption. If you choose Authentication and encrypted communications, all agents within the same site must use the same key file.
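The practical difference between the settings described above, as an added model written for this page and not AppManager's own code, wire protocol, or NQKeyGen tools: the site key is assumed here to be a shared HMAC secret (a simplification of the key data AppManager keeps in the QDB and the portion it gives to agents), the cipher is a toy keystream standing in for the product's encryption, and "level 0" is this model's own label for the default with no extra option selected. It shows why level 1 keeps data from a passive observer yet still lets an agent hand its session traffic to any host that answers as the management server, while level 2 refuses a host that does not hold the site's key file, including a genuine server when the agent carries a key file from a different site, which is why every agent in a site must use the same key file.

```python
"""Toy model of the agent security levels described above. Constructed for
this page; not AppManager's wire protocol, its RPC encryption, or the
NQKeyGen tools. The site key is a shared HMAC secret here, a simplification
of the key data AppManager keeps in the QDB and the portion given to agents."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher: HMAC-SHA256 in counter mode as keystream, XORed with data.
    One call both encrypts and decrypts. Stand-in only; not for real traffic."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ManagementServer:
    def __init__(self, site_key: Optional[bytes] = None) -> None:
        # site_key is None for a host that never received the site's key
        # file: a level 0/1 server, or a rogue host posing as the server.
        self.site_key = site_key
        # Levels 1 and 2: a fresh session key is generated at server start.
        self.session_key = secrets.token_bytes(32)

    def handshake(self, agent_nonce: bytes) -> Tuple[bytes, Optional[bytes]]:
        """Hand out the session key and, if the site key is held, a proof of
        possession over the agent's nonce (the level 2 authentication step)."""
        proof = None
        if self.site_key is not None:
            proof = hmac.new(self.site_key, agent_nonce, hashlib.sha256).digest()
        return self.session_key, proof


class Agent:
    def __init__(self, level: int, site_key: Optional[bytes] = None) -> None:
        # level 0: clear text; 1: encryption only; 2: authentication + encryption
        if level == 2 and site_key is None:
            raise ValueError("level 2 requires the site's key file")
        self.level = level
        self.site_key = site_key
        self.session_key: Optional[bytes] = None

    def connect(self, server: ManagementServer) -> bool:
        """True if the agent is willing to transmit data to this server."""
        if self.level == 0:
            return True
        nonce = secrets.token_bytes(16)
        session_key, proof = server.handshake(nonce)
        if self.level == 2:
            # Authenticate the server before any data is transmitted.
            expected = hmac.new(self.site_key, nonce, hashlib.sha256).digest()
            if proof is None or not hmac.compare_digest(proof, expected):
                return False
        # Level 1 accepts whichever host handed it a session key.
        self.session_key = session_key
        return True

    def send(self, data: bytes) -> Tuple[bytes, bytes]:
        """Return (nonce, bytes on the wire) for one monitoring message."""
        if self.level == 0:
            return b"", data
        if self.session_key is None:
            raise RuntimeError("agent is not connected")
        nonce = secrets.token_bytes(16)
        return nonce, keystream_xor(self.session_key, nonce, data)


def run_scenarios() -> Dict[str, bool]:
    """Run each level against the genuine server and an impostor."""
    site_key = secrets.token_bytes(32)        # the site's key file
    other_site_key = secrets.token_bytes(32)  # key file from another site
    genuine = ManagementServer(site_key)
    rogue = ManagementServer()                # never received the key file
    msg = b"user=svc_monitor metric=cpu value=97"  # constructed sample

    _, wire0 = Agent(0).send(msg)

    level1 = Agent(1)
    level1_accepts_rogue = level1.connect(rogue)
    nonce1, wire1 = level1.send(msg)
    rogue_reads_it = keystream_xor(rogue.session_key, nonce1, wire1) == msg

    level2 = Agent(2, site_key)
    return {
        "level0_cleartext_on_wire": wire0 == msg,
        "level1_encrypted_on_wire": wire1 != msg,
        "level1_accepts_rogue": level1_accepts_rogue,
        "level1_rogue_decrypts": rogue_reads_it,
        "level2_accepts_genuine": level2.connect(genuine),
        "level2_accepts_rogue": level2.connect(rogue),
        "level2_accepts_other_site_key": Agent(2, other_site_key).connect(genuine),
    }
```

Calling run_scenarios() returns a dictionary of outcomes: the level 1 agent connects to the rogue host and the rogue host decrypts its traffic, while the level 2 agent rejects both the rogue host and, when given another site's key file, the genuine server.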

If you choose Encrypted communications only or Authentication and encrypted communications, AppManager implements FIPS-compliant algorithms. FIPS compliance does not affect unencrypted communications. For more information about FIPS-compliant security, see Understanding FIPS Compliance.

For more information about installing agents, see the Installation Guide for AppManager, available on the AppManager Documentation page.

Although you normally set the security level for a site during installation, you can change the security level after installation using the NQKeyGenWindows.exe program for Windows agents, or the NQKeyGenUNIX.exe program for UNIX agents. Changing the security level after installation may interrupt or prevent communication between the management server and agent computers, at least temporarily. Therefore, avoid changing the security level, if possible, or plan carefully for any changes to reduce disruption to your environment.

You can also use the programs any time you need to create and manage key file information for one of the agent security options. For more information about using the programs, see Managing Secure Communication for Agents.