3.2 Network Communication Options

Various components of Change Guardian communicate across the network, and there are different types of communication protocols used throughout the system. All of these communication mechanisms affect the security of your system.

3.2.1 Using TLS for Communication

The TLS 1.0 communication protocol has known vulnerabilities. NetIQ recommends that you use TLS 1.1 or later for communication.

TLS 1.0 is disabled by default in new installations of the Change Guardian server, agents, and Policy Editor components to improve security posture and to prevent known vulnerabilities.

TLS 1.0 is not disabled by default in upgrade installations of the Change Guardian server, agents, and Policy Editor components in order to preserve backward compatibility with components that might not be upgraded yet. Once you upgrade all the components to the latest released versions, you can disable TLS 1.0. For more information, see Prerequisites.

In upgrade installations, the Change Guardian server, agents, and Policy Editor components still allow TLSv1.0 for communication. To improve your security posture and to prevent known vulnerabilities, disable TLSv1.0 once all components are upgraded. NetIQ recommends that you use TLS 1.1 or later for communication.

Prerequisites

You can disable TLS 1.0 manually after completing the following prerequisites:

  • Install curl-openssl1 on SLES 11 SP4 before disabling the TLS 1.0 protocol on the Change Guardian server. For information about the RPM prerequisites, see Traditional Change Guardian server Installation.

  • Upgrade Windows agents to 5.0 or later.

  • Upgrade Security Agent for UNIX to 7.5.1 or later.

  • Ensure that TLS 1.1 or a higher version is enabled for the SMTP server configured in Policy Editor.

  • Ensure that you have Microsoft .NET Framework 4.5 or later.

Disabling TLS 1.0

Perform the following steps on the Change Guardian server:

  1. Log in as the novell user.

  2. Edit the /opt/novell/sentinel/jdk/jre/lib/security/java.security file.

  3. Add TLSv1 to the list of disabled algorithms as follows:

    Before: jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

    After: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, MD5withRSA, DH keySize < 768

    When TLSv1 is included in the list of disabled algorithms, it forces the use of TLS 1.1 or above.

  4. Run the following command to restart the Change Guardian server:

    /opt/netiq/cg/scripts/cg_services.sh restart

Enabling TLS 1.0

By default, TLS 1.0 is disabled for new installations. You can enable the TLS 1.0 protocol if you are required to integrate Change Guardian with components that do not have TLS 1.1 or higher enabled. For example: Security Agent for UNIX prior to 7.5.1 or an SMTP server using only TLS 1.0.

NOTE: NetIQ recommends that you do not enable TLS 1.0 unless you need to ensure compatibility between agents that support only TLS 1.0 and the Change Guardian server.

Perform the following steps on the Change Guardian server:

  1. Log in as the novell user.

  2. Edit the /opt/novell/sentinel/jdk/jre/lib/security/java.security file.

  3. Delete TLSv1 from the list of disabled algorithms as follows:

    Before: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, MD5withRSA, DH keySize < 768

    After: jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

  4. Run the following command to restart the Change Guardian server:

    /opt/netiq/cg/scripts/cg_services.sh restart
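The two procedures above (disabling and enabling TLS 1.0) are the same edit in opposite directions. The following script is an added example, not a NetIQ tool: it toggles TLSv1 in the jdk.tls.disabledAlgorithms line of a java.security file, is safe to run twice, and lets you confirm the resulting value before you restart the services. The file path and the before/after values are the ones from this section; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not NetIQ's own script: toggle TLSv1 in the
# jdk.tls.disabledAlgorithms line of a java.security file.
# Usage: set_tlsv1 disable|enable /opt/novell/sentinel/jdk/jre/lib/security/java.security
# Restart afterwards with: /opt/netiq/cg/scripts/cg_services.sh restart (not done here).

# Print the value of the first jdk.tls.disabledAlgorithms line (text after '=').
disabled_algorithms() {
    grep '^jdk\.tls\.disabledAlgorithms=' "$1" | head -n1 | cut -d= -f2-
}

# Return 0 if TLSv1 (exactly TLSv1, not TLSv1.1) is in the disabled list.
tlsv1_disabled() {
    disabled_algorithms "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx 'TLSv1'
}

# Replace the value of the first jdk.tls.disabledAlgorithms line, keeping a .bak copy.
set_disabled_algorithms() {
    file=$1; value=$2
    tmp="$file.tmp.$$"
    awk -v v="$value" '
        !done && /^jdk\.tls\.disabledAlgorithms=/ { print "jdk.tls.disabledAlgorithms=" v; done = 1; next }
        { print }' "$file" > "$tmp" && cp "$file" "$file.bak" && mv "$tmp" "$file"
}

# disable: add TLSv1 (placed right after SSLv3, as in the documented "After" line).
# enable:  remove TLSv1 and normalise the list back to ", " separators.
set_tlsv1() {
    action=$1; file=$2
    current=$(disabled_algorithms "$file")
    [ -n "$current" ] || { echo "no jdk.tls.disabledAlgorithms line in $file" >&2; return 1; }
    case $action in
        disable)
            tlsv1_disabled "$file" && return 0            # already disabled: nothing to do
            case $current in
                SSLv3,*) new="SSLv3, TLSv1,${current#SSLv3,}" ;;
                *)       new="TLSv1, $current" ;;
            esac ;;
        enable)
            tlsv1_disabled "$file" || return 0            # already enabled: nothing to do
            new=$(printf '%s' "$current" | tr ',' '\n' \
                  | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
                  | grep -vx 'TLSv1' | paste -sd, - | sed 's/,/, /g') ;;
        *)  echo "usage: set_tlsv1 disable|enable FILE" >&2; return 2 ;;
    esac
    set_disabled_algorithms "$file" "$new"
}
```

Run it as the novell user against the real file, then inspect `disabled_algorithms` output and restart the server. The edit only takes effect for the JVM that reads this java.security, so agents and the SMTP server still need the checks listed under Prerequisites.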

3.2.2 Disabling 3DES Ciphers

The 3DES ciphers are enabled on new installations and upgrade installations by default. You can disable the 3DES ciphers for additional security and to reduce known vulnerabilities.

Perform the following steps on the Change Guardian server to disable 3DES ciphers:

  1. Log in as the novell user.

  2. Edit the /etc/opt/novell/sentinel/3rdparty/jetty/jetty-ssl.xml file.

  3. Add the SSL_RSA_WITH_3DES_EDE_CBC_SHA cipher to the list of excluded ciphers:

    <Set name="ExcludeCipherSuites">
      <Array type="java.lang.String">
        ......
        .......
        <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
      </Array>
    </Set>

  4. Run the following command to restart the Change Guardian services:

    /opt/netiq/cg/scripts/cg_services.sh restart
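Editing jetty-ssl.xml by hand is easy to get wrong (a duplicated Item, or an Item placed outside the ExcludeCipherSuites array). The script below is an added example, not NetIQ tooling: it inserts the cipher suite into the exclusion array only if it is not already there, and includes a client-side check you can run after the restart. The file path and cipher suite name come from this section; the function names, the HOST and PORT placeholders, and the jetty-ssl.xml skeleton used in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not NetIQ's own tooling: add a cipher suite to the
# ExcludeCipherSuites array of a Jetty jetty-ssl.xml without duplicating it.
# Usage: exclude_cipher /etc/opt/novell/sentinel/3rdparty/jetty/jetty-ssl.xml SSL_RSA_WITH_3DES_EDE_CBC_SHA
# Restart afterwards with: /opt/netiq/cg/scripts/cg_services.sh restart (not done here).

# Return 0 if SUITE is already an <Item> inside the ExcludeCipherSuites <Set>.
cipher_excluded() {
    file=$1; suite=$2
    awk -v s="$suite" '
        /<Set name="ExcludeCipherSuites">/ { inset = 1 }
        inset && $0 ~ ("<Item>[[:space:]]*" s "[[:space:]]*</Item>") { found = 1 }
        inset && /<\/Set>/ { inset = 0 }
        END { exit found ? 0 : 1 }' "$file"
}

# Insert <Item>SUITE</Item> before the </Array> that closes the exclusion list,
# reusing the indentation of the existing <Item> lines. Keeps a .bak copy.
exclude_cipher() {
    file=$1; suite=$2
    cipher_excluded "$file" "$suite" && return 0          # already present: nothing to do
    tmp="$file.tmp.$$"
    awk -v s="$suite" '
        /<Set name="ExcludeCipherSuites">/ { inset = 1 }
        inset && /<Item>/ { match($0, /^[[:space:]]*/); iind = substr($0, 1, RLENGTH) }
        inset && /<\/Array>/ {
            if (iind == "") { match($0, /^[[:space:]]*/); iind = substr($0, 1, RLENGTH) "  " }
            print iind "<Item>" s "</Item>"
            inset = 0
        }
        { print }' "$file" > "$tmp" && cp "$file" "$file.bak" && mv "$tmp" "$file"
    cipher_excluded "$file" "$suite"                     # fail loudly if the edit did not land
}

# After the restart, confirm from a client that a 3DES handshake is refused.
# HOST and PORT are placeholders for the Change Guardian server's HTTPS endpoint
# (assumption: not taken from the documentation). The OpenSSL name DES-CBC3-SHA
# corresponds to SSL_RSA_WITH_3DES_EDE_CBC_SHA. Returns 0 when the server rejects it.
verify_3des_rejected() {
    host=$1; port=$2
    if openssl s_client -connect "$host:$port" -tls1_2 -cipher DES-CBC3-SHA </dev/null >/dev/null 2>&1; then
        echo "3DES handshake still accepted by $host:$port" >&2; return 1
    fi
    echo "3DES handshake rejected by $host:$port"
}
```

`verify_3des_rejected` needs a client OpenSSL build that still offers 3DES; if `openssl ciphers DES-CBC3-SHA` lists nothing, the check proves only that the client cannot negotiate it, not that the server refuses it.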

3.2.3 Secure Communication Profile

You must perform this procedure after upgrading all the components to the latest released versions.

If you have upgraded your Change Guardian server to 5.0, you must perform the following procedure to ensure that the most secure communication profile is enabled. You must switch communication profiles if you want Change Guardian to be PCI compliant.

IMPORTANT: If you use UAM to install or upgrade Security Agent for UNIX, you must use profile_iqc. You must not switch the secure communication profile to profile_javos.

In case you want to use profile_javos, you must upgrade all the existing agents using CG AM only, before you switch the secure communication profile to profile_javos. After switching to profile_javos, you must perform any installations and upgrades only via CG AM.

You should not perform this procedure if you have Secure Configuration Manager (SCM) installed alongside Change Guardian in the same environment, because SCM Core registration fails when you switch the security communication profile. For more information on how to register SCM, see Registering SCM in the Security Agent for UNIX documentation.

Prerequisites:

NetIQ recommends that you perform this procedure after upgrading all the components to the following minimum versions:

  • Change Guardian 5.0 (including all agents and Policy Editor clients).

  • Security Agent 7.5.1.

Perform the following steps:

  1. Log in as a root user.

  2. Run the following command to verify whether profile_iqc is active:

    /opt/netiq/cg/javos/bin # ./javos_cert_setup.sh --show

    The following success message is displayed:

    Enabled profile: profile_iqc

  3. Run the following command to switch from profile_iqc to profile_javos:

    /opt/netiq/cg/javos/bin # ./javos_cert_setup.sh --enable --profile=profile_javos

  4. Run the following command to verify that profile_javos is active:

    /opt/netiq/cg/javos/bin # ./javos_cert_setup.sh --show

    The following success message is displayed:

    Enabled profile: profile_javos

  5. (Conditional) If the Change Guardian server is in FIPS mode, re-run the convert_to_fips.sh script.
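Because the profile switch is a one-way change with the restrictions noted above (UAM-managed agents, SCM in the same environment), it is worth wrapping steps 2 to 4 so that the switch only happens from a verified profile_iqc state and is confirmed afterwards. The script below is an added example, not part of Change Guardian: it runs the page's javos_cert_setup.sh (path overridable through the assumed JAVOS_CERT_SETUP variable), parses the "Enabled profile:" line shown in the procedure, and refuses to act on any other state. The function names are this example's own; it does not check the UAM, SCM or FIPS conditions, which remain manual.

```shell
#!/bin/sh
# Added example, not NetIQ's own script: switch the secure communication
# profile only when the server is verifiably on profile_iqc, then confirm.
# JAVOS_CERT_SETUP is an assumed override for testing; the default is the
# script path used in the procedure. Run as root, as the procedure requires.
JAVOS_CERT_SETUP=${JAVOS_CERT_SETUP:-/opt/netiq/cg/javos/bin/javos_cert_setup.sh}

# Extract the profile name from "Enabled profile: <name>" text on stdin.
parse_profile() {
    sed -n 's/^Enabled profile:[[:space:]]*\([[:alnum:]_]*\).*/\1/p' | head -n1
}

# Report the active profile as printed by --show (step 2 / step 4).
current_profile() {
    "$JAVOS_CERT_SETUP" --show | parse_profile
}

# Step 3 with guards: profile_iqc -> profile_javos, verified via --show.
# Returns 0 if the server ends up on profile_javos, 1 otherwise.
switch_to_javos() {
    before=$(current_profile)
    case $before in
        profile_javos) echo "already on profile_javos"; return 0 ;;
        profile_iqc)   ;;
        *) echo "unexpected profile '$before'; not switching" >&2; return 1 ;;
    esac
    "$JAVOS_CERT_SETUP" --enable --profile=profile_javos
    after=$(current_profile)
    [ "$after" = profile_javos ] || { echo "switch failed, profile is '$after'" >&2; return 1; }
    echo "switched to profile_javos"
}
```

A non-zero exit from `switch_to_javos` means the server is not on profile_javos; in that case do not proceed to the FIPS step until `--show` reports the expected profile.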