3.2 Network Communication Options

Various components of Change Guardian communicate across the network, and there are different types of communication protocols used throughout the system. All of these communication mechanisms affect the security of your system.

3.2.1 Using TLS for Communication

The TLS 1.0 communication protocol has known vulnerabilities. You must use TLS 1.1 or later for communication.

TLS 1.0 is disabled by default in new installations of the Change Guardian server, agents, and Policy Editor components to improve security posture and to prevent known vulnerabilities.

TLS 1.0 is not disabled by default in upgrade installations of the Change Guardian server, agents, and Policy Editor components in order to preserve backward compatibility with components that might not be upgraded yet. Once you upgrade all the components to the latest released versions, you can disable TLS 1.0. For more information, see Prerequisites.

In upgrade installations, the Change Guardian server, agents, and Policy Editor components still allow TLSv1.0 for communication. To improve the security posture and to prevent known vulnerabilities, you can disable TLSv1.0 once the prerequisites below are met.

Prerequisites

You can disable TLS 1.0 manually after completing the following prerequisites:

  • Upgrade Windows agents to 5.0 or later.

  • Upgrade Security Agent for UNIX to 7.5.1 or later.

  • Ensure that TLS 1.1 or a higher version is enabled for the SMTP server configured in Policy Editor.

  • Ensure that you have Microsoft .NET Framework 4.5 or later on Policy Editor clients and all Windows and Active Directory machines you must monitor.

Disabling TLS 1.0

Perform the following steps on the Change Guardian Server:

  1. Log in as the novell user.

  2. Edit the /opt/novell/sentinel/jdk/jre/lib/security/java.security file.

  3. Add TLSv1 to the list of disabled algorithms as follows:

    Before: jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

    After: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, MD5withRSA, DH keySize < 768

    When TLSv1 is included in the list of disabled algorithms, it forces the use of TLS 1.1 or above.

  4. Run the following command to restart the Change Guardian server:

    /opt/netiq/cg/scripts/cg_services.sh restart

Enabling TLS 1.0

By default, TLS 1.0 is disabled for new installations.

NOTE: You must not enable TLS 1.0 unless you need to ensure compatibility between the Change Guardian server and agents that support only TLS 1.0, for example Security Agent for UNIX prior to 7.5.1 or an SMTP server that supports only TLS 1.0.

Perform the following steps on the Change Guardian Server:

  1. Log in as the novell user.

  2. Edit the /opt/novell/sentinel/jdk/jre/lib/security/java.security file.

  3. Delete TLSv1 from the list of disabled algorithms as follows:

    Before: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, MD5withRSA, DH keySize < 768

    After: jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

  4. Run the following command to restart the Change Guardian server:

    /opt/netiq/cg/scripts/cg_services.sh restart
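The "Disabling TLS 1.0" and "Enabling TLS 1.0" procedures above differ only in whether TLSv1 appears in jdk.tls.disabledAlgorithms. The following shell script is an added example and is not part of the Change Guardian documentation or product: it rewrites that property in a java.security file idempotently (inserting TLSv1 right after SSLv3 to match the documented order, or removing it) and provides a check function you can run before editing and again after the restart. The file path is passed in as an argument; the example assumes POSIX sh and awk and assumes the property sits on a single line, as in the Before/After lines shown in the procedures.

```shell
#!/bin/sh
# Added example, not part of the Change Guardian documentation.
# Toggles TLSv1 in jdk.tls.disabledAlgorithms of a java.security file.
# Assumptions: POSIX sh + awk; the property is on a single line (no
# backslash continuation), as in the documented Before/After lines.

# set_tlsv1_disabled FILE on|off
#   on  -> ensure TLSv1 is in the list (inserted right after SSLv3 when
#          SSLv3 leads the list, otherwise at the front)
#   off -> ensure TLSv1 is absent from the list
# Both directions are idempotent; every other entry is left untouched.
set_tlsv1_disabled() {
    file="$1"
    mode="$2"
    tmp="${file}.tmp.$$"
    awk -v mode="$mode" '
        /^jdk\.tls\.disabledAlgorithms=/ {
            sub(/^jdk\.tls\.disabledAlgorithms=/, "")
            # split on commas; "DH keySize < 768" contains no comma and stays whole
            n = split($0, parts, /,[ \t]*/)
            out = ""
            for (i = 1; i <= n; i++) {
                if (parts[i] == "TLSv1") continue   # drop any existing TLSv1 entry
                out = (out == "") ? parts[i] : out ", " parts[i]
            }
            if (mode == "on") {
                if (index(out, "SSLv3") == 1)
                    sub(/^SSLv3/, "SSLv3, TLSv1", out)
                else
                    out = (out == "") ? "TLSv1" : "TLSv1, " out
            }
            print "jdk.tls.disabledAlgorithms=" out
            next
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# tlsv1_is_disabled FILE
#   exit status 0 if TLSv1 itself (not TLSv1.1 or TLSv1.2) is listed.
tlsv1_is_disabled() {
    grep -E '^jdk\.tls\.disabledAlgorithms=(.*, ?)?TLSv1(,|$)' "$1" >/dev/null
}
```

Run the functions as the novell user against /opt/novell/sentinel/jdk/jre/lib/security/java.security, then restart with /opt/netiq/cg/scripts/cg_services.sh restart as the procedure states; the edit takes effect only after the JVM restarts. To confirm on the wire that the server now refuses TLS 1.0, an `openssl s_client -tls1 -connect <server>:<port>` handshake (host and port are placeholders for your deployment) should fail to negotiate while a `-tls1_1` or `-tls1_2` handshake succeeds.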

3.2.2 Secure Communication Profile

Change Guardian provides two security profiles for communication, profile_iqc and profile_javos:

  1. The legacy profile, profile_iqc, is the default on any Change Guardian installation prior to version 5.0. To avoid breaking communication between components in your Change Guardian environment, you must continue to use profile_iqc as long as one or more of the following statements are true:

    • One or more of your Windows agent instance versions is prior to 5.0.

    • One or more of your PE client instance versions is prior to version 5.0.

    • One or more of your Security Agent for UNIX instance versions is prior to 7.5.1.

    • One or more of your Security Agent for UNIX instances is being used for both Change Guardian and Secure Configuration Manager.

    • You want to continue using UNIX Agent Manager to install or upgrade your Security Agent for UNIX, instead of Change Guardian Agent Manager.

  2. The newer, enhanced profile, profile_javos, is more secure and is the default on any Change Guardian installation 5.0 or later. You can switch Change Guardian and all its components to profile_javos if all of the following are true:

    • All Change Guardian components (Change Guardian Server, Policy Editor clients, and Windows agents) are upgraded to version 5.0 or later.

    • All Security Agent for UNIX instances are upgraded to 7.5.1 and later.

    • You are ready to use Change Guardian Agent Manager for all future management of Security Agent for UNIX; UNIX Agent Manager is not compatible with the profile_javos.

    • Your instances of Security Agent for UNIX are not being used for both Change Guardian and Secure Configuration Manager.

If you have upgraded your Change Guardian server to 5.0 or later but have not switched to profile_javos yet, you must perform the following procedure to ensure that the enhanced security profile is enabled. You must switch security profiles if you want Change Guardian to be PCI compliant.

IMPORTANT: If you use UAM to install or upgrade Security Agent for UNIX, you must use profile_iqc. You must not switch the secure communication profile to profile_javos.

If you want to use profile_javos, you must upgrade all the existing agents using CG AM only, before you switch the secure profile to profile_javos. After switching to profile_javos, you must perform any installations and upgrades only via CG AM.

You should not perform this procedure if Secure Configuration Manager is also installed alongside Change Guardian in the same environment, because the SCM Core registration fails when you switch the security communication profile. For more information on how to register SCM, see Registering SCM in the Security Agent for UNIX documentation.

Prerequisites:

Perform this procedure after upgrading all the components to the latest versions, or at least to the following minimum versions:

  • Change Guardian 5.0 or later (including all agents and Policy Editor clients).

  • Security Agent 7.5.1 or later.

    NOTE: This procedure applies to the upgrade path from Change Guardian version 4.x to 5.0 and then to 5.1, but not to a direct upgrade from version 5.0 to 5.1.

Perform the following steps:

  1. Log in as a root user.

  2. Run the following command to verify whether profile_iqc is active:

    /opt/netiq/cg/javos/bin # ./javos_cert_setup.sh --show

    The following success message is displayed:

    Enabled profile: profile_iqc

  3. Run the following command to switch from profile_iqc to profile_javos:

    /opt/netiq/cg/javos/bin # ./javos_cert_setup.sh --enable --profile=profile_javos

  4. Run the following command to verify that profile_javos is active:

    /opt/netiq/cg/javos/bin # ./javos_cert_setup.sh --show

    The following success message is displayed:

    Enabled profile: profile_javos

  5. (Conditional) If the Change Guardian server is in FIPS mode, re-run the convert_to_fips.sh script.