This section provides information about configuring the following for secure communication.
Various components of Change Guardian communicate across the network and there are different types of communication protocols used throughout the system. All of these communication mechanisms affect the security of your system.
Change Guardian provides two security profiles for communication, profile_iqc and profile_javos:
The legacy profile, profile_iqc, is the default on any Change Guardian installation prior to version 5.0. To avoid breaking communication between components in your Change Guardian environment, you must continue to use profile_iqc if one or more of the following statements are true:
One or more of your Change Guardian Agent for Windows instance versions is prior to 5.0.
One or more of your PE client instance versions is prior to version 5.0.
One or more of your Security Agent for UNIX instance versions is prior to 7.5.1.
One or more of your Security Agent for UNIX instances is being used for both Change Guardian and Secure Configuration Manager.
You want to continue using UNIX Agent Manager to install or upgrade your Security Agent for UNIX, instead of Change Guardian Agent Manager.
The newer, enhanced profile, profile_javos, is more secure and is the default profile on any Change Guardian installation 5.0 and later. You can switch Change Guardian and all its components to use profile_javos if all of the following are true:
All Change Guardian components (Change Guardian Server, Policy Editor clients and Change Guardian Agent for Windows) are upgraded to version 5.0 and later.
All Security Agent for UNIX instances are upgraded to 7.5.1 and later.
You are ready to use Change Guardian Agent Manager for all future management of Security Agent for UNIX; UNIX Agent Manager is not compatible with profile_javos.
Your instances of Security Agent for UNIX are not being used for both Change Guardian and Secure Configuration Manager.
The Change Guardian server, agents, and Policy Editor components allow TLS 1.0 for communication. To improve the security posture and to prevent known vulnerabilities, you can disable TLS 1.0.
The following sections provide information about configuring TLS.
You can disable TLS 1.0 manually after completing the following prerequisites:
Upgrade Change Guardian Agent for Windows to 5.0 or later.
Upgrade Security Agent for UNIX to 7.5.1 or later.
Ensure that TLS 1.1 or a higher version is enabled for the SMTP server configured in Policy Editor.
Ensure that you have Microsoft .NET Framework 4.5 or later on Policy Editor clients and all Windows and Active Directory machines you must monitor.
To disable TLS 1.0:
Log in as novell user.
Edit the /opt/novell/sentinel/jdk/jre/lib/security/java.security file.
Add TLSv1 to the list of disabled algorithms as follows:
Before: jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
After: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, MD5withRSA, DH keySize < 768
When TLSv1 is included in the list of disabled algorithms, it forces the use of TLS 1.1 or above.
Run the following command to restart the Change Guardian server:
/opt/netiq/cg/scripts/cg_services.sh restart
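The edit above is a one-line change, but it is easy to apply twice or to a file where the list is not in the documented order. The following added example, which is not part of the Change Guardian documentation, makes the change idempotently against a java.security file and gives a client-side check that the server now refuses TLS 1.0. The function names, the backup suffix, and the assumption that the property sits on a single line (as the procedure shows it) are mine.

```shell
#!/bin/sh
# Added example, not from the Change Guardian documentation: idempotently add
# TLSv1 to jdk.tls.disabledAlgorithms in a java.security file and check the
# result. Assumes the property sits on a single line, as the procedure shows it;
# the real file is /opt/novell/sentinel/jdk/jre/lib/security/java.security.

# tlsv1_disabled FILE: return 0 if TLSv1 is already in the disabled list.
# The surrounding-character classes keep "TLSv1.1" from matching.
tlsv1_disabled() {
    grep -E '^jdk\.tls\.disabledAlgorithms=(.*[, ])?TLSv1([, ]|$)' "$1" >/dev/null
}

# disable_tlsv1 FILE: print "changed" or "unchanged"; keep a FILE.bak backup.
disable_tlsv1() {
    file="$1"
    if tlsv1_disabled "$file"; then
        echo unchanged
        return 0
    fi
    # Insert TLSv1 right after SSLv3, matching the documented "After" line.
    sed -i.bak -E 's/^(jdk\.tls\.disabledAlgorithms=SSLv3),/\1, TLSv1,/' "$file"
    if tlsv1_disabled "$file"; then
        echo changed
    else
        echo "failed: SSLv3 is not first in the list, edit $file by hand" >&2
        return 1
    fi
}

# tls10_rejected HOST PORT: return 0 when the server refuses a TLS 1.0
# handshake, which is what you expect after the restart. Needs network access.
tls10_rejected() {
    ! openssl s_client -connect "$1:$2" -tls1 </dev/null >/dev/null 2>&1
}
```

Run disable_tlsv1 on the file, restart the server as shown above, then confirm with tls10_rejected against the server's TLS port.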
By default, TLS 1.0 is disabled for new installations.
NOTE: You must not enable TLS 1.0 unless you need to ensure compatibility between the Change Guardian server and agents or servers that support only TLS 1.0, for example Security Agent for UNIX prior to 7.5.1 or an SMTP server that uses only TLS 1.0.
Perform the following steps on the Change Guardian Server:
Log in as novell user.
Edit the /opt/novell/sentinel/jdk/jre/lib/security/java.security file.
Delete TLSv1 from the list of disabled algorithms as follows:
Before: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, MD5withRSA, DH keySize < 768
After: jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
Run the following command to restart the Change Guardian server:
/opt/netiq/cg/scripts/cg_services.sh restart
To configure trusted connections when authenticating to the Administration Console, you must install valid certificates on the Change Guardian server.
The following sections provide information about configuring certificates.
Use the command line tool provided on the Change Guardian server to install the certificates.
To install certificates on the server:
Switch user to novell.
Go to /opt/novell/sentinel/setup directory.
(Optional) Generate certificate signing requests using the ./ssl_certs_cg command, and make the following selections:
Generate certificate signing requests
Web Server.
Specify a certificate signing request (.csr) filename
Get your generated .csr file signed by a certificate authority (CA)
Copy the CA root certificate chain (ca.crt) and the signed certificate (.crt) to /opt/novell/sentinel/setup.
Import the CA root certificate chain and the web server certificate by using the following commands:
./ssl_certs_cg
At the menu prompt, select Import certificate authority root certificate.
Enter the CA root certificate chain file name (ca.crt).
At the menu prompt, select Import certificate signed by certificate authority.
When prompted, select Web Server.
Specify the name of the file that contains the CA’s signed digital certificate.
Select another service if necessary, or select Done and exit from the service option.
At the menu prompt, select Exit to exit from the TLS/SSL certificate configuration.
Restart the Change Guardian server using service sentinel restart.
Import the CA root certificate chain to the computer where you use the Administration Console.
You can use CA-signed certificates in place of the self-signed certificates that are provided by Change Guardian.
To replace the self-signed certificates on the server:
Switch user to novell.
Create a backup of the existing certs folder, which is located at /opt/netiq/cgutils/certs.
Create a new certs folder at /opt/netiq/cgutils/.
Copy the CA-signed certificates to /opt/netiq/cgutils/certs
Change the permission of the certs folder by using the following command:
chmod 700 /opt/netiq/cgutils/certs
Rename the CA-signed certificate files as below:
cgca-cert.pem: The root CA certificate
cgca-pk.pem: The private key
cgca-pk.pem.pass: The private key password
Change the ownership of the CA-signed files by running the following command: chown novell:novell /opt/netiq/cgutils/certs/*
Go to the /opt/netiq/cgutils/bin directory and run the following command: ./cg_cert_setup.sh
The required certificates are created in the /opt/netiq/cgutils/certs/ directory.
To verify that the new certificates have the new CA name in the issuer field, run the following commands:
openssl x509 -in amsca-cert.pem -noout -text
openssl x509 -in javosca-cert.pem -noout -text
Go to the /opt/netiq/ams/ams/bin directory and run the following commands:
./ams_cert_setup.sh --setup --profile=ams_new_profile_name
./ams_cert_setup.sh --enable --profile=ams_new_profile_name
NOTE: It is recommended to keep the default profiles and create the profile with a different name.
To confirm that the profile is enabled, run the following command: ./ams_cert_setup.sh --show
Go to the /opt/netiq/cg/javos/bin directory and run the following commands:
./javos_cert_setup.sh --setup --profile=javos_new_profile_name
./javos_cert_setup.sh --enable --profile=javos_new_profile_name
To confirm that the profile is enabled, run the following command: ./javos_cert_setup.sh --show
(Conditional) If the Change Guardian server is in FIPS mode, then run the following commands:
/opt/netiq/ams/ams/bin/convert_to_fips.sh
/opt/netiq/cg/javos/bin/convert_to_fips.sh
(Optional) To test if the certificates are replaced successfully, remotely deploy an agent using Agent Manager and generate an event.
Change Guardian contains embedded third-party products such as JRE, Jetty, PostgreSQL, and ActiveMQ. Change Guardian includes patches that address the known security vulnerabilities (CVEs) in these products when updates for Change Guardian are released.
However, each of these products has its own release cycle, which means that there might be CVEs that are discovered before a Change Guardian update is released. You need to separately review the CVEs for each embedded third-party product, and decide whether to apply these updates to your Change Guardian system outside of the Change Guardian updates.
If you decide to apply patches to address these CVEs outside of a Change Guardian update, contact Technical Support.