2.1 Securing Communication Across the Network

The various components of Sentinel Log Manager communicate across the network, and there are different types of communication protocols used throughout the system. All of these communication mechanisms affect the security of your system.

2.1.1 Communication between Sentinel Log Manager Processes

Sentinel Log Manager processes include the Sentinel Log Manager server, Tomcat, and Collector Manager. They communicate with each other by using ActiveMQ*.

The communication between these server processes is by default over SSL via the ActiveMQ message bus. The processes use SSL by reading the following information in <Install_Directory>/config/configuration.xml:

 <jms brokerURL="ssl://localhost:61616?wireFormat.maxInactivityDuration=0&amp;jms.copyMessageOnSend=false" interceptors="compression" keystore="../config/.activemqclientkeystore.jks" keystorePassword="password" password="1fef3bcdd3fbcbc5cd795346a9f04ddc" username="system"/>

The jms strategy shown in this XML snippet defines how the Sentinel Log Manager process connects to the server. This snippet defines the client side settings of the connection.

Table 2-1 XML Entries in the configuration.xml File

XML Entry



Indicates that SSL is used for secure connection. You should not modify this value.


The hostname or IP address where the Java* message service (JMS) server is running.


The port that the JMS server is listening on.


This is where ActiveMQ configuration parameters are passed to the transport mechanism. These entries should be modified only if you are an expert in ActiveMQ.


Enables compression over the connection. You should not modify this value.


The path to the Java keystore, which is used to check if the server is trusted.


The password to the Java keystore file.


The password to present to ActiveMQ for authenticating the connection. This corresponds to a password in the Install_Directory/config/activemqusers.properties file.


The username to present to ActiveMQ for authenticating the connection. This corresponds to a username in the Install_Directory/config/activemqusers.properties file.

The server-side settings are defined in the Install_Directory/config/activemq.xml file. For instructions on how to edit the activemq.xml file, see the ActiveMQ Web site. However, Novell does not support the modification of the server-side settings.

2.1.2 Communication between Sentinel Log Manager and the Event Source Manager Client Application

The Sentinel Log Manager Event Source Management (ESM) client application by default uses SSL communication via the SSL proxy server.

For an architectural representation, see Novell Sentinel Log Manager Architecture in the Sentinel Log Manager Installation Guide.

ESM knows to use SSL by reading the following information in Install_Directory/config/configuration.xml:

<strategy active="yes" id="proxied_client" location="com.esecurity.common.communication.strategy.proxystrategy.ProxiedClientStrategyFactory">
      <transport type="ssl">
        <ssl host="" port="10013" keystore="./novell/sentinel/.proxyClientKeystore" />

2.1.3 Communication between the Server and the Database

The protocol used for communication between the server and the database is defined by a JDBC* driver.

Sentinel Log Manager uses the PostgreSQL* driver (postgresql-version.jdbc3.jar) to connect to the PostgreSQL database, which is a Java (Type IV) implementation. This driver supports encryption for data communication. To download the driver, refer to the PostgreSQL Download Page. To configure the encryption, refer to PostgreSQL Encryption Options.

NOTE:Turning encryption on has a negative impact on the performance of the system. Therefore, this security concern needs to be weighed against your performance needs. The database communication is not encrypted by default for this reason. Lack of encryption is not a major concern because communication with the database occurs over the localhost network interface.

2.1.4 Communication between the Collector Managers and Event Sources

You can configure Sentinel Log Manager to securely collect data from various event sources. However, secured data collection is determined by the specific protocols supported with the event source. For example, the Check Point LEA, Syslog, and Audit Connectors can be configured to encrypt their communication with event sources.

For more information on the possible security features that can be enabled, refer to the Connector and Event source vendor documentation.

2.1.5 Communication with Web Browsers

The Web server is by default configured to communicate via HTTPS. For more information, see the Tomcat documentation.

2.1.6 Communication between the Database and Other Clients

You can configure the PostgreSQL SIEM database to allow connections from any client machine that uses pgAdmin or another third-party application.

To allow pgAdmin to connect from any client machine, add the following line in the Install_Dirirectory/3rdparty/postgresql/data/pg_hba.conf file:

host   all    all      md5

If you want to limit the client connections that are allowed to run and connect to the database through pgAdmin, specify the IP address of the host in the above line. The following line in the pg_hba.conf file is an indicator to PostgreSQL to accept connections from the local machine so that pgAdmin is allowed to run only on the server.

host   all    all   md5

To allow connections from other client machines, you can add additional host entries in the pg_hba.conf file.

To provide maximum security, by default, PostgreSQL only allows connections from the local machine.

2.1.7 Communication between Sentinel Log Manager and NFS/CIFS Archive Servers

Sentinel Log Manager can be configured to archive event and raw data to a remote CIFS or NFS* server. These protocols do not offer data encryption, so consider security implications before deciding the type of archive location to use. An alternative is to use direct attached storage (local or SAN), which does not suffer from the same security vulnerabilities. If you choose to use CIFS or NFS, it is important to configure the CIFS or NFS server properly to maximize the security of your data.

For more information about configuring the archive server settings, see Configuring Archive Server Settings in the Sentinel Log Manager Installation Guide.