2.3 Security and Privacy

2.3.1 Secure Connections Using TLS 1.2

PlateSpin Migrate Server supports secure Transport Layer Security (TLS) 1.2 connections if TLS 1.2 is enabled in your environment. Migrate does not have a setting that forces clients to use TLS 1.2 to connect.

By default, PlateSpin Migrate Server accepts the .NET Framework default of TLS 1.0 for source workload connections. You can use Microsoft Windows Registry settings on source Windows workloads to force .NET Framework to choose TLS 1.2 when the workload connects with Migrate Server. A Microsoft update for .NET Framework might be required on the source workload in order to add support for TLS System Default Version settings. A reboot is required.

Configuring Source Workloads to Connect Using TLS 1.2

Microsoft .NET Framework versions earlier than 4.7 do not provide support for applications to use TLS System Default Versions as a cryptographic protocol. They use older versions of the TLS protocol (1.0/1.1), even if more secure protocols are available on the system. This default is not changed by PlateSpin. You can change the TLS system default version for all .NET applications to the more secure TLS 1.2 version.

An administrator user can apply a Microsoft Windows update called Support for TLS System Default Versions included in the .NET Framework on the source workload to add support for TLS 1.2 connections. The specific update depends on the operating system on the source workload.

After you apply the update, modify the Windows Registry settings for the SystemDefaultTlsVersions and SchUseStrongCrypto keys. The SystemDefaultTlsVersions settings change the behavior of .NET 3.5 and 2.0 applications. The SchUseStrongCrypto settings change the behavior of .NET 4.x applications. For more information, refer to the Microsoft Security Advisory 2960358 article.

NOTE: The Registry settings for .NET security are machine-wide settings that will impact all .NET applications on the source system.

To enable TLS 1.2 as the default cryptographic protocol for source workloads:

  1. Log in to the source workload as a user with administrative privileges.

  2. Download and install the Windows update Support for TLS System Default Versions included in the .NET Framework, according to the Windows operating system on the source workload.

    Windows Operating System / Microsoft .NET Framework Version / Windows Update with TLS 1.2 Support

    • Windows Server 2016
      .NET Framework 4.7 or higher
      No patch is required.

    • Windows Server 2012 R2, Windows 8.1
      .NET Framework 3.5 SP1
      Support for TLS System Default Versions included in the .NET Framework version 3.5 SP1 (Microsoft KB Article 3154520)

    • Windows Server 2012, Windows 8
      .NET Framework 3.5
      Support for TLS System Default Versions included in the .NET Framework version 3.5 (Microsoft KB Article 3154519)

    • Windows Server 2008 R2 SP1, Windows 7 SP1
      .NET Framework 3.5.1
      Support for TLS System Default Versions included in the .NET Framework version 3.5.1 (Microsoft KB Article 3154518)

    • Windows Server 2008 SP2
      .NET Framework 2.0 SP2
      Support for TLS System Default Versions included in the .NET Framework version 2.0 SP2 (Microsoft KB Article 3154517)

    • Windows Server 2003
      Windows Server 2003 does not support TLS 1.2.

  3. Direct .NET Framework on the source workload to use a more secure version of TLS by using the Windows Registry Editor to apply the following Windows Registry settings:

    Registry Settings for 64-bit Systems

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    Registry Settings for 32-bit Systems

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

  4. (Windows Server 2008 R2 and earlier) Enable TLS 1.2 on the source workload by using the Windows Registry Editor to apply the following Windows Registry change:

    Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    Value Name: "DisabledByDefault"
    Value Type: DWORD
    Value Data: 0

    This change is required because Windows Server 2008 R2 and earlier operating systems disable TLS 1.2 by default, while Windows Server 2012 and later operating systems enable TLS 1.2 by default.

  5. Reboot the source workload.
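The registry changes in steps 3 and 4 can be applied and then read back in one pass. The following PowerShell script is an added example, not PlateSpin's own tooling; it assumes an elevated session on the source workload, that the 64-bit/32-bit case is decided from the OS bitness, and that "Windows Server 2008 R2 and earlier" is identified by a kernel version below 6.2.

```powershell
# Added example (not PlateSpin code): apply the .NET TLS registry settings from steps 3 and 4,
# then report each setting so the change can be verified before the reboot in step 5.
$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727'; Name = 'SystemDefaultTlsVersions'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto';        Value = 1 }
)
# 64-bit systems also carry the Wow6432Node view used by 32-bit .NET processes.
if ([Environment]::Is64BitOperatingSystem) {
    $settings += @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'; Name = 'SystemDefaultTlsVersions'; Value = 1 }
    $settings += @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto';        Value = 1 }
}
# Step 4: on Windows Server 2008 R2 and earlier (assumption: kernel version < 6.2) the SCHANNEL
# client side of TLS 1.2 is disabled by default and must be switched on explicitly.
if ([Environment]::OSVersion.Version -lt [Version]'6.2') {
    $settings += @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
                    Name = 'DisabledByDefault'; Value = 0 }
}

function Set-DotNetTls12Defaults {
    foreach ($s in $settings) {
        # Registry keys (e.g. the TLS 1.2\Client key) may not exist yet; create them first.
        if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    }
}

function Test-DotNetTls12Defaults {
    # One row per expected value; Ok = $false flags drift or a missing value.
    foreach ($s in $settings) {
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Path = $s.Path; Name = $s.Name; Expected = $s.Value; Actual = $actual
            Ok   = ($actual -eq $s.Value)
        }
    }
}

Set-DotNetTls12Defaults
Test-DotNetTls12Defaults | Format-Table -AutoSize
```

Test-DotNetTls12Defaults can also be run on its own, before discovery, to confirm the source workload still carries the expected values.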

2.3.2 Security of Workload Data in Transmission

To make the transfer of your workload data more secure, you can configure your migration jobs to encrypt the data in transit to the target. When encryption is enabled, over-the-network data transfer from the source to the target is encrypted by using 128-bit Advanced Encryption Standard (AES). For information about how to enable encryption during data transfer for a migration job, see Section 26.11, Conversion (Data Transfer Method).

You can configure your PlateSpin Server to use a data encryption algorithm that is compliant with FIPS (Federal Information Processing Standards, Publication 140-2). If compliance with FIPS is required, it must be set up on your system prior to the PlateSpin Server installation. See Enabling Support for FIPS-Compliant Data Encryption Algorithms (Optional) in your Installation Guide.

If FIPS is enabled in a source workload, ensure that the EnforceFIPSCompliance parameter is enabled on the PlateSpin Migrate server before you discover the source workload. See Section 5.3, Enforcing FIPS Compliance for FIPS-Enabled Source Workloads.

2.3.3 Security of Client-Server Communications

Data transmission between the PlateSpin Server and the PlateSpin Migrate Client can be configured to use either HTTP (default) or HTTPS (Hypertext Transfer Protocol Secure). To secure data transmission between the client and the server, enable SSL on your PlateSpin Server host and use HTTPS when specifying the server URL. See Connecting to a PlateSpin Migrate Server.

2.3.4 Security of Credentials

Credentials that you use to access sources and targets in workload migration jobs are:

  • Cached, encrypted, and securely stored by the PlateSpin Migrate Client, by using operating system APIs.

  • Stored in the PlateSpin Migrate database and are therefore covered by the same security safeguards that you have in place for PlateSpin Server hosts.

  • Included within diagnostics, which are accessible to accredited users. You should ensure workload migration projects are handled by authorized staff.

2.3.5 User Authorization and Authentication

PlateSpin Migrate provides a role-based user authorization and authentication mechanism. See Section 4.1, Configuring User Authorization and Authentication.

NOTE: If you have installed a PlateSpin Migrate Server localized for one language and a PlateSpin Migrate Client localized for a different language, do not use authorization credentials that include any language-specific characters. Using such characters in the login credentials causes miscommunication between the client and the server: the credentials are rejected as invalid.