2014 IBM Corporation

Transcription

1 2014 IBM Corporation

2 This is the 27 th Q&A event prepared by the IBM License Metric Tool Central Team (ICT) Currently we focus on version 9.x of IBM License Metric Tool (ILMT) The content of today s session also applies to Software Use Analysis (SUA) in version 9.x The session is for all ILMT users IBMers, Business Partners and Customers The teleconference is set to mute. Use the web conference chat to communicate with the ILMT subject matter experts The presentation is recorded and will be available to watch on the ILMT YouTube channel as well as to download from the ILMT Wiki soon 2

3

4 Flow of data Configuring secure communication Federal Information Processing Standard (FIPS) Standard Recommendation SP Managing a certificate Existing certificate authority (CA) Private certificate authority Authenticating users with Lightweight Directory Access Protocol (LDAP) Demo Questions & Answers Survey 4

5 5

6 6

7 7

8 8

9 Security Requirements Security Configuration Scenarios 01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Adm/c_scenarios_sha2_installation.html Client Authentication 01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Console/ClientAuthentication.html%23ClientAuthe ntication Managing Client Encryption 01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Config/c_managing_client_encryption.html 9

10 10

11 A digital certificate is a signed public key that is accompanied by information about the key owner The public key always has a private key that is associated with it The License Metric Tool server can use SSL if the server possesses both the certificate and the private key that is associated with it Security of your access to the web console of License Metric Tool depends on the security of the digital certificate, and its private key, that the server uses for protecting the communication By default, SSL is enabled on the server, however, the initial configuration is based on a temporary self-signed certificate and is not intended to be used in the production environment The initial certificate should be replaced with a server certificate that is signed by a certificate authority (CA) that you trust 11

12 12

13 Federal Information Processing Standards (FIPS) are standards and guidelines that are issued by the National Institute of Standards and Technology (NIST) for federal government computer systems You can configure License Metric Tool to be compliant with the Federal Information Processing Standard requirements that are related to encryption 13

14 FIPS is the standard that defines the security requirements for cryptographic modules that are used within a system that handles sensitive but unclassified information Compliance with the FIPS has two aspects that affect ILMT the algorithms that are used to manage sensitive data must be FIPS-approved FIPS-approved implementation must be used when data is transmitted with the SSL/TLS 14

15 IBM License Metric Tool 9.0 uses the FIPS approved cryptographic providers for cryptography: IBMJCEFIPS (certificate 376) IBMJSSEFIPS (certificate 409) IBM Crypto for C (ICC) (certificate 384) 15

16 At the start of the 21 st century, the National Institute of Standards and Technology (NIST) began the task of providing cryptographic key management guidance, which includes defining and implementing appropriate key management procedures, using algorithms that adequately protect sensitive information, and planning ahead for possible changes in the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques NIST Special Publication (SP) , Part 1 was the first document produced in this effort, and includes a general approach for transitioning from one algorithm or key length to another This Recommendation (SP A) provides more specific guidance for transitions to the use of stronger cryptographic keys and more robust algorithms

17 SP requires longer key lengths and stronger cryptography The SP specification also provides a transition configuration to enable users to move to a strict enforcement of SP The transition configuration also enables users to run with a mixture of settings from both FIPS140-2 and SP SP can be run in two modes transition strict The transition mode is offered to give you a setting to move your environment to SP strict mode In transition mode, it is optional to use the SP required certificates and to set the protocol to SP

18 The following requirements must be fulfilled to allow for the strict enforcement of SP : The use of the TLS version 1.2 protocol for the Secure Sockets Layer (SSL) context Certificates must have a minimum length of 2048 bytes. An Elliptic Curve (EC) certificate requires a minimum size of 244-bit curves Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512 Valid signature algorithms include: SHA256 with RSA SHA384 with RSA SHA512 with RSA SHA256 with ECDSA SHA384 with ECDSA SHA512 with ECDSA SP approved cipher suites 18

19 IBM License Metric Tool profile gives setup possibility to meet the SP requirement that is originated by the National Institute of Standards and Technology You can configure License Metric Tool to run in SP strict or transition mode 19

20 When you configure security settings, ensure that the combination of security modes that you set up on the side of Endpoint Manager and License Metric Tool is supported Legend: - the mode is enabled ANY - the mode is either enabled or disabled 20

21 21

22 The self-signed certificate that is provided with License Metric Tool is not intended to be used in the production environment Replace it with a certificate that is signed by a certificate authority (CA) of your choice To have a certificate, you need to generate a private key, a public key, and a certificate signing request (CSR) that is associated with the public key Next, a certificate authority must sign this request and there are two ways to get a certificate signing request signed: send it to an existing certificate authority, e.g. Entrust Verisign CA of your organization create a private CA 22

23 Existing certificate authority (CA) You can use an existing CA to sign your certificate signing request (CSR) The root certificates of popular CAs are imported into new web browsers by default Private certificate authority You can create a private CA and use it for signing the CSR A private CA can be created on any computer with an operating system that supports openssl 23

24 24

25 Lightweight Directory Access Protocol (LDAP) is a set of client/server protocols for accessing and managing information directories LDAP supports TCP/IP protocol for communication and uses simple string formats for data transfer LDAP is cross-platform and standards-based, therefore applications do not need to worry about the type of server hosting the directory LDAP is a simplified variation of X.500 Directory Access Protocol 25

26 IBM License Metric Tool (ILMT) 9.0 supports authentication through a Lightweight Directory Access Protocol (LDAP) server ILMT server configuration consists of a few steps: Creation of a directory that the application would link to Creation a user that would link to the created directory Users integration with ILMT using the LDAP protocol Integrating users with Web Reports 26

27 27

28 28

29 2014 IBM Corporation