2014 IBM Corporation
This is the 27th Q&A event prepared by the IBM License Metric Tool Central Team (ICT). Currently we focus on version 9.x of IBM License Metric Tool (ILMT). The content of today's session also applies to Software Use Analysis (SUA) in version 9.x. The session is for all ILMT users: IBMers, Business Partners and Customers.

The teleconference is set to mute. Use the web conference chat to communicate with the ILMT subject matter experts. The presentation is recorded and will be available to watch on the ILMT YouTube channel as well as to download from the ILMT Wiki soon.

Contact and community channels:
- LMTHelp@us.ibm.com
- https://ibm.biz/ilmt_forum
- https://ibm.biz/ilmt_wiki
- https://ibm.biz/ilmt_youtube
- https://ibm.biz/ilmt_twitter
- https://ibm.biz/ilmt_linkedin

Agenda:
- Flow of data
- Configuring secure communication
  - Federal Information Processing Standard (FIPS) 140-2
  - Recommendation SP 800-131
- Managing a certificate
  - Existing certificate authority (CA)
  - Private certificate authority
- Authenticating users with Lightweight Directory Access Protocol (LDAP)
- Demo
- Questions & Answers
- Survey
Further reading in the IBM Knowledge Center:
- Security Requirements: http://www-01.ibm.com/support/knowledgecenter/sskllw_9.1.0/com.ibm.tivoli.tem.doc_9.1/platform/adm/c_security_requirements.html
- Security Configuration Scenarios: http://www-01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Adm/c_scenarios_sha2_installation.html
- Client Authentication: http://www-01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Console/ClientAuthentication.html%23ClientAuthentication
- Managing Client Encryption: http://www-01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Config/c_managing_client_encryption.html
A digital certificate is a signed public key that is accompanied by information about the key owner. The public key always has a private key that is associated with it. The License Metric Tool server can use SSL if the server possesses both the certificate and the private key that is associated with it.

Security of your access to the web console of License Metric Tool depends on the security of the digital certificate, and its private key, that the server uses for protecting the communication. By default, SSL is enabled on the server; however, the initial configuration is based on a temporary self-signed certificate and is not intended to be used in the production environment. The initial certificate should be replaced with a server certificate that is signed by a certificate authority (CA) that you trust.
Federal Information Processing Standards (FIPS) are standards and guidelines that are issued by the National Institute of Standards and Technology (NIST) for federal government computer systems. You can configure License Metric Tool to be compliant with the Federal Information Processing Standard requirements that are related to encryption. See http://csrc.nist.gov/

FIPS 140-2 is the standard that defines the security requirements for cryptographic modules that are used within a system that handles sensitive but unclassified information. Compliance with FIPS 140-2 has two aspects that affect ILMT:
- the algorithms that are used to manage sensitive data must be FIPS-approved
- a FIPS-approved implementation must be used when data is transmitted with SSL/TLS
See http://csrc.nist.gov/publications/pubsfips.html

IBM License Metric Tool 9.0 uses the following FIPS 140-2 approved cryptographic providers for cryptography:
- IBMJCEFIPS (certificate 376)
- IBMJSSEFIPS (certificate 409)
- IBM Crypto for C (ICC) (certificate 384)
See http://csrc.nist.gov/publications/pubsfips.html
At the start of the 21st century, the National Institute of Standards and Technology (NIST) began the task of providing cryptographic key management guidance, which includes defining and implementing appropriate key management procedures, using algorithms that adequately protect sensitive information, and planning ahead for possible changes in the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques. NIST Special Publication (SP) 800-57, Part 1 was the first document produced in this effort, and includes a general approach for transitioning from one algorithm or key length to another. This Recommendation (SP 800-131A) provides more specific guidance for transitions to the use of stronger cryptographic keys and more robust algorithms.
- http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
- http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf

SP 800-131 requires longer key lengths and stronger cryptography. The SP 800-131 specification also provides a transition configuration to enable users to move to a strict enforcement of SP 800-131. The transition configuration also enables users to run with a mixture of settings from both FIPS 140-2 and SP 800-131. SP 800-131 can be run in two modes: transition and strict. The transition mode is offered to give you a setting to move your environment to SP 800-131 strict mode. In transition mode, it is optional to use the SP 800-131 required certificates and to set the protocol to SP 800-131.

The following requirements must be fulfilled to allow for the strict enforcement of SP 800-131:
- The TLS version 1.2 protocol is used for the Secure Sockets Layer (SSL) context.
- Certificates must have a minimum length of 2048 bytes. An Elliptic Curve (EC) certificate requires a minimum size of 244-bit curves.
- Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512. Valid signature algorithms include:
  - SHA256 with RSA
  - SHA384 with RSA
  - SHA512 with RSA
  - SHA256 with ECDSA
  - SHA384 with ECDSA
  - SHA512 with ECDSA
- SP 800-131 approved cipher suites are used.

The IBM License Metric Tool profile can be set up to meet the SP 800-131 requirement, which originates from the National Institute of Standards and Technology. You can configure License Metric Tool to run in SP 800-131 strict or transition mode.

When you configure security settings, ensure that the combination of security modes that you set up on the Endpoint Manager side and on the License Metric Tool side is supported. Legend: - the mode is enabled; ANY - the mode is either enabled or disabled.
The self-signed certificate that is provided with License Metric Tool is not intended to be used in the production environment. Replace it with a certificate that is signed by a certificate authority (CA) of your choice. To have a certificate, you need to generate a private key, a public key, and a certificate signing request (CSR) that is associated with the public key. Next, a certificate authority must sign this request. There are two ways to get a certificate signing request signed:
- send it to an existing certificate authority, e.g. Entrust, Verisign, or the CA of your organization
- create a private CA

Existing certificate authority (CA)
You can use an existing CA to sign your certificate signing request (CSR). The root certificates of popular CAs are imported into new web browsers by default.

Private certificate authority
You can create a private CA and use it for signing the CSR. A private CA can be created on any computer with an operating system that supports openssl.
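The private-CA flow above (private key, CSR, CA signature) and the SP 800-131 strict certificate rules from the earlier slide, worked through in Go as an added example that is not part of the presentation or of IBM's code; the function names, the "Example Private CA" and "ilmt.example.internal" names, and the 24-hour validity are constructed for the example, and the strict check covers RSA certificates only.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckStrict applies the SP 800-131 strict rules to an RSA certificate: a 2048-bit modulus and a SHA-256/384/512 signature.
func CheckStrict(c *x509.Certificate) error {
	k, ok := c.PublicKey.(*rsa.PublicKey)
	if !ok || k.N.BitLen() < 2048 {
		return errors.New("certificate key is not an RSA key of at least 2048 bits")
	}
	switch c.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA, x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
		return nil
	}
	return errors.New("signature is not SHA256/384/512 with RSA or ECDSA")
}

// IssueFromPrivateCA mirrors the slide: create a private CA, let the server build a key and CSR, then sign the CSR.
func IssueFromPrivateCA(bits int, alg x509.SignatureAlgorithm) (srv, ca *x509.Certificate, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, bits) // the CA's signing key (constructed, throwaway)
	if err != nil { return nil, nil, err }
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, SignatureAlgorithm: alg}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil { return nil, nil, err }
	if ca, err = x509.ParseCertificate(caDER); err != nil { return nil, nil, err }
	srvKey, err := rsa.GenerateKey(rand.Reader, bits) // the server's private key; it never leaves the server
	if err != nil { return nil, nil, err }
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: "ilmt.example.internal"}, SignatureAlgorithm: alg}, srvKey)
	if err != nil { return nil, nil, err }
	csr, err := x509.ParseCertificateRequest(csrDER) // what the CA receives from the server
	if err != nil { return nil, nil, err }
	if err = csr.CheckSignature(); err != nil { return nil, nil, err } // the CSR must prove possession of the private key
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, SignatureAlgorithm: alg,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, srvTmpl, ca, csr.PublicKey, caKey) // CA signs the requested public key
	if err != nil { return nil, nil, err }
	srv, err = x509.ParseCertificate(der)
	return srv, ca, err
}
```

A 2048-bit SHA256withRSA certificate issued this way passes CheckStrict and chains to the private CA, while a 1024-bit one issues fine but fails the strict check, which is the situation the transition mode exists to flush out.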
Lightweight Directory Access Protocol (LDAP) is a set of client/server protocols for accessing and managing information directories. LDAP supports the TCP/IP protocol for communication and uses simple string formats for data transfer. LDAP is cross-platform and standards-based; therefore applications do not need to worry about the type of server hosting the directory. LDAP is a simplified variation of the X.500 Directory Access Protocol.

IBM License Metric Tool (ILMT) 9.0 supports authentication through a Lightweight Directory Access Protocol (LDAP) server. ILMT server configuration consists of a few steps:
- Creation of a directory that the application links to
- Creation of a user that links to the created directory
- Integration of users with ILMT using the LDAP protocol
- Integration of users with Web Reports