Encryption level information for SMAgent to SMP, SMP to SQL, and SMP to AD

Article ID: 150373


Products

IT Management Suite

Issue/Introduction

Question:

What levels of encryption are used for the following communication paths in ITMS 7.6 HF7 and later?

1. Agent to SMP

2. SMP to SQL

3. SMP to Active Directory (during AD import/sync)

Environment

ITMS 7.6, 8.x

Resolution

Answer:

1. SMP/Agent communication:
   a. Data received from SMP. The following crypto primitives are used to encrypt the data:

  • AES-256
  • SHA-256
  • HMAC SHA-256
  • RSA-2048

   Note: RC4 ciphers are no longer used since the ITMS 7.5 release.

   b. Data sent to SMP (NSEs). The same crypto primitives as above are used.
   c. Credentials received from SMP. Different keys can be used to encrypt credentials: the legacy key can be 3DES, but normally AES-256 is used, together with SHA-256.
2. SMP/SQL communication:
   a. Can be encrypted by following Microsoft article ms189067 and setting the DbEncryptedConnection core setting.
3. SMP/Active Directory import and sync:
   a. We use the 'Secure' flag for the AD connection, which Microsoft .NET describes as follows: "the WinNT provider uses NTLM to authenticate the client. Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client."
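The two checks below are added examples written for this article; they are not code from the article or from the IT Management Suite product. The first verifies item 2 (SMP/SQL): it opens a SQL Server connection that requests TLS and validates the server certificate, then reads sys.dm_exec_connections to report which sessions on the instance actually negotiated encryption, so an operator can confirm the result of the ms189067 / DbEncryptedConnection configuration rather than assume it. The server and database names are placeholders; the query runs against real SQL Server DMVs.

```powershell
# Added example, not part of the KB article. Placeholders: $Server and
# $Database are hypothetical names; replace them with your SMP SQL instance.
$Server   = 'SQLSERVER01'
$Database = 'SMP_DATABASE'

# Encrypt=True requests TLS for this session; TrustServerCertificate=False
# makes the client validate the server certificate instead of accepting any.
$connString = "Server=$Server;Database=$Database;Integrated Security=True;" +
              "Encrypt=True;TrustServerCertificate=False"

function Get-SqlSessionEncryption {
    param([string]$ConnectionString)

    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # encrypt_option is TRUE only for sessions that negotiated TLS;
        # auth_scheme shows KERBEROS, NTLM or SQL for each session.
        $cmd.CommandText = @"
SELECT c.session_id, c.encrypt_option, c.auth_scheme,
       c.client_net_address, s.program_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.net_transport <> 'Shared memory'
"@
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{
                SessionId     = $reader['session_id']
                Encrypted     = ($reader['encrypt_option'] -eq 'TRUE')
                AuthScheme    = $reader['auth_scheme']
                ClientAddress = $reader['client_net_address']
                Program       = $reader['program_name']
            }
        }
        $reader.Close()
    }
    finally {
        $conn.Close()
    }
}

$sessions = Get-SqlSessionEncryption -ConnectionString $connString

# Sessions arriving over TCP without TLS are the ones to investigate:
# they indicate a client that has not been configured for encryption.
$sessions | Where-Object { -not $_.Encrypted } |
    Format-Table SessionId, AuthScheme, ClientAddress, Program -AutoSize
```

The second example illustrates item 3 (SMP/AD): it binds to a directory with the same .NET AuthenticationTypes.Secure flag the article refers to, which yields a Kerberos (or NTLM) authenticated bind rather than a cleartext simple bind. The LDAP path is a placeholder. Note that Secure by itself protects the authentication step; the Sealing and Signing members of the same enumeration are the flags to add if the LDAP traffic after the bind must also be encrypted and integrity-protected.

```powershell
# Added example, not part of the KB article. Placeholder: $ldapPath is a
# hypothetical directory path; $cred is prompted for interactively.
Add-Type -AssemblyName System.DirectoryServices

$ldapPath = 'LDAP://dc01.example.local/DC=example,DC=local'
$cred     = Get-Credential -Message 'Account used for the AD import'

# AuthenticationTypes.Secure: Kerberos, with possible NTLM fallback, instead
# of an LDAP simple bind that would send the password in cleartext.
$authType = [System.DirectoryServices.AuthenticationTypes]::Secure

function Test-SecureDirectoryBind {
    param([string]$Path, [pscredential]$Credential,
          [System.DirectoryServices.AuthenticationTypes]$AuthType)

    $entry = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList @(
        $Path,
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password,
        $AuthType
    )
    try {
        # Reading NativeObject forces the bind; a failure here means the
        # directory rejected the secure bind for this account.
        $null = $entry.NativeObject
        [pscustomobject]@{ Path = $Path; AuthType = $AuthType; Bound = $true;  Error = $null }
    }
    catch {
        [pscustomobject]@{ Path = $Path; AuthType = $AuthType; Bound = $false; Error = $_.Exception.Message }
    }
    finally {
        $entry.Dispose()
    }
}

Test-SecureDirectoryBind -Path $ldapPath -Credential $cred -AuthType $authType
```

Run the bind test with the account configured for the AD import; a successful result confirms that the account can authenticate with the Secure flag, and a failure message will usually distinguish a credential problem from a Kerberos or connectivity problem.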