Can third-party software be installed on Symantec Encryption Management Server?


Article ID: 206673


Products

  • Encryption Management Server
  • Encryption Management Server Powered by PGP Technology
  • PGP Key Management Server
  • PGP Key Mgmt Client Access and CLI API

Issue/Introduction

At its core, Symantec Encryption Management Server (SEMS) is a Linux server based on RHEL. Although the backend filesystem is Linux, it is a highly customized flavor of Linux that houses all the custom binaries specific to SEMS, including our encryption SDK. Those familiar with RHEL will be able to navigate around, but there are noticeable differences that should immediately indicate this is a customized install of Linux.

Symantec Encryption Management Server is considered a locked box, which in this context means there is no method to access the backend database or file system without adding a PuTTY key for proper authentication. To gain access using a PuTTY key, the SEMS Administrator must have the "Super User" role, which is assigned to the first account created during the installation process of the server. Any subsequent Administrators added to the system can be designated with different roles, but Super User should be granted only to the most trusted administrators and those who absolutely need this access.

Super User provides one additional permission: SSH Access.  Although SEMS does not configure a "root" account for login to the backend filesystem, you can gain SSH access to the server via this Super User role and once you do, you will have all the permissions of "root".  Root is able to perform any operation, including installing applications on the SEMS or even modifying its own customized scripts.

Can additional software, or even customized Linux scripts, be installed on the server?

Resolution

Third-party applications could be installed on the server if they are RHEL-compliant; however, doing so is not supported. Installing third-party applications or using customized scripts outside of written or contractual approvals and agreements is not supported. Symantec Encryption Management Server is scanned for security and is considered a locked box. As a result, SEMS is considered a secure device, and making changes to the system could introduce security-related issues. Installing any third-party software is therefore highly discouraged and is not supported.

Any changes made to the server using the command line must be:

  • Authorized in writing by Broadcom Technical Support or published as an approved and documented process on the Broadcom Knowledge Base.
  • Implemented contractually by a Broadcom Partner, reseller or Broadcom Technical Support.
  • Summarized and documented in a text file in the /var/lib/ovid/customization directory on the Encryption Management Server itself.

Outside of the above circumstances, changes to the server should not be made. Any such change should be made only after consulting with Symantec Professionals to ensure that it will be stable and supported in your environment.

Contact Symantec Encryption Support to make this request.

Additional Information

EPG-23615
ISFR-1797