NetOps Performance Management Architecture Question: TLS

Article ID: 241872

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

Application Architecture Question: Does the application use TLS 1.2 or greater to safeguard sensitive data during any network transmissions over all networks through which sensitive information is transmitted?

Does DX NetOps Performance Management use TLSv1.2 or greater for encryption and security?

Environment

All supported DX NetOps Performance Management releases

Resolution

The Note on the first page of the HTTPS configuration documentation (the Enable HTTPS topic) partially answers this question. The following additional information may also be useful.

  • TLSv1.0 and TLSv1.1 (and all SSL versions) are disabled by default in Jetty on both the Data Aggregator and Portal systems. This is hard coded.
  • TLSv1.2 is the only protocol version allowed. This is hard coded in the NetOps Performance Manager HTTPS code.
  • All TLS versions lower than 1.2 are disabled by default in the Java 11 runtime embedded with NetOps Performance Management.
    • Lower TLS versions would only function if a user intentionally reconfigured the default Java 11 installation we ship to allow them.
  • When configured for HTTP (the default), no transport security is used.
  • TLSv1.2 is used for the following when they are configured:
    • HTTPS: This applies to communications between:
      • Users and Portal web UI
      • Portal and Data Aggregator
      • Data Aggregator and Data Collector
    • LDAPS
    • SMTPS
  • ActiveMQ communication between the Data Aggregator and Data Collector uses TLSv1.2.
  • There are no files in the latest NetOps Performance Manager release that provide proof only TLSv1.2 is used.
    • It is hard coded in the software's proprietary code.
    • The only visible reference available in the installed software is in the embedded Java 11 installation.
      • For example, on the Portal web server it is /opt/CA/jre/conf/security/java.security.
      • That file is where Java 11 shows all TLS versions except TLSv1.2 disabled by default.
  • This information applies to all DX NetOps Performance Management systems capable of HTTPS configuration. This includes:
    • DX NetOps Portal web server
    • DX NetOps Data Aggregator
    • DX NetOps Data Collector(s)
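
As an added example (not Broadcom's code and not part of this article), the following Python check reads a java.security file, joins the backslash-continued jdk.tls.disabledAlgorithms entry, and reports whether SSLv3, TLSv1 and TLSv1.1 are disabled. The embedded sample is a constructed excerpt modelled on the Java 11 default, not the shipped file; point the script at /opt/CA/jre/conf/security/java.security to confirm the default has not been weakened.

```python
import sys

# Constructed excerpt in the style of the java.security file shipped with the
# embedded Java 11 JRE. The real file is much longer; this is sample input only.
SAMPLE_JAVA_SECURITY = """\
# jdk.tls.disabledAlgorithms spans several lines in the real file (trailing backslash).
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer
"""

# Protocol versions below TLS 1.2 that the JRE default is expected to disable.
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")

def load_properties(text):
    """Minimal Java properties parser: skips comments, joins backslash-continued lines."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, sep, value = (pending + line).partition("=")
        pending = ""
        if sep:
            props[key.strip()] = value.strip()
    return props

def disabled_algorithms(text):
    """Return the set of entries listed in jdk.tls.disabledAlgorithms."""
    value = load_properties(text).get("jdk.tls.disabledAlgorithms", "")
    return {item.strip() for item in value.split(",") if item.strip()}

def legacy_tls_report(text):
    """Map each pre-1.2 protocol to True if the file disables it."""
    disabled = disabled_algorithms(text)
    return {proto: proto in disabled for proto in LEGACY_PROTOCOLS}

def legacy_tls_all_disabled(text):
    """True only when SSLv3, TLSv1 and TLSv1.1 are all disabled, as Java 11 ships."""
    return all(legacy_tls_report(text).values())

if __name__ == "__main__":
    # Pass the path to java.security as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JAVA_SECURITY
    for proto, off in legacy_tls_report(text).items():
        print(f"{proto}: {'disabled' if off else 'ENABLED (default weakened)'}")
```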

Additional Information

It has been found that the activemq.xml files on the DA (Data Aggregator) and DC (Data Collector) systems contain configuration that allows TLS versions lower than 1.2. This is not a concern, because the Java 11 restrictions allow only TLSv1.2. It would only become a concern if a user manually and intentionally reconfigured Java 11 to allow lower TLS versions.

Defect DE549057 has been submitted to remove this reference from the activemq.xml files in a future NetOps release.