Harvest Database STIG Questions

Article ID: 248478

Products

CA Harvest Software Change Manager
CA Harvest Software Change Manager - OpenMake Meister

Issue/Introduction

We request answers to some questions about how the Harvest database handles STIG (Security Technical Implementation Guide) security concerns.

Environment

Harvest Software Change Manager v13.0.3 and higher

Resolution

Does the database contain any PII, sensitive or classified information?

PII (personally identifiable information) can be saved in the Harvest database for each user, as provided by the Harvest Administrator (for internally authenticated users) or by the LDAP server (for externally authenticated users). This information could include the user's first and last name, phone number, email address, and userid. These data fields (except for userid) are optional. For internally authenticated users, the password is also stored in the Harvest database using a proprietary encryption algorithm that cannot be easily decrypted.

If any of the files checked into Harvest contain PII, sensitive, or classified information, this is also stored in the Harvest database. Harvest does not provide a way to identify PII, sensitive or classified information within the contents of files checked in.

What Oracle Components are required by the Harvest app?

The Oracle components currently installed are:

COMP_ID    COMP_NAME
---------  ------------------------------
JAVAVM     JServer JAVA Virtual Machine
APS        OLAP Analytic Workspace
APEX       Oracle Application Express
CATJAVA    Oracle Database Java Packages
DV         Oracle Database Vault
OLS        Oracle Label Security
ORDIM      Oracle Multimedia
XOQ        Oracle OLAP API
CONTEXT    Oracle Text
XML        Oracle XDK
SDO        Spatial

Harvest installs its own JRE within the application root folder (Ex: C:\Program Files\CA\SCM\jre). No additional JAVAVM is required.

To configure the Harvest server, an Oracle server and an Oracle client are required. On the machine where the Harvest server is installed, at a minimum the Oracle client is required to configure the Harvest server. The Oracle server can exist on a remote machine, or the Oracle server and client can both exist on the same machine where the Harvest server is installed.

Other components mentioned here are not required.

Can any of the following Oracle integrated components, which cannot be removed, be disabled?

Partitioning
OLAP
Real Application Testing
Data Mining

Harvest doesn't use any of these integrated components.

Does the application store the HARVESTDBA password in clear text anywhere?

No. Harvest only saves the HARVEST schema password in an encrypted password file (using CA's proprietary encryption method).

Has a client-side Oracle Wallet been set up on the client?

Harvest doesn't use a wallet.

Does the application generate any error messages/logs that contain PII data, sensitive business data, or information useful for identifying the host system?
-- The application should be configured so that it does not divulge such information.

Log files contain hostnames and port numbers of hserver, broker, and client machines, as well as userids of users logging in.

Depending on the logging level configured, and the activity being captured, additional sensitive data might appear in the log files as well.  For example, if the HServer logging level is set to "-logging=5", the data returned by SQL queries is recorded in the log file.  

Broker log files list the names of the client computers from which connections are initiated to the Harvest server. This is logged for every client connection.

Additionally, hgetusg (command line) lists the client hostnames of the users logged in. Note that this command can be executed only by Harvest Administrators.
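As an added example (not part of this article and not Harvest product code), the following Python audit classifies log lines into the categories the article names (hostnames, ports, userids, SQL result data, and PII that may appear inside SQL results) and reads the HServer "-logging=N" setting to tell whether SQL query data will be recorded. The log line layout and the argument string are constructed assumptions; the real HServer and Broker log formats are not shown in the article.

```python
import re

# Constructed sample lines. The article states that Harvest logs carry hostnames,
# ports and userids, and at "-logging=5" the data returned by SQL queries; the
# line layout below is an assumption for illustration only.
SAMPLE_LOG = """\
broker: connection from client host wks-dev-07.corp.example port 5101
hserver: user jsmith logged in from wks-dev-07.corp.example
hserver: SQL result row: jsmith|John|Smith|john.smith@example.com|555-0134
hserver: checkin complete for package PKG-00412
"""

PATTERNS = {
    "hostname":   re.compile(r"\b(?:host|from)\s+([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"),
    "port":       re.compile(r"\bport\s+\d{2,5}\b"),
    "userid":     re.compile(r"\buser\s+\w+"),
    "sql_result": re.compile(r"SQL result row:"),
    "email":      re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone":      re.compile(r"\b\d{3}-\d{4}\b"),
}
# PII categories, as opposed to host/port/userid system identifiers.
PII = {"email", "phone"}

def classify_line(line: str) -> set:
    """Return the set of sensitive-data categories present in one log line."""
    return {name for name, rx in PATTERNS.items() if rx.search(line)}

def audit_log(text: str) -> dict:
    """Count each category across all lines and list the line numbers exposing PII."""
    counts = {name: 0 for name in PATTERNS}
    pii_lines = []
    for lineno, line in enumerate(text.splitlines(), 1):
        cats = classify_line(line)
        for c in cats:
            counts[c] += 1
        if cats & PII:
            pii_lines.append(lineno)
    return {"counts": counts, "pii_lines": pii_lines}

def logging_level(hserver_args: str) -> int:
    """Extract N from a '-logging=N' option; returns 0 when absent (assumed default)."""
    m = re.search(r"-logging=(\d+)", hserver_args)
    return int(m.group(1)) if m else 0

def records_sql_data(hserver_args: str) -> bool:
    """True at level 5, the level the article says records SQL query results
    (treating higher levels the same way is an assumption)."""
    return logging_level(hserver_args) >= 5

if __name__ == "__main__":
    print(audit_log(SAMPLE_LOG))
    print(records_sql_data("hserver -logging=5"))
```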

How does the Harvest application connect to the broker?

Harvest clients connect to the Harvest Server using a TCP connection. For all metadata requests, all Harvest clients use a single port on the server. For file content exchange, separate connections called "direct connections" are used, with a specific port range that is configured in the configuration file.

And how does the broker connect to the database?

The broker connects to the database using ODBC drivers. The username and password are saved in an encrypted file (using CA's proprietary encryption techniques). This encrypted file is saved within the Harvest application folder.

Is the password set up in a configuration file that is created on the application/broker server when the software is installed and initially connects to the database?

During installation and initial connection to the Harvest database, the userid and password are placed in an encrypted password file. These credentials are never stored in plain text.

svrenc is the encryption utility used to encrypt the DB schema password. Whenever this utility is re-run, the encrypted password file is regenerated.

Additional Information

More information on the Harvest log files is found here: Location of the Harvest log files

More information on installing Harvest is found here: Install CA Harvest SCM

More information on the svrenc password encryption utility is found here: svrenc Command-Encrypt User and Password Credentials to a File