Information is needed regarding the TLS versions and cipher suites utilized for the connection between the Secure Domain Connector (SDC) and Secure Domain Manager (SDM)
SYMPTOMS:
Questions regarding TLS 1.2 or 1.3 usage for the SDC to SDM link
Confusion over the ssl_enabled parameter in the sdc.rc file
CONTEXT: Security audits require verification of transport encryption protocols and ciphers.
IMPACT: Compliance tracking for secure communication across environments.
DX NetOps Spectrum: 24.3.x, 25.4.x
The ssl_enabled parameter in the sdc.rc file is primarily used to establish a secure or non-secure gRPC channel between SDM and SDC-NCM on port 14021. It does not dictate the TLS version or ciphers for the main SDC to SDM tunnel.
1. UNDERSTAND SDC AND SDM COMMUNICATION The connection between SDC and SDM relies on the third-party ETPKI library for secure socket communication. This library utilizes TLS 1.2. The supported ciphers and their preference order are determined by the ETPKI library and the underlying OpenSSL on the client and server during the handshake.
2. VERIFY SUPPORTED CIPHER SUITES The ETPKI library supports the following TLS suites:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
3. CONFIGURE ENCRYPTION WITH CUSTOM CERTIFICATES If you use custom certificates, add the following parameters to the sdc.config file to enable encryption:
-certpassword [password]: Sets the certificate password
-certdir [directory]: Specifies the certificate directory
4. TOGGLE SECURE TCP COMMUNICATION TCP communication between SDC and SDM can be toggled between secure and non-secure using the -nosecure parameter.
VERIFY SUCCESS:
SDM and SDC connect successfully using TLS 1.2