How to encrypt Harvest data

Article ID: 134271

Products

CA Harvest Software Change Manager; CA Harvest Software Change Manager - OpenMake Meister

Issue/Introduction

We need to ensure that:

1) password complexity standards are adhered to,

2) idle Oracle database connections are terminated, which means that Harvest will need to detect that the connection has been terminated and re-establish it, and

3) all data in transit is encrypted.

Cause

Data security requirements demand it

Environment

Release : 13.0.3

Component : CA HARVEST SCM CORE FUNCTIONALITY/PROCESS AUTOMATION

Resolution

Requirement #1 - Password complexity

Password complexity for LDAP-authenticated users is controlled by LDAP. 

For internally authenticated users, password complexity is set with the command line utilities hppolget and hppolset. hppolget retrieves the existing default password policy configuration file; any complexity rules you need can be added to that policy, and the policy is then applied with hppolset. For details on how to run these utilities, refer to the docops command line utility links below.

hppolget link: https://docops.ca.com/ca-harvest-scm/13-0/en/command-reference/get-started-with-ca-harvest-scm-commands/hppolget-command-get-password-policy 

hppolset link: https://docops.ca.com/ca-harvest-scm/13-0/en/command-reference/get-started-with-ca-harvest-scm-commands/hppolset-command-set-password-policy 


Requirement # 2 - Idle database connections terminated:

There is no provision to detect idle database connections on the Oracle side, but there is a provision on the Harvest side to detect an idle hserver and shut it down. Idle hservers can be set to shut down after a predetermined period of inactivity. Use the broker's -killperiod option to set the server idle time limit (the period of inactivity after which the broker shuts down "temporary" servers). For details, refer to the link below.

https://docops.ca.com/ca-harvest-scm/13-0/en/installing/configure-ca-harvest-scm/configure-broker-and-server-communication/configure-the-broker-and-server-communication-on-windows

Topic : How the Broker Manages Server Processes on Windows


Requirement #3 - all data in transit must be encrypted:

Existing Harvest Encryption enablement methods include:

  • FIPS Mode can be enabled for the SCM Server and the SCM Agent to encrypt data passed between the SCM Server (broker/hserver), the agent and the client components (Workbench, etc). There is a known issue related to this in the Release Notes: https://docops.ca.com/ca-harvest-scm/13-0/en/release-notes/known-issues#KnownIssues-LoginFailsforaFIPS-EnabledBrokerfromaComputerWithCASSA
  • CAPKI - This utility encrypts username and password when passing between clients (like Workbench) and the broker/hserver/agent
  • SSL and TLS can be used to further encrypt information passing between HServer and the LDAP server for userid/password authentication 
  • Encryption between Oracle/SQL Server database and SCM Broker/HServer is possible at the ODBC level. This encrypts the data between database and the server
  • Encryption between SCM Client, Agent and Server can be accomplished using a setting in the Rtclient.cm file called “Use_Encrypt_Server”. Initial testing shows that Harvest can work with this setting turned on, but extensive testing has not been done to evaluate the effect this would have on performance (response time for normal operations in Workbench, time to complete a check in or check out, etc)
  • With Harweb, HTTPS can be used to encrypt communication across the network between the Harweb server and the browser on the client machines.

Oracle database encryption on Windows:

If the server is on the Windows platform, refer to the article below.

https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=16934


Oracle database encryption on Non-windows:

On non-Windows platforms this is possible using the method described below.

The encryption methods available in the DataDirect ODBC drivers apply here.

Add EncryptionMethod=X to the data source entry in the odbc.ini file, where X is the encryption level.

Valid values: 0 | 1 | 3 | 4 | 5

If set to 0 (No Encryption), data is not encrypted.

If set to 1 (SSL), data is encrypted using SSL. If the server supports protocol negotiation, the driver and server negotiate the use of TLS v1, SSL v3, or SSL v2, in that order.

If set to 3 (SSL3), the driver uses SSL3 data encryption.

If set to 4 (SSL2), the driver uses SSL2 data encryption.

If set to 5 (TLS1), the driver uses TLS1 data encryption.

Default: 0 (No Encryption)
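The following script is an added example, not part of this article or of the Harvest or DataDirect products: it parses an odbc.ini file and reports, for each data source, which EncryptionMethod level is in effect, using the level meanings listed above. The sample odbc.ini is constructed for illustration (the data source names, host names and driver path are placeholders); only the EncryptionMethod values and their meanings come from the article. An absent EncryptionMethod key is reported as level 0, because that is the documented default.

```python
import configparser

# EncryptionMethod levels as listed in the article for the DataDirect ODBC driver.
ENCRYPTION_LEVELS = {
    "0": "No Encryption",
    "1": "SSL (negotiated: TLS v1, SSL v3, or SSL v2)",
    "3": "SSL3",
    "4": "SSL2",
    "5": "TLS1",
}

# 0 sends data in clear; 3 and 4 pin the driver to SSL3/SSL2, which are
# long-deprecated protocols. Level 1 can still downgrade to SSL3/SSL2 if the
# server allows it, so it is flagged separately for review rather than as weak.
WEAK_LEVELS = {"0", "3", "4"}
NEGOTIATED_LEVELS = {"1"}

# Constructed sample odbc.ini (placeholder names and paths, not from the article).
SAMPLE_ODBC_INI = """\
[ODBC Data Sources]
HarvestDB=DataDirect Oracle Wire Protocol
ReportsDB=DataDirect Oracle Wire Protocol
LegacyDB=DataDirect Oracle Wire Protocol

[HarvestDB]
Driver=/opt/datadirect/lib/ORACLE_DRIVER_PLACEHOLDER.so
HostName=oracle.example.internal
EncryptionMethod=5

[ReportsDB]
Driver=/opt/datadirect/lib/ORACLE_DRIVER_PLACEHOLDER.so
HostName=oracle.example.internal

[LegacyDB]
Driver=/opt/datadirect/lib/ORACLE_DRIVER_PLACEHOLDER.so
HostName=oracle.example.internal
EncryptionMethod=4
"""


def parse_odbc_ini(text):
    """Return {dsn_name: {key: value}} for every data source section in an odbc.ini."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as written (EncryptionMethod, not encryptionmethod)
    parser.read_string(text)
    sources = {}
    for section in parser.sections():
        if section == "ODBC Data Sources":
            continue  # this section only lists names, it carries no connection settings
        sources[section] = dict(parser.items(section))
    return sources


def audit_encryption(sources):
    """Classify each data source as ok / negotiated / weak / unknown by its EncryptionMethod."""
    findings = {}
    for dsn, settings in sources.items():
        level = settings.get("EncryptionMethod", "0").strip()  # missing key -> documented default 0
        if level not in ENCRYPTION_LEVELS:
            findings[dsn] = ("unknown", "unrecognised EncryptionMethod=%s" % level)
        elif level in WEAK_LEVELS:
            findings[dsn] = ("weak", ENCRYPTION_LEVELS[level])
        elif level in NEGOTIATED_LEVELS:
            findings[dsn] = ("negotiated", ENCRYPTION_LEVELS[level])
        else:
            findings[dsn] = ("ok", ENCRYPTION_LEVELS[level])
    return findings


def audit_file(path):
    """Convenience wrapper: audit a real odbc.ini on disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_encryption(parse_odbc_ini(fh.read()))


if __name__ == "__main__":
    # Run against the constructed sample; replace with audit_file("/etc/odbc.ini") for a real system.
    for dsn, (status, detail) in sorted(audit_encryption(parse_odbc_ini(SAMPLE_ODBC_INI)).items()):
        print("%-10s %-10s %s" % (dsn, status, detail))
```

Run it against the system odbc.ini that the Harvest broker/hserver uses; any data source reported as "weak" is carrying Oracle traffic unencrypted or over SSL2/SSL3, and any reported as "negotiated" should be confirmed against what the Oracle server actually accepts.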


The CAPKI option is automatic, the rest must be enabled and configured according to your needs.

Additional Information

Further details on the TLS versions supported by the DataDirect for ODBC driver:
TLS versions supported for encryption between Harvest and Oracle