Encryption level information for SMAgent to SMP, SMP to SQL, and SMP to AD

Article ID: 150373

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

Question:

What levels of encryption are used for the following communication in 7.6 HF7 and later?

1. Agent to SMP

2. SMP to SQL

3. SMP to Active Directory (during AD import/sync)

Resolution

Answer:

1.    SMP/Agent communication:
       a.    Data received from the SMP. The following cryptographic primitives are used to protect the data:

  • AES-256 (symmetric encryption)
  • SHA-256 (hashing)
  • HMAC SHA-256 (message authentication / integrity)
  • RSA-2048 (asymmetric encryption and signatures)

    Note: RC4 ciphers have not been used since the ITMS 7.5 release.

       b.    Data sent to the SMP (NSEs). The same cryptographic primitives as in (a) are used.
       c.    Credentials received from the SMP. Different keys can be used to encrypt credentials: a legacy key may be 3DES, but normally AES-256 is used, together with SHA-256. Because 3DES is a legacy algorithm, confirm that the legacy key is no longer in use in your environment.
2.    SMP/SQL communication:
       a.    Can be encrypted by following Microsoft article ms189067 ("Enable Encrypted Connections to the Database Engine", which configures SQL Server with a TLS certificate) and then enabling the DbEncryptedConnection core setting on the SMP so that the SMP requests an encrypted connection. Note that the client only validates the server certificate when it is not configured to trust the server certificate blindly, so use a certificate the SMP trusts rather than a self-signed one.
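After enabling the DbEncryptedConnection core setting, a practitioner will want to confirm that the SMP's connections to SQL Server are actually encrypted rather than trusting the setting. The PowerShell below is an added example, not code from the original article or from the product: it opens a test connection with Encrypt=True and then queries sys.dm_exec_connections to show the encrypt_option of the current session and of every other TCP session (the second query needs VIEW SERVER STATE). The server name and database name are assumptions for a lab; Symantec_CMDB is the default SMP database name, adjust both to your environment.

```powershell
# Added example (not from the original article): verify SMP <-> SQL Server encryption.
$server   = 'SQLSERVER01'     # hypothetical SQL Server host - assumption
$database = 'Symantec_CMDB'   # default SMP database name - assumption, adjust as needed

# Encrypt=True requests TLS on the TDS stream; TrustServerCertificate=False makes the client
# validate the server certificate chain instead of accepting any certificate.
$connectionString = "Server=$server;Database=$database;Integrated Security=True;" +
                    "Encrypt=True;TrustServerCertificate=False"

$conn = New-Object System.Data.SqlClient.SqlConnection $connectionString
$conn.Open()
try {
    # 1) Is THIS session encrypted, and how did it authenticate (KERBEROS / NTLM / SQL)?
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @'
SELECT encrypt_option, auth_scheme, net_transport
FROM   sys.dm_exec_connections
WHERE  session_id = @@SPID
'@
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        [pscustomobject]@{
            Check         = 'Test session'
            EncryptOption = $reader['encrypt_option']   # expect TRUE
            AuthScheme    = $reader['auth_scheme']
            NetTransport  = $reader['net_transport']
        }
    }
    $reader.Close()

    # 2) List every TCP session that is NOT encrypted, with the client address.
    #    After DbEncryptedConnection is enabled, the SMP host should not appear here.
    #    Requires the VIEW SERVER STATE permission.
    $cmd.CommandText = @'
SELECT c.session_id, c.client_net_address, c.encrypt_option, s.program_name, s.login_name
FROM   sys.dm_exec_connections AS c
JOIN   sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE  c.net_transport = 'TCP' AND c.encrypt_option = 'FALSE'
'@
    $reader = $cmd.ExecuteReader()
    $unencrypted = @()
    while ($reader.Read()) {
        $unencrypted += [pscustomobject]@{
            Check         = 'Unencrypted session'
            SessionId     = $reader['session_id']
            ClientAddress = $reader['client_net_address']
            Program       = $reader['program_name']
            Login         = $reader['login_name']
        }
    }
    $reader.Close()

    if ($unencrypted.Count -eq 0) {
        'No unencrypted TCP sessions found.'
    } else {
        $unencrypted | Format-Table -AutoSize
    }
}
finally {
    $conn.Close()
}
```

Run this from the SMP server itself under the account the SMP uses for the database so the first query reflects the same path the product takes; if the SMP's own sessions appear in the second list, the core setting is not in effect for that connection.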
3.    SMP/Active Directory import and sync:
       a.    The 'Secure' flag (System.DirectoryServices AuthenticationTypes.Secure) is used for the AD connection. Microsoft .NET describes it as follows: "the WinNT provider uses NTLM to authenticate the client. Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client." Note that this flag governs how the client authenticates; in the .NET AuthenticationTypes enumeration, encryption and integrity protection of the LDAP traffic itself are requested separately through the Sealing and Signing flags (or by connecting over LDAPS).
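To make the difference between the flags concrete, the PowerShell below is an added example (not code from the original article or from the product): it binds to a domain controller with the same System.DirectoryServices.AuthenticationTypes flags the article refers to, first with Secure alone and then with Secure combined with Sealing and Signing, and reports whether each bind succeeds. The DC host name and naming context are assumptions for a lab.

```powershell
# Added example (not from the original article): compare AuthenticationTypes flags on an AD bind.
Add-Type -AssemblyName System.DirectoryServices

# Hypothetical domain controller and naming context - assumptions, adjust to your environment.
$ldapPath = 'LDAP://dc01.example.internal/DC=example,DC=internal'

# Secure (1): Kerberos, or NTLM as a fallback, is used to AUTHENTICATE the client.
# On its own it does not request encryption of the LDAP session.
$secureOnly = [System.DirectoryServices.AuthenticationTypes]::Secure

# Sealing (128) encrypts the LDAP traffic with Kerberos; Signing (64) adds integrity protection.
# Both require Secure to be set as well, hence the bitwise OR.
$secureSealed = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
                [System.DirectoryServices.AuthenticationTypes]::Sealing -bor
                [System.DirectoryServices.AuthenticationTypes]::Signing

function Test-AdBind {
    param(
        [string]$Path,
        [System.DirectoryServices.AuthenticationTypes]$AuthType
    )
    # $null user/password binds as the current Windows identity, as a service account would.
    $entry = New-Object System.DirectoryServices.DirectoryEntry($Path, $null, $null, $AuthType)
    try {
        # Reading a property forces the bind; a failed bind throws here.
        $dn = $entry.Properties['distinguishedName'].Value
        [pscustomobject]@{ AuthType = $AuthType; Result = 'bound'; BoundTo = $dn }
    }
    catch {
        [pscustomobject]@{ AuthType = $AuthType; Result = 'failed'; BoundTo = $_.Exception.Message }
    }
    finally {
        $entry.Dispose()
    }
}

# A DC that requires LDAP signing will reject the Secure-only simple path but accept the sealed one.
Test-AdBind -Path $ldapPath -AuthType $secureOnly
Test-AdBind -Path $ldapPath -AuthType $secureSealed
```

Whether the Secure-only bind is accepted depends on the domain controller's LDAP signing policy; the second bind is the one to use when you need the directory traffic itself protected in transit rather than only the authentication.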