IBM Sterling Control Center- Security Best Practices
This section provides information on IBM Sterling Control Center- Security Best Practices.
Security Best Practices
Following are the security best practices to secure IBM Sterling Control Center v6.2.1:
- Upgrade to the latest Control Center version to keep up with the security fixes (including JRE security fixes).
- Use the CC_java.security file to customize JRE settings instead of using the default java.security file. For more information, refer to Customizing properties in the Java Master Security file.
- Do not use the default 'cacerts' file as a trust store. For more information, refer to Configuring keystore and truststore files.
- Configure Control Center to run with NIST SP800-131a strict mode to enforce TLS 1.2 for all secure connections.
- Ensure that all the servers that Control Center connects to using a secure connection can support TLS 1.2 before enabling the strict mode. For more information, refer to Support for National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a.
- Use certificate-based authentication to connect to the Connect:Direct Servers. For more information, refer to Certificate-based Authentication.
- Use TLS 1.2 protocol to connect to the Connect:Direct servers. For more information, refer to Adding a server.
- Use password authentication when connecting to the SMTP server. For more information, refer to Configuring SMTP settings for email messages.
- Use a password policy to enforce strong passwords. For more information, refer to Setting a password policy.
- Periodically change the Control Center users' passwords. For more information, refer to Changing an IBM Sterling Control Center Monitor password.
- Set up rules to generate alerts for security-related changes such as password changes. For more information, refer to Setting up rules.
- Periodically review the audit logs. For more information, refer to Audit Logs.
- Assign users to roles with the least permissions required. For more information, refer to Managing roles.
- Container: After creating the required secrets, either delete the input YAML file or restrict its permissions to owner-only access. For more information, refer to Creating secret file.
- Enable authentication for the event repository. For more information, refer to Enabling Authentication for Posting Events to the IBM Sterling Control Center Monitor Event Repository.
- Use secure connections to connect to a database server. For more information, refer to Creating a secure connection between the event processor and the database.
- Use a self-defined user key so that passwords are encrypted with your own key. For more information, refer to Securing the IBM Sterling Control Center Monitor root passphrase with a user key.
- Disable non-secure ports.
- Change the default web UI timeout value to meet your security needs. For more information, refer to Setting timeout value for the IBM Sterling Control Center Monitor web console.
- Configure the SEAS_CIPHER_SUITES system setting to use specific cipher suites for secure connection with SEAS (Sterling External Authentication Server). For more information, refer to engine.properties properties.
- A Kerberos-based connection can be used to connect to the Oracle database server if the Oracle server is configured to support Kerberos. For more information, refer to IBM Sterling Control Center support to use Kerberos based authentication with Oracle database server.
- Configure Control Center to use SEAS to enable external authentication for Control Center users. For more information, refer to Setting up external authentication for users.
- Container: Follow your container environment's (such as OpenShift) security best practices.
- Use CA-signed certificates. For more information, refer to Configuring keystore and truststore files.
- For ease of use, particularly when using certificate-based authentication for Connect:Direct in a multi-EP environment, use a common certificate on each EP, with Subject Alternative Name (SAN) defined for each host in the cluster.
- Set up Control Center rules to generate alerts for certificate expiry in advance. For more information, refer to How can I know when my Sterling Connect:Direct Secure Plus certificates are about to expire?
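Two items in the list above call for a check before anything is changed: strict mode must not be enabled until every server Control Center connects to can negotiate TLS 1.2, and certificate expiry should be caught well ahead of time. The following Python script is an added example, not part of IBM Sterling Control Center or its documentation; the host inventory, port numbers and the 30-day warning threshold are assumptions to be replaced with your own. It connects to each endpoint allowing only TLS 1.2, records the outcome and the certificate's notAfter date, and then reports whether strict mode is safe to enable and which certificates need attention.

```python
"""Pre-checks for the TLS 1.2 / strict-mode item and the certificate-expiry
item of the checklist. Added example code; not IBM's. Hosts, ports and the
warning threshold below are assumptions."""
import socket
import ssl
import time
from typing import Dict, List, Optional

WARN_DAYS = 30  # assumed alerting threshold for "expires soon"


def probe_tls12(host: str, port: int, timeout: float = 5.0) -> Dict:
    """Connect to host:port allowing TLS 1.2 only and report the outcome.

    Certificate validation stays enabled on purpose: a server whose certificate
    the local trust store rejects is not ready for strict mode either.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    result = {"host": host, "port": port, "tls12": False, "not_after": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls12"] = tls.version() == "TLSv1.2"
                cert = tls.getpeercert()  # dict form; 'notAfter' like 'Jan 15 09:30:00 2030 GMT'
                result["not_after"] = cert.get("notAfter") if cert else None
    except (OSError, ssl.SSLError) as exc:
        result["error"] = str(exc)
    return result


def cert_expiry_epoch(not_after: str) -> int:
    """Seconds since the epoch for a notAfter string as returned by getpeercert()."""
    return ssl.cert_time_to_seconds(not_after)


def days_until_expiry(not_after: str, now_epoch: Optional[int] = None) -> int:
    """Whole days remaining (negative once expired)."""
    now = int(time.time()) if now_epoch is None else now_epoch
    return (cert_expiry_epoch(not_after) - now) // 86400


def strict_mode_ready(results: List[Dict]) -> bool:
    """Strict mode is safe only when every probed server negotiated TLS 1.2 cleanly."""
    return bool(results) and all(r["tls12"] and r["error"] is None for r in results)


def expiring_soon(results: List[Dict], now_epoch: Optional[int] = None,
                  warn_days: int = WARN_DAYS) -> List[str]:
    """Hosts whose certificate expires within warn_days: the ones an alert rule should cover."""
    return [r["host"] for r in results
            if r.get("not_after") and days_until_expiry(r["not_after"], now_epoch) <= warn_days]


if __name__ == "__main__":
    # Assumed inventory of endpoints Control Center connects to over TLS.
    targets = [("cd-node-1.example.internal", 1364), ("smtp.example.internal", 465)]
    results = [probe_tls12(h, p) for h, p in targets]
    for r in results:
        state = "TLS 1.2 OK" if r["tls12"] else "FAIL: %s" % r["error"]
        print("%s:%d  %s" % (r["host"], r["port"], state))
    print("strict mode ready:", strict_mode_ready(results))
    print("certificates expiring within %d days:" % WARN_DAYS, expiring_soon(results))
```

Run it from the event processor host so that the trust store and network path match what Control Center itself will use; a failure on any endpoint means that server needs fixing before strict mode is switched on.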