SSL settings in Internet Service Monitoring
Internet Service Monitoring uses OpenSSL to communicate securely with internet services, which are typically remote, through its monitors. For example, the HTTPS monitor communicates with a secured HTTPD. Internet Service Monitoring also uses OpenSSL between the monitors and the Databridge and between the Internet Service Monitoring agent (KIS) and the Databridge. Specify the cipher suite that your application uses in the SSLCipherSuite property.
The Databridge should be configured to securely communicate with the monitors and the Internet Service Monitoring agent, so that every monitor shares a common set of Databridge-related properties to manage secure communication with the Databridge. Some monitors also share a similar, but different set of related properties to manage secure communication with their respective internet services under test.
The following monitors support monitoring of secured internet services:
- HTTPS
- IMAP4
- LDAP
- POP3
- SIP
- SMTP
- SOAP
These monitors use certificates. All certificates are stored in X509 format in Privacy Enhanced Mail .pem files in $ISMHOME/certificates. The certificate for the Databridge is also stored in the same location. For this reason, the following properties are shared by all monitors, the Databridge, and the Internet Service Monitoring agent:
- SSLTrustStore (Default: $ISMHOME/certificates/trust.pem)
- SSLTrustStorePath (Default: $ISMHOME/certificates/)
As all communication between monitors and the Databridge, and between selected monitors and their secured internet services, is built on the same version of OpenSSL, these connections share characteristics. For example, the highest level of security Internet Service Monitoring can provide is a function of the highest level provided by the underlying OpenSSL. The lowest level of security provided is similarly dependent on the underlying OpenSSL.
If Internet Service Monitoring is updated, and that update includes an update to the underlying OpenSSL, the internet services being monitored could be impacted. For example:
- HTTPS monitor in Internet Service Monitoring V7.x.1 is monitoring a secured HTTPD server.
- You apply a new version of Internet Service Monitoring which contains an updated version of OpenSSL, which means the HTTPS monitor is now V7.x.2.
- You notice that the HTTPS monitor is now failing to monitor the secured HTTPD.
Here, the security level of the HTTPD server is less than the minimum supported by the newly updated Internet Service Monitoring V7.x.2. Even though the configuration of the HTTPS monitor has not changed, its behavior has, because it is dependent on the underlying OpenSSL layer. The newer Internet Service Monitoring/HTTPS Monitor/OpenSSL combination is more secure than the old combination, and you now need to raise the security level of the remote HTTPD server.
Monitoring secured internet services presents you with a dilemma. Should the security level of Internet Service Monitoring be so low that it can monitor weakly protected internet services; or should it be as high as the minimum currently recommended settings? If the former is selected, then a weakened Internet Service Monitoring could compromise security, possibly at both ends.
The same version of OpenSSL is used by all monitors. All of these monitors share a common set of monitor properties for configuring the underlying OpenSSL, which are described in the following table.
Property name | Property parameter | Command-line option | Description |
---|---|---|---|
SSLCipherSuite | string | -sslciphersuite | Specifies the cipher suites to use for SSL operations between the monitor and the internet service being monitored. Values for this property should be in the form recommended by OpenSSL. Default: AES:3DES:DES:!EXP:!DHE:!EDH |
SSLDisableSSLv2 | 0|1 | -ssldisablesslv2 | Determines which type of secure connection to make when monitoring a secured internet service. Default: 1 (SSLv2 NOT allowed). |
SSLDisableSSLv3 | 0|1 | -ssldisablesslv3 | Determines which type of secure connection to make when monitoring a secured internet service. Default: 1 (SSLv3 NOT allowed). |
SSLDisableTLS | 0|1 | -ssldisabletls | Determines which type of secure connection to make when monitoring a secured internet service. Default: 0 (TLSv1.0 is allowed). |
SSLDisableTLS11 | 0|1 | -ssldisabletls11 | Determines which type of secure connection to make when monitoring a secured internet service. Default: 0 (TLSv1.1 is allowed). |
SSLDisableTLS12 | 0|1 | -ssldisabletls12 | Determines which type of secure connection to make when monitoring a secured internet service. Default: 0 (TLSv1.2 is allowed). |
SSLCertificateFile | string | -sslcertificatefile | The path and filename of the public digital certificate file used by the monitor. When a monitor attempts to set up a secured connection to an internet service, the latter may optionally request that the monitor provide its client side certificate, allowing the internet service to verify the monitor or client (client side certificate verification). The certificate must be in Privacy Enhanced Mail (PEM) format. For the HTTPS monitor, this value can be specified for each HTTPS element at creation time. However, if the HTTPS monitor is going to use the same certificate for all elements, the value in the HTTPS.props file is used. For IMAP, LDAP, POP3, SIP, SMTP and SOAP monitors, the value is set monitor wide. If the path is not absolute, the monitor interprets it relative to the working directory, $ISMHOME/certificates. Default: “” |
SSLKeyFile | string | -sslkeyfile | The path and filename of the file containing the private key used by the monitor. The monitor uses this file to encrypt messages it sends to others. The receivers use the monitor’s public digital certificate to decrypt the message. Default: monitoryKey.pem |
SSLKeyPassword | string | -sslkeypassword | The password used to encrypt the SSL private key. Default: “” |
SSLTrustStoreFile | string | -ssltruststorefile | The fully qualified name of the file that stores all the X509 public certificates of the internet services that are being monitored, as a concatenated list. Revoked certificates (CRLs) are also stored here as a concatenated list. The Databridge can also store its public certificate here. This property appears in the bridge.props file. Certificates are stored in Privacy Enhanced Mail (PEM) format. Convert certificates obtained in other formats to PEM format using OpenSSL software available from http://www.openssl.org. Default: “$ISMHOME/certificates/trust.pem” |
SSLTrustStorePath | string | -ssltruststorepath | The location of the .pem files containing the X509 certificates of the secure internet service being monitored. Revoked certificates (CRLs) are also stored here. The Databridge can also store its public certificate here. This property appears in the bridge.props file. If new certificates are added to this directory, run the openssl rehash command to scan the directory and calculate a hash for each certificate. If both SSLTrustStoreFile and SSLTrustStorePath properties are used, OpenSSL uses both properties to locate trusted certificates. Default: “$ISMHOME/certificates/” |
| 0|1 | | Enables or disables the verification of the certificate provided by the internet service being monitored against the certificate revocation list (CRL). Default: 0 - disabled |
Cipher suites
The cipher suites available to Internet Service Monitoring are a subset of those allowed by OpenSSL. The set of cipher suites allowed by OpenSSL changes over time. As new vulnerabilities are discovered and best practices evolve, access to specific or general types of cipher suites may be restricted or removed entirely by OpenSSL. As these later versions of OpenSSL are included in later versions of the ISM, there is a flow-on effect which may impact the configuration and operation of the monitors.
Use the SSLCipherSuite monitor-wide property to specify, using keywords, which of the available cipher suites a monitor is allowed to use. To specify multiple suites, use a colon-separated list of keywords. For example, the default SSLCipherSuite property is AES:3DES:DES:!EXP:!DHE:!EDH. This selection means that cipher suites that include AES, 3DES, and DES are allowed, but excludes any cipher suites that use EXP (Export (short key lengths)), DHE (Diffie Hellman Exchange), or EDH (Ephemeral Diffie Hellman) key exchanges. Additionally, when the secure connection is made between the monitor and the internet service, AES is used first, followed by 3DES, then DES if necessary. The syntax for cipher suite lists in Internet Service Monitoring is the same as for OpenSSL.
To pick the correct set of cipher suites for a monitor, consider what the underlying OpenSSL supports, the range of ciphers that the internet service being monitored supports, and the security standards of your organization. You may not be able to monitor a secure external site that has a level of security below that which Internet Service Monitoring or OpenSSL will tolerate. In some cases, a monitor that was once able to monitor an internet service, may fail after upgrading Internet Service Monitoring because the security levels are incompatible.
The following table lists a subset of cipher suites equivalent to the default value for SSLCipherSuite of AES:3DES:DES:!EXP:!DHE:!EDH with their properties. In the table, you will see the following terms:
- Cipher Suite Name - describes the cipher suite used using a name constructed from keywords.
- Protocol - describes the version of the protocol supported.
- Key Exchange - describes the key exchange system used for encryption and decryption.
- Encryption & Key Length - describes the type of encryption algorithm used and the length of the key (in bits) used.
- MAC - describes the Message Authentication Code used to ensure that the data has not been tampered with.
Cipher Suite Name | Protocol | Key Exchange | Authentication | Encryption & Key Length | Message Authentication Code |
---|---|---|---|---|---|
ECDHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH | RSA | AESGCM(256) | AEAD |
ECDHE-ECDSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH | ECDSA | AESGCM(256) | AEAD |
ECDHE-RSA-AES256-SHA384 | TLSv1.2 | ECDH | RSA | AES(256) | SHA384 |
ECDHE-ECDSA-AES256-SHA384 | TLSv1.2 | ECDH | ECDSA | AES(256) | SHA384 |
ECDHE-RSA-AES256-SHA | SSLv3 | ECDH | RSA | AES(256) | SHA1 |
ECDHE-ECDSA-AES256-SHA | SSLv3 | ECDH | ECDSA | AES(256) | SHA1 |
SRP-DSS-AES-256-CBC-SHA | SSLv3 | SRP | DSS | AES(256) | SHA1 |
SRP-RSA-AES-256-CBC-SHA | SSLv3 | SRP | RSA | AES(256) | SHA1 |
SRP-AES-256-CBC-SHA | SSLv3 | SRP | SRP | AES(256) | SHA1 |
DH-DSS-AES256-GCM-SHA384 | TLSv1.2 | DH/DSS | DH | AESGCM(256) | AEAD |
…followed by 61 more rows |
The following table lists a subset of cipher suites equivalent to the value for SSLCipherSuite of AES:3DES:DES:!EXP:!DHE:!EDH:!SSLv2:!SSLv3 with their properties. Some protocols are now eliminated and the overall set of cipher suites has been reduced from 71 to 31.
Cipher Suite Name | Protocol | Key Exchange | Authentication | Encryption & Key Length | Message Authentication Code |
---|---|---|---|---|---|
ECDHE-ECDSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH | ECDSA | AESGCM(256) | AEAD |
ECDHE-RSA-AES256-SHA384 | TLSv1.2 | ECDH | RSA | AES(256) | SHA384 |
ECDHE-ECDSA-AES256-SHA384 | TLSv1.2 | ECDH | ECDSA | AES(256) | SHA384 |
DH-DSS-AES256-GCM-SHA384 | TLSv1.2 | DH/DSS | DH | AESGCM(256) | AEAD |
DH-RSA-AES256-GCM-SHA384 | TLSv1.2 | DH/RSA | DH | AESGCM(256) | AEAD |
DH-RSA-AES256-SHA256 | TLSv1.2 | DH/RSA | DH | AES(256) | SHA256 |
DH-DSS-AES256-SHA256 | TLSv1.2 | DH/DSS | DH | AES(256) | SHA256 |
ADH-AES256-GCM-SHA384 | TLSv1.2 | DH | None | AESGCM(256) | AEAD |
ADH-AES256-SHA256 | TLSv1.2 | DH | None | AES(256) | SHA256 |
ECDH-RSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH/RSA | ECDH | AESGCM(256) | AEAD |
…followed by 21 more rows |
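The tables above include ADH suites whose Authentication column is None, and the default string also admits DES and 3DES. The following added example (not part of the product documentation) audits an expanded cipher list for those cases. The function names are hypothetical, and the sample listing is constructed in the layout printed by openssl ciphers -v, using rows from the tables above plus two constructed DES/3DES rows.

```shell
#!/bin/sh
# Added example. Flags suites in `openssl ciphers -v` output that a monitor
# should not be allowed to negotiate. Each input line has the form:
#   NAME PROTOCOL Kx=<key exchange> Au=<authentication> Enc=<alg>(<bits>) Mac=<mac>
audit_ciphers() {
    awk '
    function add(tag) { why = (why == "" ? tag : why "," tag) }
    NF >= 6 {
        why = ""
        if ($4 == "Au=None")    add("no-server-authentication")  # anonymous DH
        if ($5 ~ /^Enc=DES\(/)  add("single-DES")                # 56-bit key
        if ($5 ~ /^Enc=3DES\(/) add("3DES")
        if (why != "") print $1, why
    }'
}

# Expand a cipher string with the locally installed OpenSSL and audit it.
# Not called below, so the script also runs where openssl is not installed.
audit_spec() {
    openssl ciphers -v "$1" | audit_ciphers
}

# Constructed sample in `openssl ciphers -v` layout (not captured output).
sample_cipher_listing() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DH-RSA-AES256-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA256
ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EOF
}

# Audit the constructed listing; prints one line per flagged suite.
sample_cipher_listing | audit_ciphers
```

To audit a real setting, call audit_spec with the configured SSLCipherSuite or BridgeSSLCipherSet value. The result reflects the OpenSSL that runs the command, which may differ from the version bundled with the monitors.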
Reducing vulnerability
In future releases, the DHE and EDH ciphers will be disabled by default because of vulnerabilities. For previous versions of Internet Service Monitoring, you may need to disable the DHE and EDH ciphers in all monitors. To disable the DHE and EDH ciphers, update the SSLCipherSuite and BridgeSSLCipherSet monitor properties.
SSLCipherSuite: AES:3DES:DES:!DES-CBC-SHA:!EXP:!DHE:!EDH
BridgeSSLCipherSet: AES:3DES:DES:!DES-CBC-SHA:!EXP:!DHE:!EDH
Ensure that you verify that this configuration change does not cause any compatibility issues. If you change the default setting after applying this fix, you may expose yourself to a security vulnerability. You should review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions.
Protocol selection
You can select from a range of historic and current secure communication protocols. They can be individually selected using a set of boolean monitor properties:
- SSLDisableSSLv2
- SSLDisableSSLv3
- SSLDisableTLS
- SSLDisableTLS11
- SSLDisableTLS12
- BridgeSSLDisableSSLv2
- BridgeSSLDisableSSLv3
You should disable SSLv2 and SSLv3. These protocols have been compromised and have several known vulnerabilities. They are disabled by default and are only provided for legacy purposes.
Internet Service Monitoring enables TLS by default. If you know that the internet services you are monitoring are not using TLS 1.0 and have already uplifted to TLS 1.1 or TLS 1.2, you should disable the unused protocols in Internet Service Monitoring.
The Databridge component communicates with the Internet Service Monitoring agent and with each of the monitors. By default, this communication is encrypted and TLS is the preferred protocol.
Key trust stores and certificates
Internet Service Monitoring stores its certificates in a user-defined file in a user-defined location. All certificates must be stored in Privacy Enhanced Mail (PEM) format. Ensure that public certificates obtained from other organizations are converted to PEM format. Conversion software is available at http://www.openssl.org.
Trusted certificates specified using the SSLTrustStoreFile property are stored in the file as a concatenated list.
It is good practice to store Certificate Revocation Lists (CRLs) in the trust store, against which certificates can be validated. Certificate Authorities have systems in place to generate lists of revoked certificates and have distribution systems in place to make them publicly available. Then if a certificate is compromised, it will be revoked.
Databridge security settings
All monitors communicate with the Databridge, so all monitors have a common set of properties that should be set to manage communication between the monitors and the Databridge. By default, communication is encrypted. The default encryption protocol is TLS. Unlike monitor properties, there is no mechanism to control if a particular version of TLS is enabled or disabled. All the monitors should have the same values for the Databridge properties, otherwise there will be communication issues. Similarly, the properties set in the Databridge .props file should be consistent with those in the monitors. The Databridge also communicates with the Internet Service Monitoring agent which has its own .props file. Some of the values in the agent .props are Databridge-related and like monitors, must have values that are consistent with those in the Databridge .props file.
Property name | Property parameter | Command-line option | Description |
---|---|---|---|
BridgeSSLEncryption | 0|1 | -bridgesslencryption | Determines whether communication with the Databridge is encrypted or not. This covers all communication from Databridge to Monitors and Internet Service Monitoring agent. Restriction: Set the same value on the Internet Service Monitoring agent, all monitors, and the Databridge. |
BridgeSSLCipherSet | string | -bridgesslcipherset | Specifies the cipher suites to use for SSL operations to and from the Databridge. Values for this property should be in the form recommended by OpenSSL. Restriction: Set the same value on the Internet Service Monitoring agent, all monitors, and the Databridge. Default: AES:3DES:DES:!EXP:!DHE:!EDH |
BridgeSSLDisableSSLv2 | 0|1 | -bridgesslcipherset | Determines which type of secure connection to make to and from the Databridge. Restriction: Set the same value on the Internet Service Monitoring agent, all monitors, and the Databridge. Default: 1 (SSLv2 NOT allowed). |
BridgeSSLDisableSSLv3 | 0|1 | -bridgessldisablesslv3 | Determines which type of secure connection to make to and from the Databridge. Restriction: Set the same value on the Internet Service Monitoring agent, all monitors, and the Databridge. Default: 1 (SSLv3 NOT allowed). |
BridgeSSLCertificateFile | string | -bridgesslcertificatefile | The path and filename of the digital Databridge SSL certificate. Default: $ISMHOME/certificates/bridgeCert.pem |
BridgeSSLKeyFile | string | -bridgesslkeyfile | The path and filename of the Databridge SSL private key file. Default: $ISMHOME/certificates/bridgeKey.pem |
BridgeSSLKeyPassword | string | -bridgesslkeypassword | The password used to encrypt the Databridge SSL private key. Default: Tivoli |
BridgeSSLTrustStore | string | -bridgessltruststore | The path and file name of the Trusted certificate file for authentication. This is only required when using the BridgeSSLAuthenticatePeer property. Default: $ISMHOME/certificates/trust.pem If you want to configure SSL authentication between a monitor and Databridge, or between the Databridge and the agent, set BridgeSSLAuthenticatePeer to 1 and restart the Databridge. This action authenticates the certificates from the server. You can store certificates in both the SSLTrustStoreFile and the SSLTrustStorePath. Defaults: To add new certificates, complete one of the following steps: |
SSLTrustStoreFile | string | -ssltruststorefile | This property is used by secure monitors and the Databridge. See Table 1 for more information. |
SSLTrustStorePath | string | -ssltruststorepath | This property is used by secure monitors and the Databridge. See Table 1 for more information. |
BridgeSSLAuthenticatePeer | 0|1 | -bridgesslauthenticatepeer | Specifies whether the Databridge should cross-authenticate with other Internet Service Monitoring components. If a monitor contacts the Databridge, it must authenticate with the Databridge, and the Databridge must authenticate with the monitor. If the Internet Service Monitoring agent contacts the Databridge, it must authenticate with the Databridge, and the Databridge must authenticate with the agent. Certificates for the Databridge are stored in the BridgeSSLTrustStore. Default: 0 - disabled |
Internet Service Monitoring agent properties
The Internet Service Monitoring agent has its own properties file which contains a set of security properties and settings. The agent does not communicate with the monitors, but it does communicate with the Databridge, so the security settings in the agent's .props file manage communication between the agent and the Databridge.
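The Databridge properties marked "Restriction: Set the same value" must match across the Databridge, every monitor and the agent. The following added example (not part of the product documentation) compares them across .props files. It assumes each property is written as a "Name: value" line, as in the SSLCipherSuite example earlier; the function names, the agent.props file name and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. Properties the table says must carry the same value on the
# agent, all monitors, and the Databridge.
SHARED_PROPS="BridgeSSLEncryption BridgeSSLCipherSet BridgeSSLDisableSSLv2 BridgeSSLDisableSSLv3"

# get_prop FILE NAME -> value of NAME, or "(unset)" if the file does not set it.
# Assumed format: "Name: value" lines, "#" comments, last occurrence wins.
get_prop() {
    awk -v name="$2" '
    /^[ \t]*#/ { next }
    {
        i = index($0, ":"); if (i == 0) next      # split on the FIRST colon only
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t"]+|[ \t"]+$/, "", val)
        if (key == name) { found = val; seen = 1 }
    }
    END { print (seen ? found : "(unset)") }' "$1"
}

# check_bridge_consistency BRIDGE_PROPS OTHER_PROPS...
# Prints one MISMATCH line per differing property; returns 1 if any differ.
# An unset property is compared literally, not replaced by its default.
check_bridge_consistency() {
    ref=$1; shift
    rc=0
    for prop in $SHARED_PROPS; do
        want=$(get_prop "$ref" "$prop")
        for f in "$@"; do
            got=$(get_prop "$f" "$prop")
            if [ "$got" != "$want" ]; then
                printf 'MISMATCH %s %s: "%s" (Databridge has "%s")\n' \
                    "$(basename "$f")" "$prop" "$got" "$want"
                rc=1
            fi
        done
    done
    return $rc
}

# write_props FILE CIPHERSET DISABLE_SSLV3 -> constructed sample file
write_props() {
    printf 'BridgeSSLEncryption: 1\nBridgeSSLCipherSet: %s\nBridgeSSLDisableSSLv2: 1\nBridgeSSLDisableSSLv3: %s\n' "$2" "$3" > "$1"
}

# Constructed scenario: the monitor kept the old cipher set and the agent
# re-enabled SSLv3, so both disagree with the Databridge.
run_demo() {
    d=$(mktemp -d)
    write_props "$d/bridge.props" 'AES:3DES:DES:!DES-CBC-SHA:!EXP:!DHE:!EDH' 1
    write_props "$d/HTTPS.props"  'AES:3DES:DES:!EXP:!DHE:!EDH' 1
    write_props "$d/agent.props"  'AES:3DES:DES:!DES-CBC-SHA:!EXP:!DHE:!EDH' 0
    check_bridge_consistency "$d/bridge.props" "$d/HTTPS.props" "$d/agent.props"
    status=$?
    rm -rf "$d"
    return $status
}

run_demo || true
```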