SSL settings in Internet Service Monitoring

Internet Service Monitoring uses OpenSSL to communicate securely with typically remote internet services using various monitors, for example, the HTTPS monitor communicates with a secured HTTPD. Internet Service Monitoring also uses OpenSSL between the monitors and the Databridge and between the Internet Service Monitoring agent (KIS) and the Databridge. Specify the cipher suite that your application uses in the SSLCipherSuite property.

The Databridge should be configured to securely communicate with the monitors and the Internet Service Monitoring agent, so that every monitor shares a common set of Databridge-related properties to manage secure communication with the Databridge. Some monitors also share a similar, but different set of related properties to manage secure communication with their respective internet services under test.

The following monitors support monitoring of secured internet services:

  • HTTPS
  • IMAP4
  • LDAP
  • POP3
  • SIP
  • SMTP
  • SOAP

These monitors use certificates. All certificates are stored in X509 format in Privacy Enhanced Mail .pem files in $ISMHOME/certificates. The certificate for the Databridge is also stored in the same location. For this reason, the following properties are shared by all monitors, the Databridge, and the Internet Service Monitoring agent:

  • SSLTrustStore (Default: $ISMHOME/certificates/trust.pem)
  • SSLTrustStorePath (Default: $ISMHOME/certificates/)

As all communication between monitors and the Databridge, and between selected monitors and their secured internet services are built on the same version of OpenSSL, they share characteristics. For example, the highest level of security Internet Service Monitoring can provide is a function of the highest level provided by the underlying OpenSSL. The lowest level of security provided is similarly dependent on the underlying OpenSSL.

If Internet Service Monitoring is updated, and that update includes an update to the underlying OpenSSL, the internet services being monitored could be impacted. For example:

  1. HTTPS monitor in Internet Service Monitoring V7.x.1 is monitoring a secured HTTPD server.
  2. You apply a new version of Internet Service Monitoring which contains an updated version of OpenSSL, which means the HTTPS monitor is now V7.x.2.
  3. You notice that the HTTPS monitor is now failing to monitor the secured HTTPD.

Here, the security level of the HTTPD server is less than the minimum supported by the newly updated Internet Service Monitoring V7.x.2. Even though the configuration of the HTTPS monitor has not changed, its behavior has, because it is dependent on the underlying OpenSSL layer. The newer Internet Service Monitoring/HTTPS Monitor/OpenSSL combination is more secure than the old combination, and you now you need to raise the security level of the remote HTTPD server.

Monitoring secured internet services presents you with a dilemma. Should the security level of Internet Service Monitoring be so low that it can monitor weakly protected internet services; or should it be as high as the minimum currently recommended settings? If the former is selected, then a weakened Internet Service Monitoring could compromise security, possibly at both ends.

The same version of OpenSSL is used by all monitors. All of these monitors share a common set of monitor properties for configuring the underlying OpenSSL, which are described in the following table.

Table 1. OpenSSL related monitor properties and command-line options
Property name Property parameter Command-line option Description
SSLCipherSuite string -sslciphersuite Specifies the cipher suites to use for SSL operations between the monitor and the internet service being monitored. Values for this property should be in the form recommended by OpenSSL.

Default: AES:3DES:DES:!EXP:!DHE:!EDH
SSLDisableSSLv2 0|1 -ssldisablesslv2 Determines which type of secure connection to make when monitoring a secured internet service.
  • 0 – SSLv2 is allowed
  • 1 – SSLv2 is NOT allowed

Default: 1 (SSLv2 NOT allowed).
SSLDisableSSLv3 0|1 -ssldisablesslv3 Determines which type of secure connection to make when monitoring a secured internet service.
  • 0 – SSLv3 is allowed
  • 1 – SSLv3 is NOT allowed

Default: 1 (SSLv3 NOT allowed).
SSLDisableTLS 0|1 -ssldisabletls Determines which type of secure connection to make when monitoring a secured internet service.
  • 0 – TLSv1.0 is allowed
  • 1 – TLSv1.0 is NOT allowed

Default: 0 (TLSv1.0 is allowed).
SSLDisableTLS11 0|1 -ssldisabletls11 Determines which type of secure connection to make when monitoring a secured internet service.
  • 0 – TLSv1.1 is allowed
  • 1 – TLSv1.1 is NOT allowed

Default: 0 (TLSv1.1 is allowed).
SSLDisableTLS12 0|1 -ssldisabletls12 Determines which type of secure connection to make when monitoring a secured internet service.
  • 0 – TLSv1.2 is allowed
  • 1 – TLSv1.2 is NOT allowed

Default: 0 (TLSv1.2 is allowed).
SSLCertificateFile string -sslcertificatefile The path and filename of the public digital certificate file used by the monitor. When a monitor attempts to set up a secured connection to an internet service, the latter may optionally request that the monitor provide its client side certificate, allowing the internet service to verify the monitor or client (client side certificate verification).

The certificate must be in Privacy Enhanced Mail (PEM) format.

For the HTTPS monitor, this value can be specified for each HTTPS element at creation time. However, if the HTTPS monitor is going to use the same certificate for all elements, the value in the HTTPS.props file is used.

For IMAP, LDAP, POP3, SIP, SMTP and SOAP monitors, the value is set monitor wide.

If the path is not absolute, the monitor interprets it relative to the working directory, $ISMHOME/certificates.

Default: “”
SSLKeyFile string -sslkeyfile The path and filename of the file containing the private key used by the monitor. The monitor uses this file to encrypt messages it sends to others. The receivers use the monitor’s public digital certificate to decrypt the message.

Default: monitoryKey.pem
SSLKeyPassword string -sslkeypassword

The password used to encrypt the SSL private key.

Default: “”
SSLTrustStoreFile string -ssltruststorefile The fully qualified name of the file that stores all the X509 public certificates of the internet services that are being monitored, as a concatenated list.

Revoked certificates (CRLs) are also stored here as a concatenated list.

The Databridge can also store its public certificate here. This property appears in the bridge.props file.

Certificates are stored in Privacy Enhanced Mail (PEM) format. Convert certificates obtained in other formats to PEM format using OpenSSL software available from http://www.openssl.org.

Default: “$ISMHOME/certificates/trust.pem”
SSLTrustStorePath string -ssltruststorepath The location of the .pem files containing the X509 certificates of the secure internet service being monitored.

Revoked certificates (CRLs) are also stored here.

The Databridge can also store its public certificate here. This property appears in the bridge.props file.

If new certificates are added to this directory, run the openssl rehash command to scan the directory and calculate a hash for each certificate.

If both SSLTrustStoreFile and SSLTrustStorePath properties are used, OpenSSL uses both properties to locate trusted certificates.

Default: “$ISMHOME/certificates/”

 
VerifyCertificate
Preference
 0|1 
-verifycertificate
preference
 Enables or Disables the verification of the certificate provided by the internet service being monitored against the certificate revocation list (CRL).

Default: 0 - disabled

Cipher suites

The cipher suites available to the Internet Service Monitoring are a subset of those allowed by OpenSSL. The set of cipher suites allowed by OpenSSL changes over time. As new vulnerabilities are discovered and best practices evolve, access to specific or general types of cipher suites may be restricted or removed entirely by OpenSSL. As these later versions of OpenSSL are included in later versions of the ISM, there is a flow on effect which may impact the configuration and operation of the monitors.

Use the SSLCipherSuite monitor-wide property to specify the cipher suites allowed by a monitor from all the ciphers suites available using keywords. To specify multiple suites, use a colon separated list of keywords. For example, the default SSLCipherSuite property is AES:3DES:DES:!EXP:!DHE:!EDH. This selection means that cipher suites that include AES, 3DES, and DES are allowed, but excludes any cipher suites that use EXP (Export (short key lengths)), DHE (Diffie Hellman Exchange), or EDH (Ephemeral Diffie Hellman) key exchanges. Additionally, when the secure connection is made between the monitor and the internet service, AES is used first, followed by 3DES, then DES if necessary. The syntax for the cipher suite lists for Internet Service Monitoring are the same as for OpenSSL.

To pick the correct set of cipher suites for a monitor, consider what the underlying OpenSSL supports, the range of ciphers that the internet service being monitored supports, and the security standards of your organization. You may not be able to monitor a secure external site that has a level of security below that which Internet Service Monitoring or OpenSSL will tolerate. In some cases, a monitor that was once able to monitor an internet service, may fail after upgrading Internet Service Monitoring because the security levels are incompatible.

The following table lists a subset of cipher suites equivalent to the default value for SSLCiperSuite of AES:3DES:DES:!EXP:!DHE:!EDH with their properties. In the table, you will see the following terms:

  • Cipher Suite Name - describes the cipher suite used using a name constructed from keywords.
  • Protocol - describes the version of the protocol supported.
  • Key Exchange - describes the key exchange system used for encryption and decryption.
  • Encryption & Key Length - describes the type of encryption algorithm used and the length of the key (in bits) used.
  • MAC - describes the Message Authentication Code used to ensure that the data has not been tampered with.
Table 2. Cipher suite name and property values AES:3DES:DES:!EXP:!DHE:!EDH
Cipher Suite Name Protocol Key Exchange Authentication Encryption & Key Length Message Authentication Code
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH RSA AESGCM(256) AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 ECDH ECDSA AESGCM(256) AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH RSA AES(256) SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 ECDH ECDSA AES(256) SHA384
ECDHE-RSA-AES256-SHA SSLv3 ECDH RSA AES(256) SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 ECDH ECDSA AES(256) SHA1
SRP-DSS-AES-256-CBC-SHA SSLv3 SRP DSS AES(256) SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 SRP RSA AES(256) SHA1
SRP-AES-256-CBC-SHA SSLv3 SRP SRP AES(256) SHA1
DH-DSS-AES256-GCM-SHA384 TLSv1.2 DH/DSS DH AESGCM(256) AEAD
…followed by 61 more rows

The following table lists a subset of cipher suites equivalent to the value for SSLCiperSuite of AES:3DES:DES:!EXP:!DHE:!EDH:!SSLv2:!SSLv3 with their properties. Some protocols are now eliminated and the overall set of cipher suites has been reduced from 71 to 31.

Table 3. Cipher suite name and property values AES:3DES:DES:!EXP:!DHE:!EDH:!SSLv2:!SSLv3
Cipher Suite Name Protocol Key Exchange Authentication Encryption & Key Length Message Authentication Code
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 ECDH ECDSA AESGCM(256) AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH RSA AES(256) SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 ECDH ECDSA AES(256) SHA384
DH-DSS-AES256-GCM-SHA384 TLSv1.2 DH/DSS DH AESGCM(256) AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 DH/RSA DH AESGCM(256) AEAD
DH-RSA-AES256-SHA256 TLSv1.2 DH/RSA DH AES(256) SHA256
DH-DSS-AES256-SHA256 TLSv1.2 DH/DSS DH AES(256) SHA256
ADH-AES256-GCM-SHA384 TLSv1.2 DH None AESGCM(256) AEAD
ADH-AES256-SHA256 TLSv1.2 DH None AES(256) SHA256
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH/RSA ECDH AESGCM(256) AEAD
…followed by 21 more rows

Reducing vulnerability

In future releases, the DHE and EDH ciphers will be disabled by default because of vulnerabilities. For previous versions of Internet Service Monitoring, you may need to disable the DHE and EDH ciphers in all monitors. To disable the DHE and EDH ciphers, update the SSLCipherSuite and BridgeSSLCipherSet monitor properties.

For example, to disable DHE and EDH ciphers in the HTTPS monitor, update the https.props file to include the following properties: 
SSLCipherSuite: AES:3DES:DES:!DES-CBC-SHA:!EXP:!DHE:!EDH  
BridgeSSLCipherSet: AES:3DES:DES:!DES-CBC-SHA:!EXP:!DHE:!EDH
Ensure that you verify that this configuration change does not cause any compatibility issues. If you change the default setting after applying this fix, you may expose yourself to a security vulnerability. You should review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions.

Protocol selection

You can select from a range of historic and current secure communication protocols. They can be individually selected using a set of boolean monitor properties:

  • SSLDisableSSLv2
  • SSLDisableSSLv3
  • SSLDisableTLS
  • SSLDisableTLS11
  • SSLDisableTLS12
  • BridgeSSLDisableSSLv2
  • BridgeSSLDisableSSLv3

You should disable SSLv2 and SSLv3. These protocols have been compromised and have several known vulnerabilities. They are disabled by default and are only provided for legacy purposes.

Internet Service Monitoringenables TLS by default. If you know that the internet services you are monitoring are not using TLS 1.0 and have already uplifted to TLS 1.1 or TLS 1.2, you should disable the unused protocols in Internet Service Monitoring.

The Databridge component communicates with the Internet Service Monitoringagent and with each of the monitors. By default, this communication is encrypted and TLS is the preferred protocol.

Key trust stores and certificates

Internet Service Monitoring stores its certificates in a user-defined file in a user-defined location. All certificates must be stored in Privacy Enhanced Mail (PEM) format. Ensure that public certificates obtained from other organizations are converted to PEM format. Conversion software is available at http://www.openssl.org.

Trusted certificates specified using the SSLTrustStoreFile property are stored in the file as a concatenated list.

It is good practice to store Certificate Revocation Lists (CRLs) in the trust store, against which certificates can be validated. Certificate Authorities have systems in place to generate lists of revoked certificates and have distribution systems in place to make them publically available. Then if a certificate is compromised, it will be revoked.

Databridge security settings

All monitors communicate with the Databridge, so all monitors have a common set of properties that should be set to manage communication between the monitors and the Databridge. By default, communication is encrypted. The default encryption protocol is TLS. Unlike monitor properties, there is no mechanism to control if a particular version of TLS is enabled or disabled. All the monitors should have the same values for the Databridge properties, otherwise there will be communication issues. Similarly, the properties set in the Databridge .props file should be consistent with those in the monitors. The Databridge also communicates with the Internet Service Monitoring agent which has its own .props file. Some of the values in the agent .props are Databridge-related and like monitors, must have values that are consistent with those in the Databridge .props file.

Table 4. OpenSSL related Databridge properties and command-line options
Property name Property parameter Command-line option Description
BridgeSSLEncryption 0|1 -bridgesslencryption
Determines whether communication with the Databridge is encrypted or not. This covers all communication from Databridge to Monitors and Internet Service Monitoring agent.
  • 0 – not encrypted
  • 1 – encrypted
Restriction: Set the same value on the Internet Service Monitoring agent, all monitors, and the Databridge.
BridgeSSLCipherSet string -bridgesslcipherset Specifies the cipher suites to use for SSL operations to and from the Databridge. Values for this property should be in the form recommended by OpenSSL.
Restriction: Set the same value on the Internet Service Monitoring agent, all monitors, and the Databridge.

Default: AES:3DES:DES:!EXP:!DHE:!EDH
BridgeSSLDisableSSLv2 0|1 -bridgesslcipherset Determines which type of secure connection to make to and from the Databridge.
  • 0 – SSLv2 and SSLv3 are allowed
  • 1 – SSLv2 is NOT allowed
Restriction: Set the same value on the Internet Service Monitoring agent, all monitors, and the Databridge.

Default: 1 (SSLv2 NOT allowed).
BridgeSSLDisableSSLv3 0|1 -bridgessldisablesslv3 Determines which type of secure connection to make to and from the Databridge.
  • 0 – SSLv3 is allowed
  • 1 – SSLv3 is NOT allowed
Restriction: Set the same value on the Internet Service Monitoring agent, all monitors, and the Databridge.

Default: 1 (SSLv3 NOT allowed).
BridgeSSLCertificateFile string -bridgesslcertificatefile The path and filename of the digital Databridge SSL certificate.

Default: $ISMHOME/certificates/bridgeCert.pem
BridgeSSLKeyFile string -bridgesslkeyfile The path and filename of the Databridge SSL private key file.

Default: $ISMHOME/certificates/bridgeKey.pem
BridgeSSLKeyPassword string -bridgesslkeypassword

The password used to encrypt the Databridge SSL private key.

Default: Tivoli
BridgeSSLTrustStore string -bridgessltruststore

The path and file name of the Trusted certificate file for authentication. This is only required when using the BridgeSSLAuthenticatePeer property.

Default: $ISMHOME/certificates/trust.pem

If you want to configure SSL authentication between a monitor and Databridge, or between the Databridge and the agent, set BridgeSSLAuthenticatePeer to 1 and restart the Databridge. This action authenticates the certificates from the server. You can store certificates in both the SSLTrustStoreFile and the SSLTrustStorePath.

Defaults:

  • SSLTrustStoreFile, $ISMHOME/certificates/trust.pem
  • SSLTrustStorePath, $ISMHOME/certificates/

To add new certificates, complete one of the following steps:

  • Add a certificate to the end of the list in the SSLTrustStoreFile text file
  • Add a new certificate to the SSLTrustStorePath directory, and run the OpenSSL c_rehash certificate_dir command to hash the certificates
SSLTrustStoreFile string -ssltruststorefile This property is used by secure monitors and the Databridge. See Table 1 for more information.
SSLTrustStorePath string -ssltruststorepath This property is used by secure monitors and the Databridge. See Table 1 for more information.
BridgeSSLAuthenticatePeer 0|1 -bridgesslauthenticatepeer
Specifies whether the Databridge should cross-authenticate with other Internet Service Monitoring components.
  • 0 – disabled
  • 1 – enabled

If a monitor contacts the Databridge, it must authenticate with the Databridge, and the Databridge must authenticate with the monitor.

If the Internet Service Monitoringagent contacts the Databridge, it must authenticate with the Databridge, and the Databridge must authenticate with the agent.

Certificates for the Databridge are stored in the BridgeSSLTrustStore.

Default: 0 - disabled

Internet Service Monitoring agent properties

The Internet Service Monitoring agent has its own properties file which contains a set of security properties and settings. The agent properties file does not communicate with the monitors, but it does communicate with the Databridge, so the security settings in the agent's .props file manage communication between the agent and the Databridge.

Parent topic: Appendixes