ICT Questions&Answers

© 2014 IBM Corporation


IBM License Metric Tool 9.x & Software Use Analysis 9.x – Security

27th Questions & Answers Version 1.0.1

ICT: [email protected] Created by ILMT Central Team © 2014 IBM Corporation

This is the 27th Q&A event prepared by the IBM License Metric Tool Central Team (ICT)

Currently we focus on version 9.x of IBM License Metric Tool (ILMT)

The content of today’s session also applies to Software Use Analysis (SUA) in version 9.x

The session is for all ILMT users: IBMers, Business Partners and Customers

The teleconference is set to mute. Use the web conference chat to communicate with the ILMT subject matter experts

The presentation is recorded and will be available to watch on the ILMT YouTube channel as well as to download from the ILMT Wiki soon


[email protected]

https://ibm.biz/ILMT_Forum

https://ibm.biz/ILMT_Wiki

https://ibm.biz/ILMT_YouTube

https://ibm.biz/ILMT_Twitter

https://ibm.biz/ILMT_LinkedIn


Flow of data

Configuring secure communication

Federal Information Processing Standard (FIPS): Standard 140-2, Recommendation SP 800-131

Managing a certificate: existing certificate authority (CA), private certificate authority

Authenticating users with Lightweight Directory Access Protocol (LDAP)

Demo

Questions & Answers

Survey


Security Requirements: http://www-01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Adm/c_security_requirements.html

Security Configuration Scenarios: http://www-01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Adm/c_scenarios_sha2_installation.html

Client Authentication: http://www-01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Console/ClientAuthentication.html%23ClientAuthentication

Managing Client Encryption: http://www-01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Config/c_managing_client_encryption.html


A digital certificate is a signed public key that is accompanied by information about the key owner

The public key always has a private key that is associated with it

The License Metric Tool server can use SSL if the server possesses both the certificate and the private key that is associated with it

Security of your access to the web console of License Metric Tool depends on the security of the digital certificate, and its private key, that the server uses for protecting the communication

By default, SSL is enabled on the server. However, the initial configuration is based on a temporary self-signed certificate and is not intended to be used in the production environment

The initial certificate should be replaced with a server certificate that is signed by a certificate authority (CA) that you trust


Federal Information Processing Standards (FIPS) are standards and guidelines that are issued by the National Institute of Standards and Technology (NIST) for federal government computer systems

You can configure License Metric Tool to be compliant with the Federal Information Processing Standard requirements that are related to encryption


http://csrc.nist.gov/


FIPS 140-2 is the standard that defines the security requirements for cryptographic modules that are used within a system that handles sensitive but unclassified information

Compliance with FIPS 140-2 has two aspects that affect ILMT: the algorithms that are used to manage sensitive data must be FIPS-approved, and a FIPS-approved implementation must be used when data is transmitted with SSL/TLS


http://csrc.nist.gov/publications/PubsFIPS.html


IBM License Metric Tool 9.0 uses the FIPS 140-2 approved cryptographic providers for cryptography: IBMJCEFIPS (certificate 376), IBMJSSEFIPS (certificate 409), IBM Crypto for C (ICC) (certificate 384)


http://csrc.nist.gov/publications/PubsFIPS.html


At the start of the 21st century, the National Institute of Standards and Technology (NIST) began the task of providing cryptographic key management guidance, which includes defining and implementing appropriate key management procedures, using algorithms that adequately protect sensitive information, and planning ahead for possible changes in the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques

NIST Special Publication (SP) 800-57, Part 1 was the first document produced in this effort, and includes a general approach for transitioning from one algorithm or key length to another

This Recommendation (SP 800-131A) provides more specific guidance for transitions to the use of stronger cryptographic keys and more robust algorithms


http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf

http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf


SP 800-131 requires longer key lengths and stronger cryptography

The SP 800-131 specification also provides a transition configuration to enable users to move to a strict enforcement of SP 800-131

The transition configuration also enables users to run with a mixture of settings from both FIPS140-2 and SP 800-131

SP 800-131 can be run in two modes: transition and strict

The transition mode is offered to give you a setting to move your environment to SP 800-131 strict mode

In transition mode, it is optional to use the SP800-131 required certificates and to set the protocol to SP 800-131


The following requirements must be fulfilled to allow for the strict enforcement of SP 800-131:

The use of the TLS version 1.2 protocol for the Secure Sockets Layer (SSL) context

Certificates must have a minimum length of 2048 bytes. An Elliptic Curve (EC) certificate requires a minimum size of 244-bit curves

Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512. Valid signature algorithms include: SHA256 with RSA, SHA384 with RSA, SHA512 with RSA, SHA256 with ECDSA, SHA384 with ECDSA, SHA512 with ECDSA

SP 800-131 approved cipher suites


The IBM License Metric Tool profile can be set up to meet the SP 800-131 requirement that originates from the National Institute of Standards and Technology

You can configure License Metric Tool to run in SP 800-131 strict or transition mode


When you configure security settings, ensure that the combination of security modes that you set up on the side of Endpoint Manager and License Metric Tool is supported

Legend: ✓ - the mode is enabled; ANY - the mode is either enabled or disabled


The self-signed certificate that is provided with License Metric Tool is not intended to be used in the production environment

Replace it with a certificate that is signed by a certificate authority (CA) of your choice

To have a certificate, you need to generate a private key, a public key, and a certificate signing request (CSR) that is associated with the public key

Next, a certificate authority must sign this request. There are two ways to get a certificate signing request signed: send it to an existing certificate authority (e.g. Entrust, Verisign, or the CA of your organization), or create a private CA


Existing certificate authority (CA): You can use an existing CA to sign your certificate signing request (CSR). The root certificates of popular CAs are imported into new web browsers by default

Private certificate authority: You can create a private CA and use it for signing the CSR. A private CA can be created on any computer with an operating system that supports OpenSSL
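The private-CA route described above, together with the certificate rules from the strict SP 800-131 requirements, as an added example (not IBM's or the ILMT Central Team's procedure). It assumes OpenSSL 1.1.1 or later with its default configuration; the file names, subject names and the host `ilmt.example.test` are constructed, the check covers RSA certificates only, and importing the result into License Metric Tool is not shown.

```sh
#!/bin/sh
# Added example: private CA -> CSR -> signed server certificate, then a check.
# -nodes leaves private keys unencrypted on disk: restrict access to the directory.

# Create the private CA: a key plus a self-signed CA certificate.
make_private_ca() {   # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Generate the server key pair and the CSR tied to its public key.
make_csr() {          # $1 = working directory, $2 = server host name
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
}

# Sign the CSR with the private CA, then confirm the chain validates.
sign_csr() {          # $1 = working directory
    openssl x509 -req -in "$1/server.csr" -sha256 -days 365 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/server.crt" 2>/dev/null &&
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null
}

# Return 0 only for an RSA certificate whose key is at least 2048 bits
# (as reported by openssl) and whose signature uses SHA-256/384/512.
check_cert() {        # $1 = PEM certificate file
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$sig" in
        sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) ;;
        *) echo "FAIL $1: signature algorithm '$sig'"; return 1 ;;
    esac
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "FAIL $1: RSA key size '$bits'"; return 1
    fi
    echo "OK $1: $bits-bit RSA, $sig"
}

# Run the whole workflow in a throwaway directory.
demo() {
    dir=$(mktemp -d) || return 1
    make_private_ca "$dir" && make_csr "$dir" ilmt.example.test &&
        sign_csr "$dir" && check_cert "$dir/server.crt"
    rc=$?; rm -rf "$dir"; return $rc
}
demo
```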


Lightweight Directory Access Protocol (LDAP) is a set of client/server protocols for accessing and managing information directories

LDAP supports TCP/IP protocol for communication and uses simple string formats for data transfer

LDAP is cross-platform and standards-based, therefore applications do not need to worry about the type of server hosting the directory

LDAP is a simplified variation of X.500 Directory Access Protocol


IBM® License Metric Tool (ILMT) 9.0 supports authentication through a Lightweight Directory Access Protocol (LDAP) server

ILMT server configuration consists of a few steps: creation of a directory that the application would link to; creation of a user that would link to the created directory; users' integration with ILMT using the LDAP protocol; integrating users with Web Reports
