IBM License Metric Tool 9.x & Software Use Analysis 9.x – Security
27th Questions & Answers Version 1.0.1
ICT: [email protected] Created by ILMT Central Team © 2014 IBM Corporation
This is the 27th Q&A event prepared by the IBM License Metric Tool Central Team (ICT)
Currently we focus on version 9.x of IBM License Metric Tool (ILMT)
The content of today’s session also applies to Software Use Analysis (SUA) in version 9.x
The session is for all ILMT users: IBMers, Business Partners and Customers
The teleconference is set to mute. Use the web conference chat to communicate with the ILMT subject matter experts
The presentation is recorded and will be available to watch on the ILMT YouTube channel as well as to download from the ILMT Wiki soon
https://ibm.biz/ILMT_Forum
https://ibm.biz/ILMT_Wiki
https://ibm.biz/ILMT_YouTube
https://ibm.biz/ILMT_Twitter
https://ibm.biz/ILMT_LinkedIn
Agenda
Flow of data
Configuring secure communication
Federal Information Processing Standard (FIPS) 140-2
Recommendation SP 800-131
Managing a certificate
Existing certificate authority (CA)
Private certificate authority
Authenticating users with Lightweight Directory Access Protocol (LDAP)
Demo
Questions & Answers
Survey
Security Requirements: http://www-01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Adm/c_security_requirements.html
Security Configuration Scenarios: http://www-01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Adm/c_scenarios_sha2_installation.html
Client Authentication: http://www-01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Console/ClientAuthentication.html%23ClientAuthentication
Managing Client Encryption: http://www-01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Config/c_managing_client_encryption.html
A digital certificate is a signed public key that is accompanied by information about the key owner
The public key always has a private key that is associated with it
The License Metric Tool server can use SSL only if it possesses both the certificate and the private key that is associated with it
The security of your access to the web console of License Metric Tool depends on the security of the digital certificate, and of its private key, that the server uses to protect the communication
By default, SSL is enabled on the server; however, the initial configuration is based on a temporary self-signed certificate and is not intended to be used in a production environment
The initial certificate should be replaced with a server certificate that is signed by a certificate authority (CA) that you trust
Federal Information Processing Standards (FIPS) are standards and guidelines that are issued by the National Institute of Standards and Technology (NIST) for federal government computer systems
You can configure License Metric Tool to be compliant with the Federal Information Processing Standard requirements that are related to encryption
http://csrc.nist.gov/
FIPS 140-2 is the standard that defines the security requirements for cryptographic modules that are used within a system that handles sensitive but unclassified information
Compliance with FIPS 140-2 has two aspects that affect ILMT:
the algorithms that are used to manage sensitive data must be FIPS-approved
a FIPS-approved implementation must be used when data is transmitted with SSL/TLS
http://csrc.nist.gov/publications/PubsFIPS.html
IBM License Metric Tool 9.0 uses the following FIPS 140-2 approved cryptographic providers for cryptography:
IBMJCEFIPS (certificate 376)
IBMJSSEFIPS (certificate 409)
IBM Crypto for C (ICC) (certificate 384)
http://csrc.nist.gov/publications/PubsFIPS.html
At the start of the 21st century, the National Institute of Standards and Technology (NIST) began the task of providing cryptographic key management guidance, which includes defining and implementing appropriate key management procedures, using algorithms that adequately protect sensitive information, and planning ahead for possible changes in the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques
NIST Special Publication (SP) 800-57, Part 1 was the first document produced in this effort, and includes a general approach for transitioning from one algorithm or key length to another
This Recommendation (SP 800-131A) provides more specific guidance for transitions to the use of stronger cryptographic keys and more robust algorithms
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
SP 800-131 requires longer key lengths and stronger cryptography
The SP 800-131 specification also provides a transition configuration to enable users to move to a strict enforcement of SP 800-131
The transition configuration also enables users to run with a mixture of settings from both FIPS140-2 and SP 800-131
SP 800-131 can be run in two modes: transition and strict
The transition mode is offered to give you a setting with which to move your environment to SP 800-131 strict mode
In transition mode, it is optional to use the certificates that SP 800-131 requires and to set the protocol to SP 800-131
The following requirements must be fulfilled to allow for the strict enforcement of SP 800-131:
The TLS version 1.2 protocol must be used for the Secure Sockets Layer (SSL) context
Certificates must have a minimum length of 2048 bytes; an Elliptic Curve (EC) certificate requires a minimum size of 244-bit curves
Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512; valid signature algorithms include SHA256 with RSA, SHA384 with RSA, SHA512 with RSA, SHA256 with ECDSA, SHA384 with ECDSA, and SHA512 with ECDSA
SP 800-131 approved cipher suites must be used
The IBM License Metric Tool profile can be set up to meet the SP 800-131 requirement that originates from the National Institute of Standards and Technology
You can configure License Metric Tool to run in SP 800-131 strict or transition mode
When you configure security settings, ensure that the combination of security modes that you set up on the side of Endpoint Manager and License Metric Tool is supported
Legend: ✓ - the mode is enabled; ANY - the mode is either enabled or disabled
The self-signed certificate that is provided with License Metric Tool is not intended to be used in the production environment
Replace it with a certificate that is signed by a certificate authority (CA) of your choice
To have a certificate, you need to generate a private key, a public key, and a certificate signing request (CSR) that is associated with the public key
Next, a certificate authority must sign this request. There are two ways to get a certificate signing request signed:
send it to an existing certificate authority, e.g. Entrust, Verisign, or the CA of your organization
create a private CA
Existing certificate authority (CA)
You can use an existing CA to sign your certificate signing request (CSR)
The root certificates of popular CAs are imported into new web browsers by default
Private certificate authority
You can create a private CA and use it for signing the CSR
A private CA can be created on any computer with an operating system that supports OpenSSL
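The certificate workflow described in the last two slides (private key, CSR, signature by a private CA created with OpenSSL) together with the SP 800-131 strict conditions from the earlier slide, as an added example that is not part of the deck or of IBM's documentation: an openssl script that creates a private CA, issues a server certificate from a CSR, verifies the chain, and checks the certificate's signature algorithm and RSA key length. The subject names, the file layout under a scratch directory and the 4096/2048/1024-bit key sizes are assumptions for the demo; the check enforces the SHA-256/384/512 signature rule the deck lists and a 2048-bit RSA modulus, which is how the SP 800-131 key-length requirement is applied in practice.

```shell
#!/bin/sh
# Added example, not from the ILMT deck or IBM: build a private CA with
# openssl, issue a server certificate from a CSR, then check the result
# against the SP 800-131 strict conditions the deck lists. Subject names,
# file names and key sizes below are assumptions for the demo.
set -eu

# All files go under one scratch directory so the run is self-contained.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: private CA = a key plus a self-signed root certificate.
make_private_ca() {
  openssl genrsa -out "$WORKDIR/ca.key" 4096 2>/dev/null
  openssl req -x509 -new -key "$WORKDIR/ca.key" -sha256 -days 3650 \
    -subj "/CN=Example Private CA" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Step 2: server private key and the CSR bound to its public key.
# Step 3: the private CA signs the CSR (SHA-256 with RSA).
# $1 = RSA key length in bits, so the weak case can be demonstrated too.
issue_server_cert() {
  bits="$1"
  openssl genrsa -out "$WORKDIR/server.key" "$bits" 2>/dev/null
  openssl req -new -key "$WORKDIR/server.key" -sha256 \
    -subj "/CN=ilmt.example.internal" -out "$WORKDIR/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -sha256 -days 365 \
    -out "$WORKDIR/server.crt" 2>/dev/null
}

# Print "ok" and return 0 when the certificate uses an SP 800-131 strict
# signature algorithm (SHA-256/384/512 with RSA or ECDSA) and, for RSA,
# a key of at least 2048 bits; otherwise print the reason and return 1.
# Both facts are read from the text dump of `openssl x509`.
check_sp800131() {
  text=$(openssl x509 -in "$1" -noout -text)
  sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  keybits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  case "$sigalg" in
    sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) ;;
    ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) ;;
    *) echo "weak signature algorithm: ${sigalg:-unknown}"; return 1 ;;
  esac
  case "$sigalg" in
    *RSA*) if [ "${keybits:-0}" -lt 2048 ]; then
             echo "RSA key too short: ${keybits:-unknown} bits"; return 1
           fi ;;
  esac
  echo ok
}

# The chain check a browser or the ILMT server performs: the server
# certificate must validate against the private CA root (0 on success).
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Stand-alone run: a compliant 2048-bit certificate, then a 1024-bit one.
make_private_ca
issue_server_cert 2048
echo "2048-bit server cert: $(check_sp800131 "$WORKDIR/server.crt")"
verify_chain && echo "chain verifies against $WORKDIR/ca.crt"
issue_server_cert 1024
echo "1024-bit server cert: $(check_sp800131 "$WORKDIR/server.crt" || true)"
```

Set WORKDIR to keep the generated files in a directory of your choice; otherwise they land in a fresh temporary directory. For a real deployment the CN (and a subjectAltName) must be the hostname users type into the browser, and the private CA's ca.crt, not the server certificate, is what gets imported into the browsers' trust store.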
Lightweight Directory Access Protocol (LDAP) is a set of client/server protocols for accessing and managing information directories
LDAP uses the TCP/IP protocol for communication and simple string formats for data transfer
LDAP is cross-platform and standards-based, so applications do not need to care which type of server hosts the directory
LDAP is a simplified variation of X.500 Directory Access Protocol
IBM® License Metric Tool (ILMT) 9.0 supports authentication through a Lightweight Directory Access Protocol (LDAP) server
ILMT server configuration consists of a few steps:
Creation of a directory that the application links to
Creation of a user that links to the created directory
Integration of users with ILMT using the LDAP protocol
Integration of users with Web Reports