How can the Introscope Isengard protocol be configured to use SSL and which security standards (ciphersuites, protocols) are supported?

Document ID : KB000056640
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

How can the Introscope Isengard protocol be configured to use SSL and which security standards (ciphersuites, protocols) are supported?

Solution:

The Isengard SSL support follows the JSSE SSL standards for the EM Java version. 

In APM 9.7 & 10.0, this is Java 1.7 so the following list of ciphersuites is supported:

JSSE Cipher Suite Names

 

For the protocol support currently only SSLv2, SSLv3, TLSv1 are supported. However, additional support for TLSv1.1 and TLSv1.2 is planned to be delivered in the future APM 10.1 Service Pack.

Additional JSSE Standard Names

 

From an implementation perspective, the CA APM Configuration and Administration Guide covers the functionality & various property options:

The Default Enterprise Manager Communications Channel - Configuring SSL

The relevant corresponding sections for the client side Agent & Standalone Workstation are provided below: 

 

In summary:

  • If client authentication is required, then the needclientauth & truststore properties need to be enabled in the EM properties file. In addition, the truststore needs to be created. Otherwise the EM will trust all client certificates. 
  • Specific ciphers can be specified which comply with J2EE SSL standards for Java 1.7, however you will need to update the JRE shipped with EM to use unlimited strength JCE first otherwise only the export quality CipherSuites are available by default.

In addition, if wishing to implement Isengard SSL, then there may be a need to also setup EM Web Server & WebView support for SSL via the EM/WebView properties files and em-jetty-config.xml/webview-jetty-config.xml files at the same time, but it is not mandatory to do both at the same time:

Configuring the Enterprise Manager web server for HTTPS