PCIDSS Standards for AWA

Document ID : KB000097849
Last Modified Date : 14/06/2018
Introduction:
A network security team will be enforcing a rule that all connections into PCI (Payment card) security zones must use TLS1.2.
The connection between Unix agents and the AE does not use TLS.
To prove to the security team that the connection is encrypted with the same strength as TLS1.2, documentation is needed (up to and including source code if possible) around the encryption used for agent to AE communications.
Question:
1.  What are the plans for the Agent / Master communication PCIDSS standards (TLS 1.2 / 1.3)?
2.  Who in the customer base for process scheduling must be PCIDSS compliant?
3.  Is it a possibility (although slight) that AE's current AES256 encryption may pass as a TLS equivalent?
To confirm this would require a huge level of technical depth, as cryptanalysis teams are able to review the ‘nuts and bolts’ of the open source TLS solution.
Answer:
The direct Agent to Automation Engine communication uses AES256 encryption, and we do not believe this would pass scrutiny as a TLS equivalent. There is an option to use the Proxy component, which was first introduced in V11.2 and enhanced in V12. This does use TLS and would encrypt data passing across the network between the Agent and the AE.
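When the Proxy component is in place, the security team will usually want evidence that its listener really negotiates TLS 1.2 or newer with a 256-bit cipher, rather than a statement that it does. The following is an added example (not Automic/AWA code and not from this article): a small probe that connects to a host and port you supply, forces a TLS 1.2 minimum, and reports the negotiated version and cipher, plus an `assess()` helper that applies the PCI zone rule quoted above. The hostname and port are placeholders; the direct AES256 agent port is not a TLS endpoint, so the handshake there is expected to fail, which is exactly the distinction the answer draws.

```python
"""Verify that a TLS listener (e.g. the AWA Proxy) meets a TLS 1.2 / 256-bit rule.

Added example for this KB article; hostnames, ports and thresholds are assumptions.
"""
import argparse
import socket
import ssl

# Protocol versions the PCI zone rule in the article accepts.
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# Cipher families that should never be accepted regardless of key length.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON")
# Symmetric key strength expected to match the AES256 used on the direct link.
MIN_KEY_BITS = 256


def assess(version, cipher_name, key_bits):
    """Return (ok, reasons) for one negotiated TLS session.

    version:     string as returned by ssl.SSLSocket.version(), e.g. "TLSv1.2"
    cipher_name: OpenSSL cipher name, e.g. "ECDHE-RSA-AES256-GCM-SHA384"
    key_bits:    symmetric key length reported by ssl.SSLSocket.cipher()
    """
    reasons = []
    if version not in ACCEPTABLE_VERSIONS:
        reasons.append(f"protocol {version} is below TLS 1.2")
    if key_bits < MIN_KEY_BITS:
        reasons.append(f"cipher {cipher_name} uses a {key_bits}-bit key, "
                       f"less than {MIN_KEY_BITS}")
    upper = cipher_name.upper()
    for marker in WEAK_CIPHER_MARKERS:
        if marker in upper:
            reasons.append(f"cipher {cipher_name} belongs to a weak family ({marker})")
            break
    return (not reasons, reasons)


def probe(host, port, verify=True, timeout=5.0):
    """Handshake with host:port and return the negotiated parameters.

    Raises ssl.SSLError if the peer cannot complete a TLS 1.2+ handshake, which
    is the result to expect against a port that speaks a non-TLS protocol.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older
    if not verify:
        # Only for lab use with self-signed proxy certificates; the audit
        # evidence should be gathered with verification enabled.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return {"version": tls.version(), "cipher": name, "bits": bits}


def check_endpoint(host, port, verify=True):
    """Probe an endpoint and return (ok, details) suitable for an audit log."""
    try:
        result = probe(host, port, verify=verify)
    except (ssl.SSLError, OSError) as exc:
        return (False, {"error": f"no TLS 1.2+ handshake with {host}:{port}: {exc}"})
    ok, reasons = assess(result["version"], result["cipher"], result["bits"])
    result["reasons"] = reasons
    return (ok, result)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Check a TLS listener against a TLS 1.2 / 256-bit rule")
    parser.add_argument("host", help="placeholder, e.g. the AWA Proxy host")
    parser.add_argument("port", type=int, help="placeholder, the Proxy TLS port")
    parser.add_argument("--no-verify", action="store_true", help="skip certificate verification (lab only)")
    args = parser.parse_args()
    ok, details = check_endpoint(args.host, args.port, verify=not args.no_verify)
    print("PASS" if ok else "FAIL", details)
```

Run it once against the Proxy listener and once against the direct agent port: the first should report a TLS 1.2 or 1.3 session with a 256-bit AES suite, the second should fail the handshake, giving the security team a reproducible artefact for each path rather than a description of it.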