Data Center RUM Documentation


Since all SSL protocol versions other than TLS 1.2 are subject to a number of vulnerabilities and security issues, we strongly recommend that you configure your DC RUM deployment to use TLS 1.2 together with a set of safe cipher suites for the following connections.

Service packs

DC RUM service packs are full releases of every component. When you install a DC RUM service pack for any given component, you essentially upgrade that component to the service pack release. As a result, any custom settings created for any of the components will be overwritten when you install the service pack. Service packs include a list of secure ciphers and are preset to use TLSv1.2 by default.

CSS

The CSS is required to make two types of connections: outgoing connections to other DC RUM components, and incoming connections for direct user access and from other DC RUM components.

Outgoing DC RUM connections

TLS 1.2 protocol support for outgoing communication to other DC RUM components depends on the Java version installed on the CSS machine. All supported RUM Console releases run a Java version that supports TLSv1.2 by default. See JAVA builds and DC RUM releases.

Incoming DC RUM & direct user connections

This Jetty setting determines the protocol used to access the RUM Console by other DC RUM components and by direct user connections from the network.

  1. Log on as an administrator to a machine running the CSS.
  2. Edit the jetty-ssl.xml file in the <install_dir>\workspace\configuration\jetty\etc\ folder.
    If needed, add TLS 1.2 as an included protocol.

    Backwards compatibility

    In order to maintain backwards compatibility with older component versions, you may consider allowing older protocols to connect to this component.

     The IncludeProtocols tag should contain TLSv1.2.

CAS and ADS

The report server is required to make two types of connections: outgoing connections to other DC RUM components, and incoming connections for direct user access and from other DC RUM components.

Outgoing DC RUM connections

TLS 1.2 protocol support for outgoing communication to other DC RUM components depends on the Java version installed on the CSS machine. All supported RUM Console releases run a Java version that supports TLSv1.2 by default. See JAVA builds and DC RUM releases.

Incoming DC RUM & direct user connections

This setting determines the protocol used to access the report server by other DC RUM components and by direct user connections from the network.

  1. Log on as an administrator to each machine running CAS or ADS in your cluster and edit the {install_dir}\config\common.properties file. Set the connector.ssl.SSLProtocol property to TLSv1.2 and connector.ssl.SSLCipherSuite to a colon-delimited list of secure ciphers.

     An example based on the recommendations from Mozilla.
  2. Restart the report server (CAS or ADS) services.

RUM Console

The RUM Console is required to make two types of connections: outgoing connections to other DC RUM components, and incoming connections for direct user access and from other DC RUM components.

Outgoing DC RUM connections

TLS 1.2 protocol support for outgoing communication to other DC RUM components depends on the Java version installed on the RUM Console machine. All supported RUM Console releases run a Java version that supports TLSv1.2 by default. See JAVA builds and DC RUM releases.

Incoming DC RUM & direct user connections

This setting determines the protocol used to access the RUM Console by other DC RUM components and by direct user connections from the network.

  1. Log on as an administrator to a machine running the CSS and RUM Console.
  2. Edit the jetty-ssl.xml file in the <install_dir>\workspace\configuration\jetty\etc\ folder.
    If needed, add TLS 1.2 as an included protocol.

    Backwards compatibility

    In order to maintain backwards compatibility with older component versions, you may consider allowing older protocols to connect to this component.

     The IncludeProtocols tag should contain TLSv1.2.
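To verify the settings from the CSS, CAS/ADS and RUM Console procedures above without reading each file by hand, here is an added Python audit snippet; it is not part of the DC RUM product or of this documentation. It assumes jetty-ssl.xml carries the standard Jetty <Set name="IncludeProtocols"> element, and both sample file contents are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed samples of the two files the sections above edit (not real DC RUM files).
JETTY_SSL_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="IncludeProtocols">
      <Array type="String"><Item>TLSv1.2</Item></Array>
    </Set>
  </New>
</Configure>"""
COMMON_PROPERTIES = """# report server connector (constructed sample)
connector.ssl.SSLProtocol=TLSv1.2
connector.ssl.SSLCipherSuite=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
"""

LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}      # anything older than TLS 1.2
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "aNULL")

def jetty_include_protocols(jetty_ssl_xml):
    """Items listed under <Set name="IncludeProtocols"> of the SslContextFactory."""
    items = []
    for s in ET.fromstring(jetty_ssl_xml).iter("Set"):
        if s.get("name") == "IncludeProtocols":
            items += [i.text.strip() for i in s.iter("Item") if i.text]
    return items

def jetty_is_tls12_only(jetty_ssl_xml):
    """TLSv1.2 must be included, and no legacy protocol may be included alongside it."""
    included = set(jetty_include_protocols(jetty_ssl_xml))
    return "TLSv1.2" in included and not (included & LEGACY)

def report_server_settings(common_properties):
    """Return the two connector.ssl.* keys named in the CAS/ADS step above."""
    props = {}
    for line in common_properties.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    ciphers = [c for c in props.get("connector.ssl.SSLCipherSuite", "").split(":") if c]
    return {"protocol": props.get("connector.ssl.SSLProtocol"), "ciphers": ciphers}

def report_server_is_tls12(common_properties):
    """Protocol pinned to TLSv1.2 and a non-empty cipher list with no weak family in it."""
    s = report_server_settings(common_properties)
    weak = [c for c in s["ciphers"]
            if not c.startswith("!") and any(m in c for m in WEAK_MARKERS)]
    return s["protocol"] == "TLSv1.2" and bool(s["ciphers"]) and not weak
```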

AMD

This setting determines the protocol that is used for communication between the AMD, the report server (CAS or ADS) and the RUM Console.

Red Hat Enterprise Linux and Tomcat

RHEL 6 and its Tomcat versions do not support TLS 1.2. If you are using RHEL 7, update your Apache Tomcat software to version 7.0.69-10 at minimum.

Support for TLS 1.2 depends on the OpenSSL libraries used by your AMD operating system. While the Linux distributions recommended for DC RUM include TLS 1.2 support by default, some custom installations and older Linux distributions may use an OpenSSL version that does not support TLS 1.2. You can check the OpenSSL version in use by executing the openssl version -a command.

 openssl version -a

OpenSSL

OpenSSL 1.0.0 and earlier versions do NOT support TLS 1.1/1.2.

If you need to update the OpenSSL libraries, update them to at least version 1.0.1c.

When choosing the version update, remember that:

If your OpenSSL version supports TLS 1.2, check whether the connector protocol is set to TLS 1.2:

  1. Log on as root to the machine running the AMD and edit the /usr/adlex/config/tomcat/server.xml file.
    Make sure that the connector protocol is set to TLSv1.2.

    Report server restart is required

    If you make any changes to the connector protocol settings on the AMD, you must reinitialize the communication with the report servers by restarting the report server (CAS or ADS) service.

     Example of the proper connector protocol setting
  2. Restart the rtm service.
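The two AMD checks above (OpenSSL at least 1.0.1c, connector set to TLSv1.2) as an added Python example that is not DC RUM code. It assumes the Tomcat Connector uses the JSSE attribute sslEnabledProtocols or the APR attribute SSLProtocol, which the page does not name; the openssl output and the server.xml are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not captured from a real AMD).
OPENSSL_OLD = "OpenSSL 1.0.0-fips 29 Mar 2010\nbuilt on: Tue Mar 30 09:10:11 UTC 2010"
OPENSSL_NEW = "OpenSSL 1.0.1e-fips 11 Feb 2013\nbuilt on: Wed Feb 13 11:22:33 UTC 2013"
SERVER_XML = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.2" />
  </Service>
</Server>"""

MIN_OPENSSL = (1, 0, 1, "c")   # page: update OpenSSL to at least 1.0.1c

def parse_openssl_version(line):
    """'OpenSSL 1.0.1e-fips 11 Feb 2013' -> (1, 0, 1, 'e'); the letter may be empty."""
    m = re.match(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", line)
    if not m:
        raise ValueError("not an 'openssl version' line: %r" % line)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def openssl_supports_tls12(version_output):
    """True when the first line of 'openssl version -a' reports 1.0.1c or newer."""
    return parse_openssl_version(version_output.splitlines()[0]) >= MIN_OPENSSL

def connector_protocols(server_xml):
    """Protocol set of every SSLEnabled Connector.  Assumed attribute names:
    sslEnabledProtocols (JSSE) or SSLProtocol (APR); the page names neither."""
    result = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        raw = c.get("sslEnabledProtocols") or c.get("SSLProtocol") or ""
        result.append({p for p in re.split(r"[,+\s]+", raw) if p})
    return result

def amd_connector_is_tls12_only(server_xml):
    """True only if there is an SSL connector and every one allows exactly TLSv1.2."""
    sets = connector_protocols(server_xml)
    return bool(sets) and all(s == {"TLSv1.2"} for s in sets)

if __name__ == "__main__":
    for label, out in (("old", OPENSSL_OLD), ("new", OPENSSL_NEW)):
        print(label, "OpenSSL supports TLS 1.2:", openssl_supports_tls12(out))
    print("AMD connector TLSv1.2 only:", amd_connector_is_tls12_only(SERVER_XML))
```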

MS SQL Server

This setting determines the protocol that is used for communication between the database, the report server (CAS or ADS) and the RUM Console.

  1. Make sure that your Windows and SQL Server versions support TLS 1.2 connections.
    For information on Windows, see the Microsoft Support article.
    TLS 1.2 support for MS SQL Server (2008, 2012, and 2014) requires a specific Service Pack version and/or cumulative update patch. For more information, see the SQL Server support for TLS 1.2 article.

  2. Enable specific protocols, ciphers, hashes, and key exchange algorithms:

    • Download and install the IIS Crypto tool (this tool requires .NET Framework 4.x or 2.x):
      https://www.nartac.com/Products/IISCrypto/Download
    • Set the following options:

      Protocols: TLS 1.2
      Ciphers: AES 256/256
      Hashes: SHA 256, SHA 384, SHA 512
      Key Exchanges: Diffie-Hellman, ECDH

  3. Make sure that all DC RUM components connecting to this database are utilizing TLSv1.2.
