CA Spectrum® Security Policy Statement
Release 9.4

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and CA.

Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Copyright © 2014 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.


CA Technologies Product References

This document references the following CA Technologies products:

■ CA Spectrum® (CA Spectrum)

■ CA Service Desk

Contact CA Technologies

Contact CA Support

For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:

■ Online and telephone contact information for technical assistance and customer services

■ Information about user communities and forums

■ Product and documentation downloads

■ CA Support policies and guidelines

■ Other helpful resources appropriate for your product

Providing Feedback About Product Documentation

If you have comments or questions about CA Technologies product documentation, you can send a message to [email protected].

To provide feedback about CA Technologies product documentation, complete our short customer survey which is available on the CA Support website at http://ca.com/docs.


Contents

Chapter 1: Overview (page 7)
    About the CA Spectrum Security Policy Statement (7)
    Definitions (7)
    FIPS 140-2 Compatibility Matrix (8)

Chapter 2: Detailed CA Spectrum Component Descriptions (page 11)
    SpectroSERVER User Password Storage (11)
    OneClick User Password Storage (12)
    Integration Password Storage (13)
    Embedded Entitlements Manager (EEM) Single Sign-On (Proxy Password) (14)
    CA Service Desk Password Storage (16)
    MySQL Password Storage (17)
    SRAdmin Data Transmission (18)
    SNMPv3 Privacy Data Transmission (20)
    Secure Domain Manager (22)
    Certgen (23)

Each component section in Chapter 2 has the same three subsections: Special Protection and Key Storage, Enable FIPS Mode, and Changing Root Certificate.


Chapter 1: Overview

This section contains the following topics:

About the CA Spectrum Security Policy Statement (see page 7)
Definitions (see page 7)
FIPS 140-2 Compatibility Matrix (see page 8)

About the CA Spectrum Security Policy Statement

The CA Spectrum Security Policy Statement applies to the CA Spectrum product and is applicable as long as the product is used within the documented procedures defined in the product documentation.

The CA Spectrum Security Policy Statement details the encryption and hashing that is used by specific CA Spectrum components.

The CA Spectrum Security Policy Statement communicates the FIPS 140-2 statement for the CA Spectrum product. Specifically, it does the following:

■ Clearly states what CA Spectrum modules are FIPS-compliant and which are FIPS-compatible

■ Identifies FIPS certificate numbers for the encryption modules or hash algorithms used

■ Communicates additional items that require extra physical security or protection

■ Identifies the application boundaries surrounding the different application modules that use encryption and/or hashing

■ Identifies what data is protected

■ Communicates how keys are protected

■ Explains how to enable FIPS mode on the software component

Definitions

The following terms are used in the CA Spectrum Security Policy Statement:

FIPS-compliant means that the component is capable of running FIPS-compliant encryption and hashing modules and offers the ability to run in FIPS mode.

FIPS-compatible means that the component uses FIPS-certified algorithms for encryption and hashing, but does not offer the ability to run in FIPS mode.


FIPS 140-2 Compatibility Matrix

The following table shows the extent to which CA Spectrum uses FIPS-compliant algorithms. The numbered column headings refer to the notes below the table.

CA Spectrum Software Component (see page)   | Module            | Version | Certificate (1) | Algorithms (2)              | Algorithm Cert# (3) | Mode (4)
--------------------------------------------+-------------------+---------+-----------------+-----------------------------+---------------------+-----------
SpectroSERVER User Password Storage (11) ** | BSAFE Crypto-J    | 5.1.1   | 1502            | SHA-256                     | 1549                | Compatible
OneClick User Password Storage (12)         | BSAFE Crypto-J    | 5.1.1   | 1502            | AES-256                     | 1766                | Compatible
Integration Password Storage (13)           | BSAFE Crypto-J    | 5.1.1   | 714             | AES-256                     | 1766                | Compatible
eHealth Password Storage (13)               | BSAFE Crypto-J    | 5.1.1   | 714             | AES-256                     | 1766                | Compatible
EEM Single Sign-On (Proxy Password) (14)    | BSAFE Crypto-J    | 5.1.1   | 714             | AES-256                     | 1766                | Compatible
CA Service Desk Password Storage (16)       | BSAFE Crypto-J    | 5.1.1   | 714             | AES-256                     | 1766                | Compatible
MySQL Password Storage (17)                 | BSAFE Crypto-J    | 5.1.1   | 714             | AES-256                     | 1766                | Compatible
SRAdmin Data Transmission (18)              | BSAFE Crypto-C ME | 2.0     | 608             | 3DES                        | 378                 | Compatible
SNMPv3 Privacy Data Transmission (20)       | OpenSSL ***       | 0.9.8   | 2097            | 3DES, AES-128, AES-256, SHA | 1302                | Compatible
Secure Domain Manager (22) *                | BSAFE Crypto-C ME | 2.0     | 608             | 3DES, SHA                   | 378                 | Compliant
Secure Domain Manager (22)                  | OpenSSL           | 0.9.8   | 2097            | 3DES, SHA-256               | 1302                | Compatible
SDConnector Data Transmission (22)          | BSAFE Crypto-C ME | 2.0     | 608             | 3DES                        | 378                 | Compatible
Certgen (23)                                | OpenSSL           | 0.9.8   | 2097            | 3DES, SHA                   | 1302                | Compatible

Notes:

(1) NIST module certificate numbers can be looked up at http://csrc.nist.gov/groups/STM/cmvp/validation.html. The table lists BSAFE Crypto-J 5.1.1 under two different module certificate numbers (1502 and 714); before citing either in an accreditation package, confirm the number against the NIST list for the exact Crypto-J build shipped with your release.

(2) These are the only algorithms the software supports. You can find more information at http://csrc.nist.gov/groups/STM/cavp/validation.html

(3) Verify algorithm certificate numbers by looking up the certificate number at NIST, opening the module's Security Policy, or reading the 'Level/Description' column associated with the certificate number.

(4) N/A means the software does not offer the ability to operate in FIPS mode. Compatible and Compliant are used in the senses given under Definitions (see page 7): a Compliant component can be switched into FIPS mode, a Compatible component uses FIPS-certified algorithms but has no FIPS mode switch.

* You can configure a different algorithm for Secure Domain Manager (SDM) and the SDM Connector. You do not have to use 3DES.

** User models created before the 9.4 release hash credentials with SHA-1. User models created with the 9.4 release are hashed with SHA-256, so SHA-1 and SHA-2 coexist in an upgraded database.

*** The OpenSSL module is part of CAPKI. In FIPS mode it is FIPS 140-2 compliant because all consumer products use only FIPS-approved algorithms from the Crypto-C ME module of CAPKI; the certificate and algorithm certificate numbers shown for it are those of Crypto-C ME (4.0.1).


Chapter 2: Detailed CA Spectrum Component Descriptions

This chapter describes the encryption and hashing that is used by specific CA Spectrum components.

This section contains the following topics:

SpectroSERVER User Password Storage (see page 11)
OneClick User Password Storage (see page 12)
Integration Password Storage (see page 13)
Embedded Entitlements Manager (EEM) Single Sign-On (Proxy Password) (see page 14)
CA Service Desk Password Storage (see page 16)
MySQL Password Storage (see page 17)
SRAdmin Data Transmission (see page 18)
SNMPv3 Privacy Data Transmission (see page 20)
Secure Domain Manager (see page 22)
Certgen (see page 23)

SpectroSERVER User Password Storage

CA Spectrum user passwords are hashed and stored in the SpectroSERVER database; at login, the hash of the presented password is compared with the stored hash. Until the 9.3 release the hash was SHA-1 only. Starting with the 9.4 release, SHA-256 is supported, and the two coexist: user models created before 9.4 continue to authenticate against their SHA-1 hashes, while user models created with 9.4 (9.4.0) are hashed and authenticated with SHA-256.

Note: Hashing protects the stored password only. Enable "Tomcat Secure Sockets Layer (SSL)" for protection over the wire.

Figure: Cryptographic Boundary for SpectroSERVER user password storage (image not reproduced in this transcript).

The CA Spectrum password is protected at rest by the stored hash and in transit by SSL. For more information about configuring and using SSL, see the Administrator Guide.

Special Protection and Key Storage

Password hashing uses no encryption key; the SHA-1 and SHA-256 digests are held inside the SpectroSERVER database.

Enable FIPS Mode

SHA-256 password hashing is enabled out of the box for user models created with 9.4; there is no separate FIPS mode switch for this component.

Changing Root Certificate

Not applicable at this time.

OneClick User Password Storage

When the "Remember my password" option is selected in the OneClick home page, OneClick passwords are stored to a file.

Figure: Cryptographic Boundary for OneClick password storage (image not reproduced in this transcript).

The OneClick username and password are encrypted with AES-256 in the file.

Note: For more information about the OneClick login, see the Operator Guide.

Special Protection and Key Storage

The encryption key is internal to CA Spectrum.

Enable FIPS Mode

AES-256 password and username encryption is enabled out of the box.

Changing Root Certificate

Not applicable at this time.

Integration Password Storage

Passwords for OneClick integrations are stored to a file and are encrypted using AES-256.

Note: For encryption over the network, enable SSL for integrations between CA Spectrum and CA eHealth, and CA Spectrum and Lightweight Directory Access Protocol (LDAP).

Figure: Cryptographic Boundary for integration password storage (image not reproduced in this transcript).

The password is encrypted with AES-256 in the file.

Note: For more information about configuring and using CA eHealth, see the CA eHealth and CA Spectrum Integration Guide. For more information about configuring and using LDAP, see the Administrator Guide.

Special Protection and Key Storage

The encryption key is internal to CA Spectrum.

Enable FIPS Mode

AES-256 password encryption is enabled out of the box.

Changing Root Certificate

Not applicable at this time.

Embedded Entitlements Manager (EEM) Single Sign-On (Proxy Password)

Single Sign-On functions are used mainly for logging in, but can also be used to access cross-platform resources, such as CA eHealth reports.

Note: If the token expires and a resource requires authentication, the authentication process repeats.

Figures: Cryptographic Boundary for Embedded Entitlements Manager (EEM) single sign-on (proxy password) (images not reproduced in this transcript). The three figures show:

■ How the OneClick web server communicates with the SpectroSERVER to authenticate. These OneClick web server transmissions can be encrypted with OpenSSL.

■ How the SpectroSERVER uses a configuration file to determine the authenticator. In this instance the authenticator is Single Sign-On through an EEM server behind a proxy server; the password for the proxy server is AES-256 encrypted and stored in a file on the SpectroSERVER.

■ How the proxy password is transmitted to the proxy server, which then allows the SpectroSERVER to communicate with the EEM server for authentication. These transmissions can also be encrypted with OpenSSL.

The proxy password is encrypted with AES-256 in the file. Transmission of the data between the servers can be protected by SSL, but SSL is not required.

Note: For more information about the EEM login and configuration information, see the CA Spectrum and Embedded Entitlements Manager Integration Guide. For more information about configuring the SSL, see the Administrator Guide.

Special Protection and Key Storage

There is no special protection for the file; however, the key is internal to CA Spectrum.

Enable FIPS Mode

AES-256 password encryption is enabled out of the box. It cannot be turned off. SSL is optional, and can be turned off.

Changing Root Certificate

Not applicable at this time.

CA Service Desk Password Storage

The CA Service Desk password is stored to a file with AES-256 encryption. The OneClick password used by the integration is stored to a file with Base64 encoding only. Base64 is an encoding, not encryption: anyone who can read that file can recover the OneClick password, so the file must be protected by filesystem permissions rather than by the encoding.

Figure: Cryptographic Boundary for CA Service Desk password storage (image not reproduced in this transcript).

Note: For more information about integrating with CA Service Desk, see the CA Spectrum and CA Service Desk Integration Guide.

Special Protection and Key Storage

The encryption key is internal to CA Spectrum.

Enable FIPS Mode

AES-256 encryption of the CA Service Desk password and Base64 encoding of the OneClick password are enabled out of the box. The Base64 encoding provides no cryptographic protection and is not relevant to FIPS mode.

Changing Root Certificate

Not applicable at this time.

MySQL Password Storage

The mysql password is stored to a file with AES-256 encryption.

Figure: Cryptographic Boundary for MySQL password storage (image not reproduced in this transcript).

Note: For more information about configuring and using MySQL, see the Administrator Guide.

Special Protection and Key Storage

The encryption key is internal to CA Spectrum.

Enable FIPS Mode

AES-256 password encryption is enabled out of the box.

Changing Root Certificate

Not applicable at this time.

SRAdmin Data Transmission

The username and password for CA Spectrum Remote Administration (SRAdmin) is encrypted using 3DES.

Figure: Cryptographic Boundary for SRAdmin data transmission (image not reproduced in this transcript).

The sradmin username and password are encrypted with 3DES and are sent over the network.

Note: For more information about configuring and using SRAdmin, see the Installation Guide.

Special Protection and Key Storage

The encryption key is internal to CA Spectrum and is derived in part from the system time. Because the key comes from the clock rather than from a configured secret, the 3DES wrapping should not be relied on as the only protection for the SRAdmin credentials on the network.

Enable FIPS Mode

3DES username and password encryption is enabled out of the box.

Changing Root Certificate

Not applicable at this time.


SNMPv3 Privacy Data Transmission

To query devices using SNMPv3 with authentication and privacy, CA Spectrum can be configured so that the SNMPv3 messages are encrypted using 3DES, AES-128, or AES-256. CA Spectrum can also be configured to use SHA for authentication when querying devices using SNMPv3 with authentication only or with authentication and privacy.

Figure: Cryptographic Boundary for SNMPv3 privacy data transmission (image not reproduced in this transcript).

The SNMPv3 messages are encrypted using 3DES, AES-128 (AES), or AES-256 and are sent over the network.

Note: For more information about configuring and using SNMPv3, see the Modeling and Managing Your IT Infrastructure Administrator Guide.

Special Protection and Key Storage

The encryption key is internal to CA Spectrum.

Enable FIPS Mode

The SNMPv3 stack has no FIPS mode switch of its own; instead, configure it to use only the FIPS-approved algorithms listed in the compatibility matrix (SHA for authentication; 3DES, AES-128, or AES-256 for privacy).

To change the default privacy encryption algorithm for all device models, set the snmpv3_default_priv_protocol parameter in the <$SPECROOT>\SS\.vnmrc file to 3des, aes, or aes256. For example:

snmpv3_default_priv_protocol=3des

or

snmpv3_default_priv_protocol=aes

or

snmpv3_default_priv_protocol=aes256

Alternatively, to override the default privacy encryption algorithm for a particular device model, insert the algorithm name and a caret before the privacy password in that model's SNMP community string. For example:

#v3/<authPW>:3DES^<privPW>/<user>

#v3/<authPW>:AES^<privPW>/<user>

#v3/<authPW>:AES256^<privPW>/<user>

To change the default authentication algorithm for all device models to SHA, set the snmpv3_default_auth_protocol parameter in the <$SPECROOT>\SS\.vnmrc file to "sha". For example:

snmpv3_default_auth_protocol=sha

Alternatively, to override the default authentication algorithm for a particular device model that uses authentication only, insert the algorithm name and a caret before the authentication password in the same way:

#v3/SHA^<authPW>/<user>

For a device model that uses authentication with privacy, the authentication override takes the same form; the privacy password can either inherit the .vnmrc default or carry its own override:

#v3/SHA^<authPW>:<privPW>/<user>

#v3/SHA^<authPW>:AES^<privPW>/<user>

#v3/SHA^<authPW>:AES256^<privPW>/<user>

Note: For more information, see the Modeling and Managing Your IT Infrastructure Administrator Guide.
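The following script is an added example, not CA's code, that applies the two mechanisms above, the .vnmrc defaults and the per-model community-string override, to work out which authentication and privacy protocols a device model will actually use, and flags anything outside the algorithms the compatibility matrix lists. The grammar #v3/[AUTH^]<authPW>[:[PRIV^]<privPW>]/<user> is taken from the examples above; the .vnmrc sample and community strings inside the script are constructed, and the parser assumes that passwords contain none of ':', '^' or '/' and that '#' starts a comment in .vnmrc.

```python
"""Resolve and check the SNMPv3 protocols a CA Spectrum device model will use.

Added example (not CA code). Assumptions: passwords contain none of ':' '^'
'/', '#' starts a comment in .vnmrc, and a community string with no ':' part
means authentication only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The only protocol names this document lists for Spectrum's SNMPv3 stack.
FIPS_AUTH = {"SHA"}
FIPS_PRIV = {"3DES", "AES", "AES256"}


@dataclass
class Snmpv3Settings:
    user: str
    auth_protocol: Optional[str]   # None: not set anywhere (product default applies)
    auth_password: Optional[str]   # None: no authentication at all
    priv_protocol: Optional[str]
    priv_password: Optional[str]   # None: no privacy
    auth_from_default: bool        # protocol came from .vnmrc, not the community string
    priv_from_default: bool


def parse_vnmrc(text: str) -> Dict[str, str]:
    """Parse key=value lines of .vnmrc, ignoring blanks and '#' comments."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        key, sep, value = raw.split("#", 1)[0].strip().partition("=")
        if sep:
            values[key.strip()] = value.strip()
    return values


def _split(token: str) -> Tuple[Optional[str], str]:
    """'AES^secret' -> ('AES', 'secret'); 'secret' -> (None, 'secret')."""
    algo, caret, password = token.partition("^")
    return (algo.upper(), password) if caret else (None, token)


def resolve(community: str, vnmrc: Dict[str, str]) -> Snmpv3Settings:
    """Combine a community string with the .vnmrc defaults into effective settings."""
    if not community.startswith("#v3/"):
        raise ValueError("not an SNMPv3 community string (no '#v3/' prefix)")
    creds, slash, user = community[len("#v3/"):].rpartition("/")
    if not slash or not user:
        raise ValueError("community string lacks the trailing /<user>")
    auth_token, colon, priv_token = creds.partition(":")

    auth_proto, auth_pw = _split(auth_token) if auth_token else (None, None)
    priv_proto, priv_pw = _split(priv_token) if colon and priv_token else (None, None)

    auth_default = priv_default = False
    if auth_pw is not None and auth_proto is None:       # no per-model override: fall back to .vnmrc
        v = vnmrc.get("snmpv3_default_auth_protocol")
        auth_proto, auth_default = (v.upper() if v else None), v is not None
    if priv_pw is not None and priv_proto is None:
        v = vnmrc.get("snmpv3_default_priv_protocol")
        priv_proto, priv_default = (v.upper() if v else None), v is not None
    return Snmpv3Settings(user, auth_proto, auth_pw, priv_proto, priv_pw, auth_default, priv_default)


def fips_findings(s: Snmpv3Settings) -> List[str]:
    """Every way the effective settings fall short of the algorithms the matrix lists."""
    findings: List[str] = []
    if s.auth_password is None:
        findings.append("no authentication: messages are neither authenticated nor encrypted")
    elif s.auth_protocol is None:
        findings.append("auth protocol not set: use snmpv3_default_auth_protocol=sha or SHA^ in the community string")
    elif s.auth_protocol not in FIPS_AUTH:
        findings.append(f"auth protocol {s.auth_protocol} is not listed as FIPS-approved")
    if s.priv_password is None:
        findings.append("no privacy: SNMP payloads cross the network in clear text")
    elif s.priv_protocol is None:
        findings.append("priv protocol not set: use snmpv3_default_priv_protocol or 3DES^/AES^/AES256^ in the community string")
    elif s.priv_protocol not in FIPS_PRIV:
        findings.append(f"priv protocol {s.priv_protocol} is not listed as FIPS-approved")
    return findings


if __name__ == "__main__":
    # Constructed sample .vnmrc and community strings (not taken from a real installation).
    defaults = parse_vnmrc("snmpv3_default_auth_protocol=sha\nsnmpv3_default_priv_protocol=aes256\n")
    for cs in ("#v3/authpw:privpw/monitor",
               "#v3/SHA^authpw:3DES^privpw/monitor",
               "#v3/authpw/monitor"):
        s = resolve(cs, defaults)
        print(f"{cs:40} auth={s.auth_protocol} priv={s.priv_protocol} "
              f"findings={fips_findings(s) or 'none'}")
```

Run it against the real <$SPECROOT>\SS\.vnmrc and the community strings of your device models to see which models still inherit an unset or non-approved default; the auth_from_default and priv_from_default flags tell you whether a model's protocol is pinned in the community string or would change if the .vnmrc default changed.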


Changing Root Certificate

Not applicable at this time.

Secure Domain Manager

Bi-directional communication takes place between the Secure Domain Manager (SDM) and the Secure Domain Connector (SDC).

Note: When not running in FIPS mode, CA Spectrum, using SDM and SDC, runs in a FIPS-compatible state.

Figure: Cryptographic Boundary for the Secure Domain Manager (image not reproduced in this transcript).

SNMP and ICMP requests and replies, and SNMP trap communication, are protected. No other communication takes place.

Note: For more information about configuring and using the Secure Domain Manager, see the Secure Domain Manager User Guide.

Special Protection and Key Storage

The SDM private key is located at <$SPECROOT>/SDM/CERTS/SDMCAKey.pem. Restrict it so that only the administrator account can read and write it; because it is the certificate-authority key, any other account that can read it can issue certificates trusted by the SDM and SDC.

Enable FIPS Mode

Locate the sdm.config file and add the -withfips option.

Note: Whenever this option is changed, the entire system must be restarted.


Changing Root Certificate

Run the following command to create a new network security certificate for the SDManager:

CertGen.exe -t cert -c <Country Code>

For added security, use the -p option to generate the certificate with a password as follows:

CertGen.exe -t cert -p <password> -c <Country Code>
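An added audit script, not CA tooling, for the two Secure Domain Manager controls above: the -withfips option in sdm.config and the owner-only permissions on <$SPECROOT>/SDM/CERTS, above all SDMCAKey.pem. It assumes a POSIX host, where "administrator read and write only" maps to mode 0600 owned by the SDM service account; that sdm.config is a plain text file of whitespace-separated options with '#' comments; and that the caller supplies the path to sdm.config, because this document does not give its location. The file names other than SDMCAKey.pem used when exercising it are constructed.

```python
"""Audit the SDM -withfips switch and the SDM/CERTS store permissions.

Added example, not CA tooling. Assumptions: POSIX host (owner-only = no
group/other bits, file owner = SDM service account), sdm.config is whitespace-
separated options with '#' comments, and its path is passed by the caller.
"""
import os
import stat
import sys
from typing import Iterable, List, Tuple

PRIVATE_KEY = "SDMCAKey.pem"                      # file name given in this document
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def fips_option_present(sdm_config_text: str) -> bool:
    """True when -withfips appears as a whole option (not merely a substring)."""
    tokens: List[str] = []
    for line in sdm_config_text.splitlines():
        tokens.extend(line.split("#", 1)[0].split())  # drop comments, then tokenize
    return "-withfips" in tokens


def cert_store_findings(entries: Iterable[Tuple[str, int, int]], owner_uid: int) -> List[str]:
    """Findings for (name, st_mode, st_uid) triples describing the files in SDM/CERTS.

    Kept free of filesystem calls so it can be exercised on constructed input.
    """
    findings: List[str] = []
    seen = set()
    for name, mode, uid in entries:
        seen.add(name)
        if uid != owner_uid:
            findings.append(f"{name}: owned by uid {uid}, expected {owner_uid}")
        if mode & GROUP_OTHER_BITS:
            findings.append(f"{name}: mode {stat.S_IMODE(mode):04o} lets group/other in; expected 0600")
    if PRIVATE_KEY not in seen:
        findings.append(f"{PRIVATE_KEY} missing from the certificate store")
    return findings


def scan_cert_store(spec_root: str, owner_uid: int) -> List[str]:
    """Stat every regular file under <spec_root>/SDM/CERTS and report on it."""
    certs_dir = os.path.join(spec_root, "SDM", "CERTS")
    entries = []
    for name in sorted(os.listdir(certs_dir)):
        st = os.stat(os.path.join(certs_dir, name))
        if stat.S_ISREG(st.st_mode):
            entries.append((name, st.st_mode, st.st_uid))
    return cert_store_findings(entries, owner_uid)


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <SPECROOT> <path to sdm.config>")
        return 2
    spec_root, sdm_config = argv[1], argv[2]
    with open(sdm_config, encoding="utf-8") as fh:
        fips = fips_option_present(fh.read())
    print("sdm.config -withfips:", "present" if fips else "ABSENT")
    # Assumes the audit itself runs as the SDM service account, the expected owner.
    problems = scan_cert_store(spec_root, os.getuid())
    for p in problems:
        print("CERTS:", p)
    return 0 if fips and not problems else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means either FIPS mode is not switched on or a file in the certificate store is readable beyond its owner; fix the permissions before trusting the 3DES protection between SDM and SDC, since the key files are what that protection rests on.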

Certgen

Certgen uses OpenSSL 0.9.8 to create the certificate authority, key files, and security certificates that are used to protect communication between SDM and SDC. Of the algorithms the matrix lists for Certgen, 3DES is the cipher that protects the generated key material (the .p12 bundle) and SHA is the hash used with it.

Figure: Cryptographic Boundary for Certgen (image not reproduced in this transcript).

The .p12 (PKCS#12) bundle is used primarily to protect the data transferred between the Secure Domain Manager and the Secure Domain Connectors.

Note: For more information about configuring and using the CertGen, see the Secure Domain Manager User Guide.


Special Protection and Key Storage

All certificate-authority files, private keys, and certificates are located under <$SPECROOT>/SDM/CERTS. Restrict every file there so that only the administrator account can read and write it.

Enable FIPS Mode

Certgen has no FIPS mode setting; none is required.

Changing Root Certificate

Run the following command to create a new network security certificate for the SDManager:

CertGen.exe -t cert -c <Country Code>

For added security, use the -p option to generate the certificate with a password as follows:

CertGen.exe -t cert -p <password> -c <Country Code>

Note that a password given on the command line can be recorded in the shell history and is visible in process listings while CertGen.exe runs; clear the history afterwards or run the command from a session that does not keep one.
