11-18-2013 10:49 PM
Perhaps there is documentation that tells me this, but I only have the changelog and install docs.
I need to submit a design document to our security team before CPO will be allowed to run any of our PROD environments.
I understand that I can configure SSL on the IIS virtual directory to secure connectivity to the web interface.
However, what about connections between the client console and the CPO backend? Is this encrypted?
Are the passwords for runtime users stored securely (encrypted) in the database?
11-19-2013 03:22 AM
1) You can use SSL for the connection from client to server; you would need to set up an SSL cert on the server and change the port in the server configuration file. (I know there is information in the Northbound Web Services guide as a start, but it's really just about setting up a cert, then changing the port and changing it to https.)
2) Yes, all passwords are encrypted in the DB. If you need to know more specifics, please open a TAC case. I'm not sure how much information development would give out, but it would have to be through secure channels.
--shaun
11-19-2013 06:23 AM
You will want to add an SSL certificate to the northbound web service should you use it. The web services guide I think has this information: http://www.cisco.com/en/US/customer/products/ps11100/products_user_guide_list.html
Configuring Role-based security is in the user's guide at the link above.
There is information in the install guide online regarding hardening the PO servers.
http://www.cisco.com/en/US/customer/products/ps11100/prod_installation_guides_list.html
Per the encryption of secrets such as passwords at rest in the database, this is done using an environment-specific key. So you cannot just lift the database and expect to get at the data. This creates some issues for getting a complete backup for disaster recovery. See the "Managing High Availability and Resiliency" chapter in the 3.0 user's guide. In prior releases this was in a separate resiliency guide. Encryption uses Microsoft security APIs, same as storage of Windows service passwords. In addition to this, these secrets are never displayed or logged within the product. See the runtime users and hidden strings concepts in the 3.0 user's guide.
My recollection is that unlike the northbound web service and web UI, the client to server communication is encrypted even without the use of SSL, but I'll leave that for someone else to add details on.
11-19-2013 06:29 AM
Correction to the reply on #1.
Shaun Roberts' answer is accurate for the Northbound Web Service, which explicitly supports HTTP and HTTPS.
Connections between client (main console) and server are already secure, out of the box. The connection uses WS HTTP Binding for communication which "implements the following specifications: WS-Reliable Messaging for reliability, and WS-Security for message security and authentication. The transport is HTTP, and message encoding is text/XML encoding." (from Microsoft documentation)
All messages between client and server are encrypted and the end user cannot configure them to be NOT encrypted.
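To make the distinction in the answer above concrete for a design document, here is an added illustration of what a WCF `wsHttpBinding` endpoint with WS-Security message security looks like in a .NET `app.config`. This is not Cisco's configuration and not taken from the product; the endpoint address, contract name and binding name are made-up placeholders. The point it shows is that with `security mode="Message"` the SOAP messages are signed and encrypted by WS-Security regardless of whether the transport is plain HTTP, which is why a reviewer should not treat "the transport is HTTP" as "the traffic is cleartext"; the `Transport` alternative is shown for contrast, since that is the mode that depends on an HTTPS certificate.

```xml
<!-- Added example, not CPO's actual configuration. Names are placeholders. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <!-- Message security: WS-Security signs and encrypts the SOAP body
             and authenticates the caller (here with Windows credentials).
             Protection holds even though the address below is http://. -->
        <binding name="MessageSecuredBinding">
          <reliableSession enabled="true" />        <!-- WS-ReliableMessaging -->
          <security mode="Message">
            <message clientCredentialType="Windows" />
          </security>
        </binding>

        <!-- Transport security, for contrast: protection comes only from TLS,
             so this binding requires an https:// address and a server cert. -->
        <binding name="TransportSecuredBinding">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <client>
      <!-- Hypothetical console-to-server endpoint: message-level encryption over HTTP. -->
      <endpoint name="ExampleServerEndpoint"
                address="http://example-server.internal:8080/ExampleService"
                binding="wsHttpBinding"
                bindingConfiguration="MessageSecuredBinding"
                contract="Example.IExampleService" />
    </client>
  </system.serviceModel>
</configuration>
```

When reviewing such a configuration, the two checks that matter are the `mode` attribute on `<security>` (`Message` or `TransportWithMessageCredential` give WS-Security protection of the payload; `None` would not) and the `clientCredentialType`, which determines how the caller is authenticated before the session keys are negotiated.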
11-27-2013 01:42 PM
Thanks Team!
Collectively, that's all my questions answered.