cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1496
Views
0
Helpful
4
Replies

CPO 3.0 Security Questions

STOps9487
Level 1
Level 1

       Perhaps there is documentation that tells me this, but I only have the changelog and install docs.

I need to submit a design document to our security team before CPO will be allowed to run any of our PROD environments.

I understand that I can configure SSL on the IIS virtual directory to secure connectivity to the web interface.

However, what about connections between the client console and the CPO backend? Is this encrypted?

Are the passwords for runtime users stored securely (encrypted) in the database?

3 Accepted Solutions

Accepted Solutions

Shaun Roberts
Cisco Employee
Cisco Employee

1) you can use SSL for the connection from client to server, you would need to setup a SSL cert on the server and change the port in the server configuration file. (I know there is information in the Northbound Web Services guide as a start, but it's really just about setting up a cert and then change the port and it to https)

2) Yes, all passwords are encrypted into the DB. If you need to know more exacts, please open a TAC case. I'm not sure how much information development would give out, but it would have to be through secure channels.

--shaun

--Shaun Roberts
Principal Engineer, CX
shaurobe@cisco.com

View solution in original post

Von Jones
Level 4
Level 4

You will want to add an SSL certificate to the northbound web service should you use it.  The web services guide I think has this information: http://www.cisco.com/en/US/customer/products/ps11100/products_user_guide_list.html

Configuring Role-based security is in the user's guide at the link above.

There is information in the install guide online regarding hardening the PO servers.

http://www.cisco.com/en/US/customer/products/ps11100/prod_installation_guides_list.html

Per the encryption of secrets such as passwords at rest in the database, this is done using an environment-specific key.  So you cannot just lift the database and expect to get at the data.  This creates some issues for getting a complete backup for disaster recovery.  See the "Managing High Availability and Resiliency" chapter in the 3.0 user's guide.  In prior releases this was in a separate resiliency guide. Encryption uses Microsoft security APIs, same as storage of Windows service passwords. In addition to this, these secrets are never displayed or logged within the product.  See the runtime users and hidden strings concepts in the 3.0 user's guide.

My recollection is that unlike the northbound web service and web UI, the client to server communication is encrypted even without the use of SSL, but I'll leave that for someone else to add details on.

View solution in original post

Correction to the reply on #1.

Shaun Roberts answer is accurate for Northbound Web Service, which explicitly supports HTTP and HTTPS.

Connections between client (main console) and server are already secure, out of the box. The connection uses WS HTTP Binding for communication which "implements the following specifications: WS-Reliable Messaging for reliability, and WS-Security for message security and authentication. The transport is HTTP, and message encoding is text/XML encoding." (from Microsoft documentation)

All messages between client and server are encrypted and the end user cannot configure them to be NOT encrypted.

View solution in original post

4 Replies 4

Shaun Roberts
Cisco Employee
Cisco Employee

1) you can use SSL for the connection from client to server, you would need to setup a SSL cert on the server and change the port in the server configuration file. (I know there is information in the Northbound Web Services guide as a start, but it's really just about setting up a cert and then change the port and it to https)

2) Yes, all passwords are encrypted into the DB. If you need to know more exacts, please open a TAC case. I'm not sure how much information development would give out, but it would have to be through secure channels.

--shaun

--Shaun Roberts
Principal Engineer, CX
shaurobe@cisco.com

Correction to the reply on #1.

Shaun Roberts answer is accurate for Northbound Web Service, which explicitly supports HTTP and HTTPS.

Connections between client (main console) and server are already secure, out of the box. The connection uses WS HTTP Binding for communication which "implements the following specifications: WS-Reliable Messaging for reliability, and WS-Security for message security and authentication. The transport is HTTP, and message encoding is text/XML encoding." (from Microsoft documentation)

All messages between client and server are encrypted and the end user cannot configure them to be NOT encrypted.

Von Jones
Level 4
Level 4

You will want to add an SSL certificate to the northbound web service should you use it.  The web services guide I think has this information: http://www.cisco.com/en/US/customer/products/ps11100/products_user_guide_list.html

Configuring Role-based security is in the user's guide at the link above.

There is information in the install guide online regarding hardening the PO servers.

http://www.cisco.com/en/US/customer/products/ps11100/prod_installation_guides_list.html

Per the encryption of secrets such as passwords at rest in the database, this is done using an environment-specific key.  So you cannot just lift the database and expect to get at the data.  This creates some issues for getting a complete backup for disaster recovery.  See the "Managing High Availability and Resiliency" chapter in the 3.0 user's guide.  In prior releases this was in a separate resiliency guide. Encryption uses Microsoft security APIs, same as storage of Windows service passwords. In addition to this, these secrets are never displayed or logged within the product.  See the runtime users and hidden strings concepts in the 3.0 user's guide.

My recollection is that unlike the northbound web service and web UI, the client to server communication is encrypted even without the use of SSL, but I'll leave that for someone else to add details on.

STOps9487
Level 1
Level 1

Thanks Team!

Collectively, that's all my questions answered.

Review Cisco Networking for a $25 gift card