1571 Views · 15 Helpful · 3 Replies

ISE Encryption Questions

Wade Vick
Cisco Employee

I have some questions about the traffic flows for ISE and encryption.

Source : All ISE Nodes

Destination : All ISE Nodes

Port : TCP 12001

Purpose : ISE Configuration replication

Question : Is this over TLS?

Source : All ISE Nodes

Destination : All ISE Nodes

Port : TCP 7802

Purpose : ISE Configuration replication

Question : Is this over TLS?

Source : Admin&Mon

Destination : Admin&Mon

Port : TCP 1528

Purpose : Oracle DB (Secure JDBC)

Question : Is this over TLS? Need to understand what "secure" means.

Accepted Solution

Craig Hyps
Level 10

JGroups communications over TCP/12001 (global JGroup channel) and TCP/7800 and 7802 (Local JGroup Cluster) all occur over TLS 1.2. Oracle communications over JDBC are also secured via TLS. All current (patched) versions of ISE should address current SSL vulnerabilities including the use of TLS to secure internode communications. Depending on the service, there are some options to deliberately allow weaker protocols and ciphers for backwards compatibility, for example TLS 1.0 or SHA-1 use, but default should be secure (disallow SSL).

/Craig
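A way to verify the answer above on your own deployment is to complete a TLS handshake against each inter-node port and record what the node actually negotiates. This is an added example, not Cisco's or the thread's code; ISE_HOST is a placeholder, and the PASS/WEAK/NO-TLS policy is the "TLS 1.2, disallow SSL" default described in the answer.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional

ISE_HOST = "ise-node.example.invalid"          # placeholder, not a real node
# Inter-node ports named in the thread.
ISE_PORTS = {12001: "JGroups global channel (config replication)",
             7800: "JGroups local cluster", 7802: "JGroups local cluster",
             1528: "Oracle DB over secure JDBC (Admin/Mon only)"}
# Anything below TLS 1.2 is a finding; SSL must be disallowed.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class ProbeResult:
    port: int
    protocol: Optional[str]      # negotiated protocol, None if no TLS handshake
    cipher: Optional[str]
    error: Optional[str] = None


def probe_port(host: str, port: int, timeout: float = 5.0) -> ProbeResult:
    """Complete a TLS handshake and record what the server negotiated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we are checking the protocol, not the chain
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # show what the server allows
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ProbeResult(port, tls.version(), tls.cipher()[0])
    except (OSError, ssl.SSLError) as exc:
        # A node requiring a client certificate (mutual TLS) may abort here; an
        # SSLError still shows TLS is in use, whereas a plain TCP reset does not.
        return ProbeResult(port, None, None, str(exc))


def audit(results: List[ProbeResult]) -> Dict[int, str]:
    """Map each port to a PASS / WEAK / NO-TLS verdict for a quick report."""
    verdicts = {}
    for r in results:
        if r.protocol is None:
            verdicts[r.port] = "NO-TLS: " + (r.error or "no handshake")
        elif r.protocol in WEAK_PROTOCOLS:
            verdicts[r.port] = f"WEAK: {r.protocol} {r.cipher}"
        else:
            verdicts[r.port] = f"PASS: {r.protocol} {r.cipher}"
    return verdicts


if __name__ == "__main__":
    for port, verdict in audit([probe_port(ISE_HOST, p) for p in ISE_PORTS]).items():
        print(f"{port:>5}  {ISE_PORTS[port]:<48} {verdict}")
```

Run it from a host that is allowed to reach the node on these ports; a WEAK verdict means the backwards-compatibility options the answer mentions have been enabled and should be reviewed.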


3 Replies

Hi,

Sorry to wake up an old thread, but which certs are used for the encryption? The certs imported as part of adding the nodes to the primary PAN?

If I wanted to use my own certs from a private CA, is there a guide for this?

Thanks!

hslai
Cisco Employee

The certificates designated with the usage "Admin".