JDBC questions for inter-ISE node traffic

Nadav
Level 7

Hi everyone,

I have a distributed installation of dedicated ISE 2.4 P4 nodes.

According to the latest Installation Guide, the only JDBC traffic is between PAN and MnT on port TCP 1528 (Secure JDBC):

https://www.cisco.com/c/dam/en/us/td/i/400001-500000/420001-430000/425001-426000/425863.jpg

According to this community thread, all traffic between nodes (except syslog where encryption is optional) is necessarily encrypted:

https://community.cisco.com/t5/identity-services-engine-ise/ise-encryption-questions/td-p/3419460

However, in my distributed installation I can clearly see no TCP 1528 traffic has flowed between any of the nodes. On the other hand, there is plenty of TCP 1521 (JDBC) traffic between all nodes to MnT and not just the PAN's as the Installation Guide would have us believe.

Wireshark shows the communication between the different nodes and the MnT node, which doesn't appear encrypted. For example I could see several SQL select statements (and their result sets!), and the connection is performed as "(Protocol=tcp)" rather than "(Protocol=tcps)". According to the following link, "tcps" must be configured for encryption:

https://www.oracle.com/technetwork/database/enterprise-edition/wp-oracle-jdbc-thin-ssl-130128.pdf

1) Can someone explain the installation guide port discrepancies (no TCP 1528, only TCP 1521 and between several nodes)?

2) Is my analysis of JDBC being unencrypted valid? Is this addressed in future releases?

3) Can someone account for what traffic is passed via the JDBC calls (in general)? I can't find it in any of the documentation.

Thanks in advance, I know this thread is a bit long :)

Edit 1: This behaviour persists in ISE 2.4 Patch 5 as well.

Edit 2 (Dec. 2nd 2018): Has anyone replicated the issue on their system? (Unencrypted JDBC traffic from all servers to MnT.)

It's quite a serious issue considering we were told that all traffic between nodes is secure.

Edit 3 (Dec. 11th 2018):

Can someone please weigh in on this matter? All JDBC connections are being performed from all primary and secondary nodes to the MnT nodes (as opposed to documentation which only speaks of PAN to MnT), and all that traffic is in cleartext (as opposed to documentation and previous forum posts stating that it is encrypted).

I can see no open issues on the bug tracker regarding any of this.

2 Replies

Surendra
Cisco Employee
1) The picture does not seem to show 1528. I see 1521. It used to show and was resolved in CSCvj88310.
2) ISE uses HTTPS over TCP 1521 and this traffic should be encrypted by default and should be passed inside the TLS tunnel. Did you by any chance run Wireshark with decrypted traffic using private keys?
3) In general most of them would be queries that are a result of a configuration change on the primary admin node and also the queries ISE makes to get data from the MnT node to display Logs/Reports.

1) It showed 1528 beforehand, good to see someone else spotted it and opened a case.

2) No private keys, I just captured any TCP traffic between dedicated nodes and the dedicated MnT. The port reference shows that only PAN to MnT traffic has JDBC but I've seen it from other personas as well. And it is definitely unencrypted since I can see SQL statements go back and forth with results. If you were to do a packet capture for TCP 1521 between PSNs and MnT, and then reset the PSN, you can see how the session is set up from scratch.

3) Thanks, it's good to document these things.
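The check the original poster describes (inspect the first client packet of a TCP 1521 session for "(Protocol=tcp)" versus "(Protocol=tcps)" and look for readable SQL) can be automated over exported packet payloads. The following is an added example, not code from the thread or from Cisco ISE; the connect descriptors, hosts, ports and service name are constructed, and it assumes the payloads were already extracted from a capture (for example with tshark's data.data field).

```python
import re
from typing import Dict

# Constructed sample descriptors, shaped like the one a JDBC thin client sends
# in its TNS CONNECT packet. Host, ports and service name are made up.
CLEAR_DESCRIPTOR = (
    "(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=1521))"
    "(CONNECT_DATA=(SERVICE_NAME=example_svc)(CID=(PROGRAM=JDBC Thin Client))))"
)
TLS_DESCRIPTOR = (
    "(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.0.0.5)(PORT=1528))"
    "(CONNECT_DATA=(SERVICE_NAME=example_svc)))"
)

_PAIR = re.compile(r"\((\w+)=([^()]*)\)")          # leaf KEY=VALUE pairs
_SQL = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*?\b(FROM|INTO|SET|WHERE)\b",
                  re.IGNORECASE | re.DOTALL)


def parse_descriptor(desc: str) -> Dict[str, str]:
    """Flatten the leaf KEY=VALUE pairs of a TNS connect descriptor."""
    return {k.upper(): v.strip() for k, v in _PAIR.findall(desc)}


def transport_of(desc: str) -> str:
    """'cleartext' for PROTOCOL=tcp, 'tls' for PROTOCOL=tcps, else 'unknown'."""
    proto = parse_descriptor(desc).get("PROTOCOL", "").lower()
    return {"tcp": "cleartext", "tcps": "tls"}.get(proto, "unknown")


def looks_like_clear_sql(payload: bytes) -> bool:
    """True if an SQL statement is readable in the raw TCP payload, which can
    only happen when the session is not wrapped in TLS."""
    text = payload.decode("ascii", errors="ignore")
    return _SQL.search(text) is not None


def audit_first_packet(payload: bytes) -> str:
    """Classify the first client payload of a session on the JDBC port:
    a readable TNS connect descriptor tells us the requested transport; a
    leading 0x16 byte (TLS handshake record) means the socket itself is TLS."""
    text = payload.decode("ascii", errors="ignore")
    m = re.search(r"\(DESCRIPTION=.*\)", text, re.DOTALL)
    if m:
        return transport_of(m.group(0))
    return "tls" if payload[:1] == b"\x16" else "unknown"
```

Running `audit_first_packet` over the first payload of every PSN-to-MnT session on TCP 1521 gives a per-node list of which sessions negotiated tcp versus tcps, and `looks_like_clear_sql` over later payloads confirms whether query text is actually exposed.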