Determining a Security Mode Between Components

You must determine a security mode for communication between your infrastructure components. The security mode of connected producers and consumers must be the same across all components.

The secure communication described applies only in the context of the components that relate to the OpenText container-based application you are using, which is specified in that application's documentation.

When possible, configure the OpenText components with the security mode you intend to use before connecting them to additional ArcSight Platform products.

To enhance security, you can configure TLS Client Authentication between components that do not utilize client username and password authentication, such as producers and consumers connecting to Transformation Hub. With TLS Client Authentication enabled, the client and the server authenticate each other to ensure that both parties involved in the communication are trusted.

Changing the Allow Plain Text, TLS Client Authentication, or FIPS-compliant TLS settings after the deployment will necessitate system downtime.

OpenText product documentation for ArcSight products in the table is available from the OpenText support community.

Unless otherwise indicated in the table below, the ArcSight Platform and the capabilities that deploy to it, communicate with each other using TLS with authentication performed in a manner appropriate for the component.

Product	Preparations Needed	TCP Ports	Supported Security Modes
Standalone ArcMC	Be sure to use v2.9.5 or later. Install ArcMC before the Platform installation.	443 32080	TLS FIPS-Compliant TLS TLS Client Authentication
SmartConnectors and Collectors	You can install and run SmartConnectors and ArcMC onboard connectors before you install the Platform. Or, you can install them after you deploy the Platform. FIPS mode setup is not supported between SmartConnector v7.5 and the Platform. Only TLS and TLS Client Authentication are supported. FIPS mode is supported between Connectors v7.6 and later and the Platform.	9092 (Plain Text) 9093 (TLS)	TLS FIPS-Compliant TLS (SC 7.6+ only) TLS Client Authentication Plain text
ArcSight ESM	You can install and run ESM before you install the Platform. You can change compact mode ESM from TLS to FIPS-compliant TLS after you install ESM. Changing compact mode ESM from FIPS-compliant TLS to TLS requires reinstalling ESM. In distributed mode, the ESM security mode is set at installation time. Any change between TLS and FIPS-compliant TLS requires reinstalling ESM.	9092 (Plain Text) 8443	TLS in ESM Administrator's Guide FIPS-Compliant TLS TLS Client Authentication
ArcSight Logger	You can install and run Logger before you install the Platform.	9092 (Plain Text) 9093 (TLS)	TLS FIPS-Compliant TLS TLS Client Authentication Plain text
ArcSight Database	You install the ArcSight Database before the Platform.	9092 (Plain Text) 9093 (TLS)	Plain text TLS TLS Client Authentication FIPS-Compliant TLS
NFS Server	For optimal security, secure all NFS settings to allow only required hosts to connect to the NFS server.	2049	Plain text
Web Browser	By default, TLS is enabled.	443 5443 3000	TLS
ArcSight Intelligence (HDFS)	Secure HDFS for Intelligence.	30070 (HDFS master) 30820 (HDFS master) 30010 (HDFS datanode) 30210 (HDFS datanode)	TLS FIPS-Compliant TLS TLS Client Authentication Plain Text