Various components of Sentinel communicate across the network, and there are different types of communication protocols used throughout the system. All of these communication mechanisms affect the security of your system.
The communication between Sentinel server, Correlation Engine, and Collector Manager is by default over SSL through ActiveMQ. The processes use the following configuration information in the ${esecurity.config.home}/config/configuration.xml:
```xml
<jms brokerURL="failover://(ssl://${activemq.ip.server}:${activemq.port.userapps}?wireFormat.maxInactivityDuration=30000)?randomize=false"
     interceptors="compression"
     keystore="${esecurity.config.home}/config/.activemqclientkeystore.jks"
     keystorePassword="${sentinel.keystore.password}"
     password-file="${esecurity.config.home}/config/activemqusers.properties"
     username="${activemq.client.username}"/>
```
The jms strategy shown in this XML snippet defines how the Sentinel process connects to the server. This snippet defines the client-side settings of the connection.
Table 3-1 XML Entries in the configuration.xml File

| XML Entry | Description |
|---|---|
| `ssl://` | Indicates that SSL is used for the secure connection. You should not modify this value. |
| `${activemq.ip.server}` | The hostname or IP address where the Java Message Service (JMS) server is running. |
| `${activemq.port.userapps}` | The port that the JMS server is listening on. The default value is 61616. |
| `?wireFormat.maxInactivityDuration=30000)?randomize=false"` | This is where ActiveMQ configuration parameters are passed to the transport mechanism. These entries should be modified only if you are an ActiveMQ expert. |
| `interceptors="compression"` | Enables compression over the connection. You should not modify this value. |
| `keystore="${esecurity.config.home}/config/.activemqclientkeystore.jks"` | The path to the Java keystore that is used to check whether the server is trusted. |
| `keystorePassword="${sentinel.keystore.password}"` | The password to the Java keystore file. |
| `password-file="${esecurity.config.home}/config/activemqusers.properties"` | The location of the file containing the password to present to ActiveMQ for authenticating the connection. |
| `username="${activemq.client.username}"` | The user name to present to ActiveMQ for authenticating the connection. This corresponds to an ActiveMQ user name in the password-file. |
The server-side settings are defined in the <sentinel_installation_path>/etc/opt/novell/sentinel/config/activemq.xml file. For instructions about how to edit the activemq.xml file, see the ActiveMQ Web site. However, modifying the server-side settings is not supported.
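As an added example (not part of the Sentinel product or this guide), the following Python check audits the client-side jms element described in Table 3-1: it unwraps the failover:// URL, confirms every transport inside it uses ssl:// rather than tcp://, and confirms a keystore is configured for server trust. The sample XML is constructed from the snippet above with its ${...} placeholders left unresolved.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the jms element quoted above; the ${...}
# placeholders are left unresolved, exactly as they appear in the file.
SAMPLE_CONFIGURATION_XML = """<configuration>
  <jms brokerURL="failover://(ssl://${activemq.ip.server}:${activemq.port.userapps}?wireFormat.maxInactivityDuration=30000)?randomize=false"
       interceptors="compression"
       keystore="${esecurity.config.home}/config/.activemqclientkeystore.jks"
       keystorePassword="${sentinel.keystore.password}"
       password-file="${esecurity.config.home}/config/activemqusers.properties"
       username="${activemq.client.username}"/>
</configuration>"""

def transport_uris(broker_url):
    """Return the transport URIs wrapped by failover://(...), or the bare
    URI when there is no failover wrapper. Options after the closing
    parenthesis (e.g. ?randomize=false) belong to failover, not the transport."""
    m = re.match(r"failover://\((.*)\)(\?.*)?$", broker_url)
    inner = m.group(1) if m else broker_url
    return [u.strip() for u in inner.split(",") if u.strip()]

def audit_jms(xml_text):
    """Return findings for the client-side <jms> element; an empty list means
    every transport is ssl:// and a keystore for server trust is configured."""
    jms = ET.fromstring(xml_text).find("jms")
    if jms is None:
        return ["no <jms> element found"]
    findings = []
    for uri in transport_uris(jms.get("brokerURL", "")):
        scheme = uri.split("://", 1)[0]
        if scheme != "ssl":
            findings.append(f"transport {uri} uses {scheme}:// instead of ssl://")
    if not jms.get("keystore"):
        findings.append("no keystore attribute: server certificate cannot be checked")
    if jms.get("interceptors") != "compression":
        findings.append("interceptors is not 'compression'")
    return findings
```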
The Sentinel Control Center and Solution Designer client applications use SSL communication through the SSL proxy server by default.
The client applications use SSL by reading the following information in <sentinel_installation_path>/etc/opt/novell/sentinel/config/configuration.xml:
```xml
<strategy active="yes" id="proxied_client" location="com.esecurity.common.communication.strategy.proxystrategy.ProxiedClientStrategyFactory">
  <transport type="ssl">
    <ssl host="10.0.0.1" port="10013" keystore="./novell/sentinel/.proxyClientKeystore" />
  </transport>
</strategy>
```
Perform the following steps on the Sentinel server, Collector Manager, and Correlation Engine:

1. Log in as the novell user.
2. Edit the /opt/novell/sentinel/jdk/jre/lib/security/java.security file.
3. Add TLSv1 to the list of disabled algorithms as follows:

   ```
   jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, MD5withRSA, DH keySize < 768
   ```

4. Restart the Sentinel services.
IMPORTANT: If you are using Agent Manager for host-based data collection, you must use Agent Manager 8.2 or later and enable a higher version of TLS on the Agent Manager server. For steps to enable a higher version of TLS on the Agent Manager server, see Enabling Sentinel Agent Manager to Communicate using TLS 1.2.
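As an added example (not part of the Sentinel product or this guide), the following Python helper verifies the result of the steps above: it parses java.security, including the backslash line continuations that JDK files use for jdk.tls.disabledAlgorithms, reports whether SSLv3 and TLSv1 are missing from the list, and can rewrite the entry in the single-line form shown in step 3. The sample file contents are constructed.

```python
SAMPLE_JAVA_SECURITY = """\
# constructed sample; unrelated properties and comments are ignored
security.provider.1=sun.security.provider.Sun
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \\
    DH keySize < 768
"""

def parse_properties(text):
    """Minimal java.security parser: '#' comments, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def disabled_tls_algorithms(text):
    """The jdk.tls.disabledAlgorithms entries as a list of strings."""
    value = parse_properties(text).get("jdk.tls.disabledAlgorithms", "")
    return [e.strip() for e in value.split(",") if e.strip()]

def missing_protocols(text, required=("SSLv3", "TLSv1")):
    """Protocols that should be disabled but are absent from the list."""
    present = set(disabled_tls_algorithms(text))
    return [p for p in required if p not in present]

def with_tlsv1_disabled(text):
    """Return the file with TLSv1 inserted after SSLv3, written on one line
    as in step 3; continuation lines of the old entry are dropped."""
    entries = disabled_tls_algorithms(text)
    if "TLSv1" in entries:
        return text
    entries.insert(entries.index("SSLv3") + 1 if "SSLv3" in entries else 0, "TLSv1")
    out, skipping = [], False
    for raw in text.splitlines():
        if skipping:                      # swallow continuation lines of the old entry
            skipping = raw.rstrip().endswith("\\")
            continue
        if raw.strip().startswith("jdk.tls.disabledAlgorithms="):
            skipping = raw.rstrip().endswith("\\")
            out.append("jdk.tls.disabledAlgorithms=" + ", ".join(entries))
            continue
        out.append(raw)
    return "\n".join(out) + "\n"
```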
The protocol used for communication between the server and the database is defined by a JDBC driver.
Sentinel uses the PostgreSQL driver to connect to the PostgreSQL database, which is a Java Type IV implementation. This driver supports encryption for data communication.
NOTE: Turning on encryption has a negative impact on the performance of the system. Therefore, this security concern needs to be weighed against your performance needs. The database communication is not encrypted by default for this reason. Lack of encryption is not a major concern because communication with the database occurs over the localhost network interface.
The web server is by default configured to communicate via HTTPS. For more information, see the Jetty documentation.
OpenSearch cluster nodes can be accessed by various clients. Sentinel provides a security plug-in that authenticates and authorizes access to OpenSearch. The plug-in uses either a SAML token or a whitelist for validation depending on how the clients connect. For more information about securing OpenSearch using this plug-in, see Configuring OpenSearch for Event Visualization in the Sentinel Installation and Configuration Guide.
You can configure the PostgreSQL SIEM database to allow connections from any client computer that uses pgAdmin or another third-party application.
The PostgreSQL database is compiled with the --with-openssl flag. You can configure it to use encrypted communication, although that is not the default setting. Typically all database communication in Sentinel is performed locally and not over the network.
To allow pgAdmin to connect from any client computer, add the following line to the /var/opt/novell/sentinel/3rdparty/postgresql/data/pg_hba.conf file:

```
host all all 0.0.0.0/0 md5
```

If you want to limit which clients are allowed to connect to the database through pgAdmin, replace 0.0.0.0/0 in the line above with the IP address of the permitted host. The following line in the pg_hba.conf file tells PostgreSQL to accept connections only from the local computer, so that pgAdmin can run only on the server:

```
host all all 127.0.0.1/32 md5
```
To allow connections from other client computers, you can add additional host entries in the pg_hba.conf file.
To provide maximum security, by default, PostgreSQL only allows connections from the local computer.
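As an added example (not part of the Sentinel product or this guide), the following Python check reads pg_hba.conf rules and flags the open 0.0.0.0/0 entry, any non-loopback network, and any rule that uses the trust method; it assumes the CIDR address form shown above and skips local (socket) rules. The sample file is constructed from the two lines quoted above plus a trust rule.

```python
import ipaddress

# Constructed sample pg_hba.conf: the two host lines quoted above plus a
# trust entry, so that each check is exercised.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   md5
host    all       all   0.0.0.0/0      md5
host    all       all   10.0.0.0/8     trust
"""

def parse_pg_hba(text):
    """Yield (type, database, user, address, method) per rule; 'local'
    rules have no address column. Only the CIDR address form is handled."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            yield (f[0], f[1], f[2], None, f[3])
        elif f[0].startswith("host") and len(f) >= 5:
            yield (f[0], f[1], f[2], f[3], f[4])

def audit_pg_hba(text):
    """Return findings for rules that open the SIEM database beyond
    localhost or skip password authentication."""
    findings = []
    for typ, db, user, addr, method in parse_pg_hba(text):
        if addr is None:
            continue
        rule = f"{typ} {db} {user} {addr} {method}"
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            findings.append(f"{rule}: address is not a CIDR network")
            continue
        if net.prefixlen == 0:
            findings.append(f"{rule}: accepts connections from any client")
        elif not net.is_loopback:
            findings.append(f"{rule}: accepts connections from non-local network {net}")
        if method == "trust":
            findings.append(f"{rule}: 'trust' skips authentication entirely")
    return findings
```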
From the 8.6 version of Sentinel, the built-in OpenSearch is bundled with an X-Pack security plug-in out of the box. The X-Pack plug-in is an Elastic Stack extension that provides security and other capabilities. With this change, Sentinel now communicates with OpenSearch (which is used to store alerts and event data) only over SSL. All OpenSearch node-to-node cluster communication is also now mandated over SSL, making data transfer across OpenSearch nodes more secure. This enhanced security setting is mandated from Sentinel 8.4.0.0 onwards, and users are expected to complete a few manual steps, such as certificate configuration, as part of their install or upgrade process. For more information about securing communication with OpenSearch, see the Configuring OpenSearch for Event Visualization section.