The various components of Sentinel communicate across the network, and there are different types of communication protocols used throughout the system. All of these communication mechanisms affect the security of your system.
Sentinel processes include the Sentinel server, Correlation Engine, and Collector Manager. They communicate with each other by using ActiveMQ.
The communication between these server processes is by default over SSL via the ActiveMQ message bus. The processes use SSL by reading the following information in /etc/opt/novell/sentinel/config/configuration.xml:
<jms brokerURL="failover://(ssl://localhost:${activemq.port.userapps}?wireFormat.maxInactivityDuration=30000)?randomize=false" interceptors="compression" keystore="${esecurity.config.home}/etc/opt/novell/sentinel/config/.activemqclientkeystore.jks" keystorePassword="password" password-file="${esecurity.config.home}/etc/opt/novell/sentinel/config/activemqusers.properties" username="system"/>
The jms strategy shown in this XML snippet defines how the Sentinel process connects to the server. This snippet defines the client-side settings of the connection.
Table 4-1 XML Entries in the configuration.xml File
XML Entry |
Description |
---|---|
ssl:// |
Indicates that SSL is used for secure connection. You should not modify this value. |
localhost |
The hostname or IP address where the Java message service (JMS) server is running. |
61616 |
The port that the JMS server is listening on. |
?wireFormat.maxInactivityDuration=0&jms.copyMessageOnSend=false |
This is where ActiveMQ configuration parameters are passed to the transport mechanism. These entries should be modified only if you are an expert in ActiveMQ. |
interceptors="compression" |
Enables compression over the connection. You should not modify this value. |
keystore="/etc/opt/novell/sentinel/config/.activemqclientkeystore.jks" |
The path to the Java keystore, which is used to check if the server is trusted. |
keystorePassword="password" |
The password to the Java keystore file. |
password="1fef3bcdd3fbcbc5cd795346a9f04ddc" |
The password to present to ActiveMQ for authenticating the connection. This corresponds to a password in the /etc/opt/novell/sentinel/config/activemqusers.properties file. |
username="system" |
The username to present to ActiveMQ for authenticating the connection. This corresponds to a username in the /etc/opt/novell/sentinel/config/activemqusers.properties file. |
The server-side settings are defined in the /etc/opt/novell/sentinel/config/activemq.xml file. For instructions on how to edit the activemq.xml file, see the ActiveMQ Web site. However, NetIQ does not support modifying of the server-side settings.
The Sentinel Control Center and Solution Designer client applications use SSL communication through the SSL proxy server by default.
The client applications uses SSL by reading the following information in /etc/opt/novell/sentinel/config/configuration.xml:
<strategy active="yes" id="proxied_client" location="com.esecurity.common.communication.strategy.proxystrategy.ProxiedClientStrategyFactory"> <transport type="ssl"> <ssl host="10.0.0.1" port="10013" keystore="./novell/sentinel/.proxyClientKeystore" /> </transport> </strategy>
The protocol used for communication between the server and the database is defined by a JDBC driver.
Sentinel uses the PostgreSQL driver (postgresql-version.jdbc3.jar) to connect to the PostgreSQL database, which is a Java (Type IV) implementation. This driver supports encryption for data communication. To download the driver, refer to the PostgreSQL Download Page. To configure the encryption, refer to PostgreSQL Encryption Options.
NOTE:Turning encryption on has a negative impact on the performance of the system. Therefore, this security concern needs to be weighed against your performance needs. The database communication is not encrypted by default for this reason. Lack of encryption is not a major concern because communication with the database occurs over the localhost network interface.
The Web server is by default configured to communicate via HTTPS. For more information, see the Jetty documentation.
You can configure the PostgreSQL SIEM database to allow connections from any client machine that uses pgAdmin or another third-party application.
The PostgreSQL database is compiled with the --with-openssl flag. You can configure it to use encrypted communication, although that is not the default setting. Typically all database communication in Sentinel is performed locally and not over the network.
To allow pgAdmin to connect from any client machine, add the following line in the /var/opt/novell/sentinel/3rdparty/postgresql/data/pg_hba.conf file:
host all all 0.0.0.0/0 md5
If you want to limit the client connections that are allowed to run and connect to the database through pgAdmin, specify the IP address of the host in the above line. The following line in the pg_hba.conf file is an indicator to PostgreSQL to accept connections from the local machine so that pgAdmin is allowed to run only on the server.
host all all 127.0.0.1/32 md5
To allow connections from other client machines, you can add additional host entries in the pg_hba.conf file.
To provide maximum security, by default, PostgreSQL only allows connections from the local machine.