The domain managers have the capability to communicate over many transport protocols. Smarts and Watch4net supports 1.0, 1.1 and 1.2 versions of TLS (Transport Layer Security). SSLv3 is strictly not allowed due to security vulnerabilities such as the POODLE vulnerability.
The latest version uses TLSv1.2, while some of the past versions used TLSv1.1 and TLSv1.0. Before that, client server interaction was done over proprietary implementations of some of the popular cryptographic protocols such as Diffie-Hellman key exchange, AES, and so on, as well as in "cleartext" mode (with no encryption). For enhanced security, the user should configure to choose the most secure protocols and disable the weak protocols, keeping backward compatibility in mind. This can be achieved by using a combination of the following environment variables:
- SM_TLS_PROTOCOLS
- Configure which versions of TLS protocols to allow and disallow. Without this flag, only TLS1.2 is allowed. For example, only to illustrate the point and recommend a configuration, SM_TLS_PROTOCOLS=-TLSv1.2,+TLS1.0,+TLS1 will disallow TLS1.2 and allow TLSv1.1 and TLSv1.0.
- SM_ALLOW_LEGACY_CRYPTO
- Set this environment variable to TRUE to allow communication in non-FIPS mode using the proprietary protocols. Without this flag, all proprietary protocols including cleartext mode are disabled. Once enabled, it is possible to choose different levels of security within the set of proprietary protocols using the SM_INCOMING_PROTOCOL and SM_OUTGOING_PROTOCOL environment variables. The System Administration Guide provides details on these protocols. This setting has no effect in FIPS mode since the proprietary protocols are strictly disabled in FIPS mode.
- SM_TLS_SUITE_LIST
- A colon-separated list of the cipher suites that are allowed in TLS communication. A cipher suite is a suite of cryptographic algorithms used to provide encryption, integrity and authentication. This environment variable needs to be used only if some vulnerability is found on some cryptographic function, which must be disabled. By default, supports many cipher suites. The current preferred cipher suite uses RSA algorithm for Key-Exchange, RSA algorithm for Signature, AES-GCM(256) for encryption and SHA384 for message digest. The supported list of cipher suites, and the order in which they are prioritized, may change with each release. Contact customer support to get information on other supported cipher suites.
As of release 9.4, the following environment variables are set by default in new product installations in the BASEDIR/smarts/local/conf/runcmd_env.sh file:
- SM_ALLOW_LEGACY_CRYPTO=TRUE
- SM_TLS_PROTOCOLS=+TLSv1.1
Depending on your deployment, ensure that the BASEDIR/smarts/local/conf/runcmd_env.sh file includes the environment variables, SM_TLS_PROTOCOLS and SM_ALLOW_LEGACY_CRYPTO.
Use SM_TLS_PROTOCOLS set to the +TLSv1.1 value only if you need to interoperate with products based on Foundation 9.0.0.0 Build 1345 through 9.2.x.
Use SM_ALLOW_LEGACY_CRYPTO set to TRUE only if you need to interoperate with products based on Foundation versions prior to 9.0.0.0 Build 1345 and if your deployment includes EMC M&R.
