Security settings in the Appliance

Contents

Security settings in the Appliance

Overview

The Appliance uses standard mechanisms for authentication and security:

  • Connections to the CLI of the Appliance are established through OpenSSH, which is the SSH implementation installed in the operating system of the Appliance.
  • Connections to the Portal are managed by the security layer of the underlying Java implementation.
  • Connections to the Web Console and the Web API of the Engine are encrypted and authenticated with TLS.

Starting from V6.17, the Appliance hardening ensures that the ciphers and algorithms negotiated by the security protocols in the Appliance are currently considered strong. Starting from V6.20, the Web Console admits TLS 1.2 only.

Legacy browsers still in use within your organization may require though the use of protocols, ciphers and algorithms that are no longer considered secure. Nexthink recommends that you update your software so that it implements the latest security mechanisms. Nevertheless, in case that you cannot easily replace your legacy browsers, find below how to configure the Portal and the Engine to support security protocols that are not strong enough to be enabled by default.

Portal secure protocols and ciphers

By default, the Portal supports TLS 1.1 and TLS 1.2 as security protocols. Most modern browsers and operating systems are able to use these protocols to secure their communications over the Internet. Associated to these protocols, the Portal also supports a default set of cipher suites (considered strong) to negotiate the security settings of a connection.

However, users of Internet Explorer in either Windows Vista or Windows XP, for instance, are limited to TLS 1.0. Therefore, if you want the Portal to support TLS 1.0, you must add it to the list of supported protocols in the configuration file of Nginx, the reverse proxy component of the Portal that handles the connections.

To change the supported protocols and cipher suites:

  1. Log in to the CLI of the Appliance hosting the Portal.
  2. Edit the SSL configuration file of Nginx:
    sudo vi /var/nexthink/nxnginx/conf.d/ssl.conf.overrides
  3. Type in the names of the supported protocols and cipher suites in the entries:
    • ssl_protocols
    • ssl_ciphers
  4. Save the file and exit by typing:
    :wq
  5. Restart Nginx:
    sudo systemctl restart nginx

For instance, these are the protocols and cipher suites supported by default:

ssl_protocols   TLSv1.1 TLSv1.2;
ssl_ciphers     "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
                 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
                 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW
                 !3DES !MD5 !EXP !PSK !SRP !DSS";

To support the protocol TLS 1.0 in addition to the default protocols TLS 1.1 and TLS 1.2, substitute the entry of included protocols for:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Conversely, to exclusively support TLS 1.2 for improved security, replace the entry by:

ssl_protocols TLSv1.2;

Specify the names of supported ciphers in the format understood by the OpenSSL library. See the full list of supported ciphers with the command:

openssl ciphers

Engine secure protocols and ciphers

To secure the communications through the Web API, the Engine supports by default both TLS 1.1 or TLS 1.2 and a set of ciphers considered strong. These security settings are also valid for the query interface with the Finder and the Portal, as well as for the LDAP and the Application Library clients.

The security settings are configurable in the ssl section of the configuration file /var/nexthink/engine/01/etc/nxengine.xml. If they are not specified, their configuration is equivalent to the following values:

<config>
   <engine>
      ...
      <ssl>
         <ciphers>ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256,
         ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES128-SHA,DHE-RSA-AES256-GCM-SHA384,
         DHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-SHA,DHE-RSA-AES128-SHA,
         AES256-SHA,AES128-SHA</ciphers>
         <protocols>tlsv1.1,tlsv1.2</protocols>
      </ssl>
      ...
   </engine>
</config>

To configure a different set of supported ciphers and protocols, modify each element in the ssl section:

ciphers
List of ciphers supported by the Engine. Specify the names of the ciphers in the format accepted by openssl. Separate each supported cipher either by a colon ':' or a comma ',' delimiter. To see the list of all the available ciphers that you can choose from, log in to the CLI of the Engine and type: openssl ciphers.
protocols
List of supported protocols, separated by comma ',' delimiters.

For instance, to support old browsers, enable protocols SSL 3.0 and TLS 1.0:

<ssl>
<protocols>sslv3,tlsv1,tlsv1.1,tlsv1.2</protocols>
</ssl>

Note that there is no need to modify the ciphers, since these protocols can use AES256-SHA and AES128-SHA, which are allowed by default.

Web Console secure protocols and ciphers

The Web Console admits clients to connect only through TLS 1.2 by default.

To change the list of protocols and ciphers in the Web Console:

  1. Log in to the CLI of the Appliance that hosts the Web Console.
  2. Edit the configuration file of the web server that provides the communication to the Web Console:
    sudo vi /var/nexthink/console/etc/lighttpd.conf
  3. Locate in the file the line with the comment that indicates the start of the SSL section:
    #### SSL engine
  4. Replace the default settings by the desired protocols and ciphers. Use the options and syntax of the underlying Lighttpd web server.
  5. Save your changes and exit by typing:
    :wq
  6. Restart the Web Console:
    sudo systemctl restart nxconsole
The operations described in this article should only be performed by a Nexthink Engineer or a Nexthink Certified Partner.

If you need help or assistance, please contact your Nexthink Certified Partner.
Related references