
2014 IBM Corporation

IBM License Metric Tool 9.x & Software Use Analysis 9.x Security
27th Questions & Answers

Version 1.0.1

This is the 27th Q&A event prepared by the IBM License Metric Tool Central Team (ICT)
Currently we focus on version 9.x of IBM License Metric Tool (ILMT)
The content of today's session also applies to Software Use Analysis (SUA) in version 9.x
The session is for all ILMT users: IBMers, Business Partners and Customers
The teleconference is set to mute. Use the web conference chat to communicate with the ILMT subject matter experts
The presentation is recorded and will soon be available to watch on the ILMT YouTube channel as well as to download from the ILMT Wiki

ICT: LMTHelp@us.ibm.com

Created by ILMT Central Team


LMTHelp@us.ibm.com
https://ibm.biz/ILMT_Forum
https://ibm.biz/ILMT_Wiki
https://ibm.biz/ILMT_YouTube

https://ibm.biz/ILMT_Twitter
https://ibm.biz/ILMT_LinkedIn


Flow of data
Configuring secure communication
Federal Information Processing Standard (FIPS)
Standard 140-2
Recommendation SP 800-131

Managing a certificate
Existing certificate authority (CA)
Private certificate authority

Authenticating users with Lightweight Directory Access Protocol (LDAP)
Demo
Questions & Answers
Survey

Security Requirements

http://www-01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Adm/c_security_requirements.html

Security Configuration Scenarios

http://www01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Adm/c_scenarios_sha2_installation.html

Client Authentication

http://www01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Console/ClientAuthentication.html%23ClientAuthentication

Managing Client Encryption

http://www01.ibm.com/support/knowledgecenter/SSKLLW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Config/c_managing_client_encryption.html

A digital certificate is a signed public key that is accompanied by information about the key owner
The public key always has a private key that is associated with it
The License Metric Tool server can use SSL if the server possesses both the certificate and the private key that is associated with it
Security of your access to the web console of License Metric Tool depends on the security of the digital certificate, and its private key, that the server uses for protecting the communication
By default, SSL is enabled on the server; however, the initial configuration is based on a temporary self-signed certificate and is not intended to be used in the production environment
The initial certificate should be replaced with a server certificate that is signed by a certificate authority (CA) that you trust

Federal Information Processing Standards (FIPS) are standards and guidelines that are issued by the National Institute of Standards and Technology (NIST) for federal government computer systems
You can configure License Metric Tool to be compliant with the Federal Information Processing Standard requirements that are related to encryption

http://csrc.nist.gov/

FIPS 140-2 is the standard that defines the security requirements for cryptographic modules that are used within a system that handles sensitive but unclassified information
Compliance with FIPS 140-2 has two aspects that affect ILMT:
  the algorithms that are used to manage sensitive data must be FIPS-approved
  a FIPS-approved implementation must be used when data is transmitted with SSL/TLS

http://csrc.nist.gov/publications/PubsFIPS.html

IBM License Metric Tool 9.0 uses the FIPS 140-2 approved cryptographic providers for cryptography:
  IBMJCEFIPS (certificate 376)
  IBMJSSEFIPS (certificate 409)
  IBM Crypto for C (ICC) (certificate 384)

http://csrc.nist.gov/publications/PubsFIPS.html

At the start of the 21st century, the National Institute of Standards and Technology (NIST) began the task of providing cryptographic key management guidance, which includes defining and implementing appropriate key management procedures, using algorithms that adequately protect sensitive information, and planning ahead for possible changes in the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques
NIST Special Publication (SP) 800-57, Part 1 was the first document produced in this effort, and includes a general approach for transitioning from one algorithm or key length to another
This Recommendation (SP 800-131A) provides more specific guidance for transitions to the use of stronger cryptographic keys and more robust algorithms

http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

SP 800-131 requires longer key lengths and stronger cryptography
The SP 800-131 specification also provides a transition configuration to enable users to move to a strict enforcement of SP 800-131
The transition configuration also enables users to run with a mixture of settings from both FIPS 140-2 and SP 800-131
SP 800-131 can be run in two modes:
  transition
  strict
The transition mode is offered to give you a setting to move your environment to SP 800-131 strict mode
In transition mode, it is optional to use the SP 800-131 required certificates and to set the protocol to SP 800-131

The following requirements must be fulfilled to allow for the strict enforcement of SP 800-131:
  The use of the TLS version 1.2 protocol for the Secure Sockets Layer (SSL) context
  Certificates must have a minimum length of 2048 bytes. An Elliptic Curve (EC) certificate requires a minimum size of 244-bit curves
  Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512
  Valid signature algorithms include:
    SHA256 with RSA
    SHA384 with RSA
    SHA512 with RSA
    SHA256 with ECDSA
    SHA384 with ECDSA
    SHA512 with ECDSA
  SP 800-131 approved cipher suites
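
A check for two of the strict-mode requirements above, as an added example that is not part of the original presentation: it reads a PEM certificate with the openssl command-line tool and tests its signature algorithm against the six listed names and, for RSA keys, the key size against 2048 as openssl reports it. The function names and the throwaway test certificates are assumptions made for the illustration; the TLS 1.2 and cipher-suite requirements and EC key sizes are not checked.

```shell
#!/bin/sh
# Added example (not from the slides): check a PEM certificate against the
# key-size and signature-algorithm requirements listed above.
# Key size is checked for RSA keys only, in bits as openssl reports it.

# cert_sig_alg CERT: signature algorithm name as openssl prints it.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/Signature Algorithm:/{s/.*Signature Algorithm: *//p;q;}'
}

# cert_key_bits CERT: public key size in bits.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/Public-Key: (/{s/.*Public-Key: (\([0-9]*\) bit).*/\1/p;q;}'
}

# sig_alg_ok NAME: true for the six listed SHA-2 signature algorithms.
sig_alg_ok() {
    case "$1" in
        sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) return 0 ;;
        ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) return 0 ;;
    esac
    return 1
}

# check_strict CERT: print findings, return 0 only when nothing failed.
check_strict() {
    alg=$(cert_sig_alg "$1"); bits=$(cert_key_bits "$1"); rc=0
    sig_alg_ok "$alg" || { echo "FAIL signature algorithm: ${alg:-unreadable}"; rc=1; }
    if openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'Public Key Algorithm: rsaEncryption'; then
        [ "${bits:-0}" -ge 2048 ] || { echo "FAIL RSA key size: ${bits} bits"; rc=1; }
    else
        echo "NOTE no RSA public key found: key size not checked"
    fi
    [ "$rc" -eq 0 ] && echo "PASS ${alg}, ${bits}-bit key"
    return "$rc"
}

# make_test_cert FILE BITS DIGEST: throwaway self-signed RSA certificate.
make_test_cert() {
    openssl req -x509 -newkey "rsa:$2" -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=constructed.example.test" -days 1 "-$3" 2>/dev/null
}
# Demo on constructed certificates: a 2048-bit and a 1024-bit RSA key.
tmp=$(mktemp -d)
make_test_cert "$tmp/ok.pem" 2048 sha256 && check_strict "$tmp/ok.pem"
make_test_cert "$tmp/weak.pem" 1024 sha256 && check_strict "$tmp/weak.pem"
rm -rf "$tmp"
```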

The IBM License Metric Tool profile can be set up to meet the SP 800-131 requirement that originates from the National Institute of Standards and Technology
You can configure License Metric Tool to run in SP 800-131 strict or transition mode

When you configure security settings, ensure that the combination of security modes that you set up on the side of Endpoint Manager and License Metric Tool is supported

Legend:

- the mode is enabled


ANY - the mode is either enabled or disabled

The self-signed certificate that is provided with License Metric Tool is not intended to be used in the production environment
Replace it with a certificate that is signed by a certificate authority (CA) of your choice
To have a certificate, you need to generate a private key, a public key, and a certificate signing request (CSR) that is associated with the public key
Next, a certificate authority must sign this request. There are two ways to get a certificate signing request signed:
  send it to an existing certificate authority, e.g.
    Entrust
    Verisign
    CA of your organization
  create a private CA

Existing certificate authority (CA)

You can use an existing CA to sign your certificate signing request (CSR)
The root certificates of popular CAs are imported into new web browsers by default

Private certificate authority

You can create a private CA and use it for signing the CSR
A private CA can be created on any computer with an operating system that supports OpenSSL
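
The private-CA route described above, as an added example that is not part of the original presentation: it creates a private CA with OpenSSL, generates a server key and CSR, has the CA sign the CSR, and verifies the result. File names, subject names, the host name ilmt.example.test, the 30-day lifetime and the function names are assumptions; importing the signed certificate into License Metric Tool is not shown.

```shell
#!/bin/sh
# Added example (not from the slides): private CA -> key + CSR -> signed cert.
# File names, subject names and the 30-day lifetime are illustrative assumptions.

# build_chain DIR HOST: write ca.* and server.* files into DIR.
build_chain() {
    dir=$1; host=$2
    # X.509 extensions: one set marks the CA, the other the server certificate.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$dir/server.ext"

    # 1. Private CA: key pair, then a self-signed CA certificate.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.csr" -subj "/CN=Example Private CA" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 -days 30 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1

    # 2. Server: private key, public key, and the CSR that carries the public key.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -subj "/CN=$host" 2>/dev/null || return 1

    # 3. The CA signs the CSR; only the CSR has to be handed to the CA.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 30 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# chains_to CA CERT: true when CERT verifies against CA as the trust anchor.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# is_self_signed CERT: a self-signed certificate verifies against itself.
is_self_signed() { chains_to "$1" "$1"; }

# Demo on throwaway files (constructed host name).
demo=$(mktemp -d)
if build_chain "$demo" ilmt.example.test; then
    chains_to "$demo/ca.crt" "$demo/server.crt" && echo "server.crt chains to the private CA"
    is_self_signed "$demo/server.crt" || echo "server.crt is not self-signed"
fi
rm -rf "$demo"
```

Clients trust the resulting server certificate only after the private CA certificate (ca.crt here) has been added to their trust stores.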

Lightweight Directory Access Protocol (LDAP) is a set of client/server protocols for accessing and managing information directories
LDAP supports the TCP/IP protocol for communication and uses simple string formats for data transfer
LDAP is cross-platform and standards-based, therefore applications do not need to worry about the type of server hosting the directory
LDAP is a simplified variation of the X.500 Directory Access Protocol

IBM License Metric Tool (ILMT) 9.0 supports authentication through a Lightweight Directory Access Protocol (LDAP) server
ILMT server configuration consists of a few steps:
  Creation of a directory that the application would link to
  Creation of a user that would link to the created directory
  Integration of users with ILMT using the LDAP protocol
  Integrating users with Web Reports
