

Encryption in Top Secret Environments

For customers who need encryption in a top secret environment, we recommend that you first install the manager, change the default policy for the cipher preferences so that only AES-256 is in the list, and set the property DSM/common components/encryption/compatibility/pre_11_2 to "False".

As soon as the configuration change takes place at the agent on the manager system (that is, the configuration job has finished), it is safe to install additional scalability servers.

At the scalability server level, you must check whether the cipher list has been distributed by typing the following commands:

ccnfcmda -cmd GetParameterValue -ps itrm/common/encryption/cipherpreferences -pn cipher0
ccnfcmda -cmd GetParameterValue -ps itrm/common/encryption/cipherpreferences -pn cipher1
ccnfcmda -cmd GetParameterValue -ps itrm/common/encryption/cipherpreferences -pn cipher2
ccnfcmda -cmd GetParameterValue -ps itrm/common/encryption/cipherpreferences -pn cipher3

Cipher 0 should contain AES-256, and the other ciphers should be empty. The same commands can be run at the manager level or agent level to check whether the cipher configuration has already arrived.
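
The check described above, written as a script. This is an added example and not part of the product documentation. It assumes that ccnfcmda prints the bare parameter value on standard output and that the value is spelled AES-256 as on this page; the function names read_cipher, trim and check_cipher_list are hypothetical.

```shell
#!/bin/sh
# Added example: confirm the AES-256-only cipher list has arrived on this host.
# Assumptions: ccnfcmda prints the bare parameter value on stdout, and the
# value is spelled "AES-256" as on this page. Adjust both to your installation.
SECTION="itrm/common/encryption/cipherpreferences"
EXPECTED="AES-256"

# Read one cipher slot (0..3). Hypothetical helper name.
read_cipher() {
    ccnfcmda -cmd GetParameterValue -ps "$SECTION" -pn "cipher$1" 2>/dev/null
}

# Drop whitespace and carriage returns so the comparison is exact.
trim() { printf '%s' "$1" | tr -d ' \t\r\n'; }

# Returns 0 only when cipher0 is EXPECTED and cipher1..cipher3 are empty.
# A missing or failing ccnfcmda yields an empty cipher0, so the check fails closed.
check_cipher_list() {
    rc=0
    for i in 0 1 2 3; do
        val=$(trim "$(read_cipher "$i")")
        if [ "$i" -eq 0 ]; then
            [ "$val" = "$EXPECTED" ] || {
                echo "cipher0 is '$val', expected '$EXPECTED'" >&2; rc=1; }
        else
            [ -z "$val" ] || {
                echo "cipher$i is '$val', expected empty" >&2; rc=1; }
        fi
    done
    return "$rc"
}

# Run the check only when asked, for example: sh check_ciphers.sh --check
case "${1:-}" in
    --check)
        if check_cipher_list; then
            echo "Cipher list is AES-256 only."
        else
            echo "Cipher list is not yet in place." >&2
            exit 1
        fi ;;
esac
```

A non-zero exit status means the configuration has not arrived yet, so the script can gate an automated agent rollout.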

Now it is safe to install agents that point to that server. The agents will use AES-256 encryption for their communication right away.

As soon as the common configuration has been distributed to the agents, they too have only AES-256 in their cipher list and fail to communicate when contacted with any other cipher.