How do I update the supported NFM-P TLS versions and ciphers?

Purpose
CAUTION 

CAUTION

Service Disruption

Updating the TLS version and cipher support requires a complete NFM-P system shutdown, which creates a network management outage.

Perform the procedure only during a scheduled maintenance period of sufficient duration with the guidance of technical support.

Outdated TLS versions or ciphers present a security risk. Perform this procedure to update the lists of supported TLS versions and ciphers in an NFM-P system.

Note: An NFM-P system upgrade replaces the current TLS version and cipher support settings with the defaults for the new release. After an upgrade, you may need to reconfigure the settings.

Note: You require the following user privileges:

  • on each main, auxiliary, and NSP analytics server station — root, nsp

  • on each NSP Flow Collector station — root

  • on each main database station — root, Oracle management user

Note: The Oracle management user and group names are specified during database installation; the default is ‘oracle’ in the ‘dba’ group.

Note: The following RHEL CLI prompts in command lines denote the active user, and are not to be included in typed commands:

  • # —root user

  • bash$ —nsp, Oracle management users

Steps
Prepare new cipher and TLS files
 

Log in to the standalone or primary NFM-P main server station as the nsp user.


Enter the following:

bash$ cd /opt/nsp/nfmp/server/nms/bin/security_management/ssl ↵


Enter the following to create the default cipher list file:

bash$ ./ciphers_and_tls_update.bash create -cdc default-ciphers-file ↵


Enter the following to create the default TLS list file:

bash$ ./ciphers_and_tls_update.bash create -cdt default-TLS-file ↵


Enter the following to copy the default ciphers file to a new file:

bash$ cp default-ciphers-file new_ciphers_file ↵

where new_ciphers_file is the name to assign to the new ciphers file


Open new_ciphers_file using a plain-text editor such as vi.


Edit the file to remove any unsupported ciphers.


Save and close the file.


Enter the following to copy the default TLS file to a new file:

bash$ cp default-TLS-file new_TLS_file ↵

where new_TLS_file is the name to assign to the new TLS file


10 

Open new_TLS_file using a plain-text editor such as vi.


11 

Edit the file to remove any unsupported TLS versions.

Note: You must not remove TLSv1.2.

Note: TLSv1.0 and TLSv1.1 are deprecated in IETF RFC draft-ietf-tls-oldversions-deprecate-06.


12 

Save and close the file.


Distribute files to system components
 
13 

If the NFM-P system is redundant, distribute the required files to the standby main server station.

  1. Log in to the standby main server station as the root user.

  2. Enter the following:

    cd /opt/nsp/nfmp/server/nms/bin/security_management/ssl ↵

  3. Copy the following files from the primary main server station to the current directory:

    • /opt/nsp/nfmp/server/nms/bin/security_management/ssl/new_ciphers_file

    • /opt/nsp/nfmp/server/nms/bin/security_management/ssl/new_TLS_file


14 

If the system includes one or more auxiliary servers, distribute the required files to each auxiliary server station.

  1. Log in to the auxiliary server station as the root user.

  2. Enter the following:

    cd /opt/nsp/nfmp/auxserver/nms/bin/security_management/ssl ↵

  3. Copy the following files from the standalone or primary main server station to the current directory:

    • /opt/nsp/nfmp/server/nms/bin/security_management/ssl/new_ciphers_file

    • /opt/nsp/nfmp/server/nms/bin/security_management/ssl/new_TLS_file

  4. Enter the following:

    chown nsp:nsp new_ciphers_file

  5. Enter the following:

    chown nsp:nsp new_TLS_file


15 

If the system includes one or more NSP Flow Collectors or analytics servers, distribute the required files to each NSP Flow Collector station, and to each analytics server station.

  1. Log in to the station as the nsp user.

  2. Enter the following:

    bash$ mkdir /opt/nsp/cipher_update ↵

  3. Enter the following to switch to the root user

    su ↵

  4. Copy the following files from the standalone or primary main server station to the /opt/nsp/cipher_update directory:

    • /opt/nsp/nfmp/server/nms/bin/security_management/ssl/ciphers_and_tls_update.bash

    • /opt/nsp/nfmp/server/nms/bin/security_management/ssl/new_ciphers_file

    • /opt/nsp/nfmp/server/nms/bin/security_management/ssl/new_TLS_file

  5. Enter the following:

    chmod a+x /opt/nsp/cipher_update/ciphers_and_tls_update.bash ↵


16 

Distribute the required files to each main database station.

  1. Log in to the main database station as the Oracle management user.

  2. Enter the following:

    bash$ mkdir ~user/cipher_update ↵

    where user is the name of the Oracle management user

  3. Enter the following to switch to the root user:

    su ↵

  4. Copy the following files from the standalone or primary main server station to the ~user/cipher_update directory, where user is the name of the Oracle management user:

    • /opt/nsp/nfmp/server/nms/bin/security_management/ssl/ciphers_and_tls_update.bash

    • /opt/nsp/nfmp/server/nms/bin/security_management/ssl/new_ciphers_file

    • /opt/nsp/nfmp/server/nms/bin/security_management/ssl/new_TLS_file

  5. Enter the following:

    chown -R user:group ~user/cipher_update/ ↵

    where

    user is the Oracle management user name

    group is the Oracle management user group

  6. Enter the following:

    chmod a+x ~user/cipher_update/ciphers_and_tls_update.bash ↵

    where user is the Oracle management user name


Stop NFM-P system
 
17 

Close the open client sessions.

  1. Open an NFM-P GUI client using an account with security management privileges, such as admin.

  2. Choose Administration→Security→NFM-P User Security from the main menu. The NFM-P User Security - Security Management (Edit) form opens.

  3. Click on the Sessions tab.

  4. Click Search. The form lists the open GUI and XML API client sessions.

  5. Identify the GUI session that you are using based on the value in the Client IP column.

  6. Select all sessions except for the session that you are using.

  7. Click Close Session.

  8. Click Yes.

  9. Click Search to refresh the list and verify that only the current session is open.

  10. Close the NFM-P User Security - Security Management (Edit) form.

  11. Close the GUI.


18 

If the NFM-P system is redundant, stop the standby main server.

  1. Log in to the standby main server station as the nsp user.

  2. Open a console window.

  3. Enter the following:

    bash$ /opt/nsp/nfmp/server/nms/bin/nmsserver.bash stop ↵

    The main server stops.


19 

If the system includes one or more auxiliary servers, stop each auxiliary server.

  1. Log in to the auxiliary server station as the nsp user.

  2. Open a console window.

  3. Enter the following:

    bash$ /opt/nsp/nfmp/auxserver/nms/bin/auxnmsserver.bash auxstop ↵

    The auxiliary server stops.


20 

If the system includes one or more NSP analytics servers, stop each analytics server.

  1. Log in to the analytics server station as the nsp user.

  2. Open a console window.

  3. Enter the following:

    bash$ /opt/nsp/analytics/bin/AnalyticsAdmin.sh stop ↵

    The analytics server stops.


21 

If the system includes one or more NSP Flow Collector Controllers and Flow Collectors, stop each NSP Flow Collector Controller.

Note: If the NSP Flow Collector Controller is collocated on a station with an NSP Flow Collector, stopping the NSP Flow Collector Controller also stops the Flow Collector.

  1. Log in to the NSP Flow Collector Controller station as the nsp user.

  2. Open a console window.

  3. Enter the following:

    bash$ /opt/nsp/flow/fcc/bin/flowCollectorController.bash stop ↵

    The NSP Flow Collector Controller stops.


22 

If the system includes one or more NSP Flow Collectors that are not collocated on a station with a Flow Collector Controller, stop each such Flow Collector.

  1. Log in to the NSP Flow Collector station as the nsp user.

  2. Open a console window.

  3. Enter the following:

    bash$ /opt/nsp/flow/fc/bin/flowCollector.bash stop ↵

    The NSP Flow Collector stops.


23 

Stop the standalone or primary main server.

  1. Log in to the main server station as the nsp user.

  2. Open a console window.

  3. Enter the following:

    bash$ /opt/nsp/nfmp/server/nms/bin/nmsserver.bash stop ↵

    The main server stops.


24 

If the NFM-P system is redundant, stop the standby database proxy.

  1. Log in to the standby database station as the root user.

  2. Open a console window.

  3. Enter the following:

    systemctl stop nfmp-oracle-proxy.service ↵

    The database proxy stops.


25 

Stop the standalone or primary database proxy.

  1. Log in to the database station as the root user.

  2. Open a console window.

  3. Enter the following:

    systemctl stop nfmp-oracle-proxy.service ↵

    The database proxy stops.


Apply new cipher and TLS lists
 
26 

Perform the following steps on each main database station to apply the new TLS configuration.

  1. Log in as the Oracle management user.

  2. Enter the following:

    bash$ cd ~/cipher_update ↵

  3. Enter the following:

    Note: The -fo parameter is optional, and sets the cipher priority according to the order in the specified file. If the parameter is not included, the cipher priority is set to the default order.

    bash$ ./ciphers_and_tls_update.bash apply -c new_ciphers_file -t new_TLS_file -fo ↵

    where

    new_ciphers_file is the updated ciphers file

    new_TLS_file is the updated TLS file

    The script applies the new configuration, and backs up the previous configuration in the following file:

    ciphers_and_tls_backup.timestamp.tar.gz


27 

Perform the following steps on each main server station to apply the new TLS configuration.

  1. Log in as the nsp user.

  2. Enter the following:

    bash$ cd /opt/nsp/nfmp/server/nms/bin/security_management/ssl ↵

  3. Enter the following:

    Note: The -fo parameter is optional, and sets the cipher priority according to the order in the specified file. If the parameter is not included, the cipher priority is set to the default order.

    bash$ ./ciphers_and_tls_update.bash apply -c new_ciphers_file -t new_TLS_file -fo ↵

    where

    new_ciphers_file is the updated ciphers file

    new_TLS_file is the updated TLS file

    The script applies the new configuration, and backs up the previous configuration in the following file:

    ciphers_and_tls_backup.timestamp.tar.gz


28 

If the system includes one or more auxiliary servers, perform the following steps on each auxiliary server station to apply the new TLS configuration.

  1. Log in as the nsp user.

  2. Enter the following:

    bash$ cd /opt/nsp/nfmp/auxserver/nms/bin/security_management/ssl ↵

  3. Enter the following:

    Note: The -fo parameter is optional, and sets the cipher priority according to the order in the specified file. If the parameter is not included, the cipher priority is set to the default order.

    bash$ ./ciphers_and_tls_update.bash apply -c new_ciphers_file -t new_TLS_file -fo ↵

    where

    new_ciphers_file is the updated ciphers file

    new_TLS_file is the updated TLS file

    The script applies the new configuration, and backs up the previous configuration in the following file:

    ciphers_and_tls_backup.timestamp.tar.gz


29 

If the system includes one or more NSP Flow Collector Controllers, Flow Collectors, or analytics servers, perform the following steps on each NSP Flow Collector Controller, Flow Collector, and analytics server station to apply the new TLS configuration.

  1. Log in as the nsp user.

  2. Enter the following:

    bash$ cd /opt/nsp/cipher_update ↵

  3. Enter the following:

    Note: The -fo parameter is optional, and sets the cipher priority according to the order in the specified file. If the parameter is not included, the cipher priority is set to the default order.

    bash$ ./ciphers_and_tls_update.bash apply -c new_ciphers_file -t new_TLS_file -fo ↵

    where

    new_ciphers_file is the updated ciphers file

    new_TLS_file is the updated TLS file

    The script applies the new configuration, and backs up the previous configuration in the following file:

    ciphers_and_tls_backup.timestamp.tar.gz


Start NFM-P system
 
30 

Start the standalone or primary database proxy.

As the root user on the database station, enter the following:

systemctl start nfmp-oracle-proxy.service ↵

The database proxy starts.


31 

If the NFM-P system is redundant, start the standby database proxy.

As the root user on the standby database station, enter the following:

systemctl start nfmp-oracle-proxy.service ↵

The database proxy starts.


32 

Start the standalone or primary main server.

As the nsp user on the main server station, enter the following:

bash$ /opt/nsp/nfmp/server/nms/bin/nmsserver.bash start ↵

The main server starts.


33 

If the NFM-P system is redundant, start the standby main server.

As the nsp user on the standby main server station, enter the following:

bash$ /opt/nsp/nfmp/server/nms/bin/nmsserver.bash start ↵

The main server starts.


34 

If the system includes one or more auxiliary servers, start each auxiliary server.

As the nsp user on the auxiliary server station, enter the following:

bash$ /opt/nsp/nfmp/auxserver/nms/bin/auxnmsserver.bash auxstart ↵

The auxiliary server starts.


35 

If the system includes one or more NSP analytics servers, start each analytics server.

As the nsp user on the analytics server station, enter the following:

bash$ /opt/nsp/analytics/bin/AnalyticsAdmin.sh start ↵

The analytics server starts.


36 

If the system includes one or more NSP Flow Collector Controllers and Flow Collectors, start each NSP Flow Collector Controller.

Note: If the NSP Flow Collector Controller is collocated on a station with an NSP Flow Collector, starting the NSP Flow Collector Controller also starts the Flow Collector.

  1. Log in to the NSP Flow Collector Controller station as the nsp user.

  2. Open a console window.

  3. Enter the following:

    bash$ /opt/nsp/flow/fcc/bin/flowCollectorController.bash start ↵

    The NSP Flow Collector Controller starts.


37 

If the system includes one or more NSP Flow Collectors that are not collocated on a station with a Flow Collector Controller, start each such Flow Collector.

  1. Log in to the NSP Flow Collector station as the nsp user.

  2. Open a console window.

  3. Enter the following:

    bash$ /opt/nsp/flow/fc/bin/flowCollector.bash start ↵

    The NSP Flow Collector starts.


38 

Close the open console windows.

End of steps