NSP system security

TLS

The NSP supports the use of Transport Layer Security (TLS) throughout the NSP system. The NSP installation software includes a utility called a Public Key Infrastructure (PKI) server that you can use to automate the distribution of TLS artifacts for NSP components. A PKI server can generate, sign, and distribute a self-signed TLS certificate, or use a certificate from another source.

Note: The NSP supports only TLS v1.2; however, you can enable older TLS versions for compatibility with OSS or external systems that do not support TLS v1.2.

TLS ensures secure external communication between NSP clients and the NSP cluster, and among NSP components. The NSP supports the use of external TLS certificates signed by a trusted public Certificate Authority (CA), and self-signed certificates.

You determine the source and signing authority of the external TLS certificate in an NSP system. The internal certificate, however, is automatically created and signed by an internally generated private CA on the PKI server, so no certificate from any external CA is trusted for internal system access.

Each NSP cluster serves as the central store of the following certificates for the other NSP components in the local datacenter:

• external, customer-provided or generated by PKI server

• internal, generated by PKI server

Other external security mechanisms

In addition, session credentials and messaging can be protected using mechanisms and protocols such as the following:

• NAT between system components

• HTTPS at the application layer for API clients

• SNMPv3 for communication with network devices

• SMTPS or STARTTLS for secure e-mail notifications

You can also enable HTTP Strict-Transport-Security, or HSTS, during system deployment, which enforces the use of HTTPS by any browser that connects to the NSP. See the NSP Installation and Upgrade Guide for information about enabling HSTS.

SELinux

The deployment of SELinux in permissive or enforcing mode to log user operations is supported on the RHEL OS of all NSP system elements, with the exception of an NSP auxiliary database, which supports SELinux only in permissive mode.

The NSP supports the upgrade of SELinux-enabled components; however, SELinux must be in permissive mode during an upgrade. Switching to enforcing mode is done only after a deployment operation.

Note: SELinux is enabled in permissive mode on an NSP RHEL OS disk image, but must be manually enabled after a manual RHEL OS installation.

“What is SELinux?” in the NSP System Administrator Guide describes deploying and managing SELinux for the NSP.