NSP system security

TLS

An NSP system is secured using Transport Layer Security (TLS). TLS ensures secure external communication between NSP UI and other clients and the NSP cluster, and secure internal communication among NSP components. CA-signed and self-signed certificates are supported.

Note: The NSP supports only TLS v1.2; however, you can enable older TLS versions for compatibility with OSS or external systems that do not support TLS v1.2.

The NSP provides an internal Public Key Infrastructure (PKI) service to automate the generation and distribution of TLS artifacts within an NSP deployment. The PKI service can generate, sign, and distribute self-signed TLS certificates, or use certificates that you provide.

The NSP TLS artifacts are stored in secret files on each NSP cluster. An NSP tool facilitates secret management. You can use the tool to create or update the required secrets using internally generated or imported certificates, and to back up and restore the secrets.

Other external security mechanisms

In addition, session credentials and messaging can be protected using mechanisms and protocols such as the following:

• NAT between system components

• HTTPS at the application layer for API clients

• SNMPv3 for communication with classically managed network devices

• SMTPS or STARTTLS for secure e-mail notifications

You can also enable HTTP Strict-Transport-Security, or HSTS, during system deployment, which enforces the use of HTTPS by any browser that connects to the NSP. See the NSP Installation and Upgrade Guide for information about enabling HSTS.

SELinux

The deployment of SELinux in permissive or enforcing mode to log user operations is supported on the RHEL OS of all NSP system elements, with the exception of an NSP auxiliary database, which supports SELinux only in permissive mode.

The NSP supports the upgrade of SELinux-enabled components; however, SELinux must be in permissive mode during an upgrade. Switching to enforcing mode is done only after a deployment operation.

Note: SELinux is enabled in permissive mode on an NSP RHEL OS disk image, but must be manually enabled after a manual RHEL OS installation.

“What is SELinux?” in the NSP System Administrator Guide describes deploying and managing SELinux for the NSP.