NSP system security
TLS
An NSP system is secured using Transport Layer Security (TLS). TLS ensures secure external communication between NSP UI and other clients and the NSP cluster, and secure internal communication among NSP components. CA-signed and self-signed certificates are supported.
Note: The NSP supports only TLS v1.2; however, you can enable older TLS versions for compatibility with OSS or external systems that do not support TLS v1.2.
The NSP provides an internal Public Key Infrastructure (PKI) service to automate the generation and distribution of TLS artifacts within an NSP deployment. The PKI service can generate, sign, and distribute self-signed TLS certificates, or use certificates that you provide.
The NSP TLS artifacts are stored in secret files on each NSP cluster. An NSP tool facilitates secret management. You can use the tool to create or update the required secrets using internally generated or imported certificates, and to back up and restore the secrets.
Other external security mechanisms
In addition, session credentials and messaging can be protected using mechanisms and protocols such as the following:
You can also enable HTTP Strict-Transport-Security, or HSTS, during system deployment, which enforces the use of HTTPS by any browser that connects to the NSP. See the NSP Installation and Upgrade Guide for information about enabling HSTS.
SELinux
The deployment of SELinux in permissive or enforcing mode to log user operations is supported on the RHEL OS of all NSP system elements, with the exception of an NSP auxiliary database, which supports SELinux only in permissive mode.
The NSP supports the upgrade of SELinux-enabled components; however, SELinux must be in permissive mode during an upgrade. Switching to enforcing mode is done only after a deployment operation.
Note: SELinux is enabled in permissive mode on an NSP RHEL OS disk image, but must be manually enabled after a manual RHEL OS installation.
“What is SELinux?” in the NSP System Administrator Guide describes deploying and managing SELinux for the NSP.