Technote (FAQ)
Question
How can you change the encryption provider that your RealSecure Server Sensor or Network Sensor 7.0 is using?
Answer
To determine which cryptographic providers the sensor is currently using, look at the provider subdirectories under the sensor's Keys directory:
Windows:
c:\Program Files\ISS\issSensors\<sensor_name>\Keys
Linux:
/opt/ISS/issSensors/<sensor_name>/Keys
To manually change encryption provider, please take the below steps:
1. Stop the issDaemon using the services applet from the control panel in Windows, or using the realsecure script for Linux/UNIX sensors.
2. Use a text editor to edit the crypt.policy file under C:\Program Files\ISS\issDaemon on Windows, or under /opt/ISS/issDaemon on Linux/UNIX. Below is a sample crypt.policy file, followed by the edited version. In this example, we want to remove CerticomNRA (no longer supported) and use only RSA keys, with the 1024-bit RSA key as the first/primary provider.
-
On the line that reads "authentication =L 1;", the number 1 means that authentication is enabled. If you want to temporarily disable authentication, change the 1 to a 0.
Notice that the encryption section headers shown in brackets have numbers after the word provider, with the first provider in priority order having a 0 for CerticomNRA, the second having a 1 for RSA 1536, and the third having a 2 for RSA 1024.
[\];
[\encryption\];
allowfirstconnection =L 0;
authentication =L 1;
[\encryption\provider0\];
ProviderType =L 998;
ProviderName =S ISS ECNRA Built-In Provider, Strong Encryption Version;
ExchangeName =S ;
ExchangeLen =L 239;
ExchangeID =L 44032;
SecretName =S ;
SecretLen =L 168;
SecretID =L 26116;
HashName =S ;
HashLen =L 160;
HashID =L 32772;
[\encryption\provider1\];
ProviderType =L 1;
ProviderName =S Microsoft Enhanced Cryptographic Provider v1.0;
ExchangeName =S ;
ExchangeLen =L 1536;
ExchangeID =L 41984;
SecretName =S ;
SecretLen =L 168;
SecretID =L 26115;
HashName =S ;
HashLen =L 160;
HashID =L 32772;
[\encryption\provider2\];
ProviderType =L 1;
ProviderName =S ISS Microsoft Enhanced Cryptographic Provider v1.0;
ExchangeName =S ;
ExchangeLen =L 1024;
ExchangeID =L 41984;
SecretName =S ;
SecretLen =L 128;
SecretID =L 26625;
HashName =S ;
HashLen =L 160;
HashID =L 32772;
-
[\];
[\encryption\];
allowfirstconnection =L 0;
authentication =L 1;
[\encryption\provider0\];
ProviderName =S ISS RSA Built-In Provider, Strong Encryption Version (1024-bit version);
ProviderType =L 997;
ExchangeID =L 41984;
ExchangeLen =L 1024;
SecretID =L 26625;
SecretLen =L 128;
HashID =L 32772;
HashLen =L 160;
[\encryption\provider1\];
ProviderName =S ISS RSA Built-In Provider, Strong Encryption Version (1536-bit version);
ProviderType =L 997;
ExchangeID =L 41984;
ExchangeLen =L 1536;
SecretID =L 26115;
SecretLen =L 168;
HashID =L 32772;
HashLen =L 160;
C:\Program Files\ISS\issSensors\network_sensor_1 on Windows, or /opt/ISS/issSensors/network_sensor_1 on Linux/UNIX.
4. Make sure the sensor has the RSA subdirectory for holding public keys. If not, create a directory called RSA, usually located under C:\Program Files\ISS\issSensors\network_sensor_1\Keys on Windows, or /opt/ISS/issSensors/network_sensor_1/Keys on Linux/UNIX.
5. Make sure copies of the console's public key and the Event Collector's public key are in the RSA subdirectory. The sensor's own public key is not required there, because the sensor never uses its own public key; it only needs the public keys of the console and the Event Collector.
6. Because CerticomNRA is no longer supported, you may delete the CerticomNRA subdirectory, usually located under C:\Program Files\ISS\issSensors\network_sensor_1\Keys on Windows, or /opt/ISS/issSensors/network_sensor_1/Keys on Unix.
7. Restart the issDaemon using the services applet from the control panel in Windows, or using the realsecure control script in Linux/UNIX.
8. Try to reconnect to the sensor from the console.
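As an added example (my own script, not code from the technote or from IBM), the following Python reads a crypt.policy file in the syntax shown above, drops any provider section whose ProviderType is 998 (the CerticomNRA/ECNRA provider in the sample), renumbers the remaining provider sections so that the 1024-bit RSA provider becomes provider0 and the 1536-bit one becomes provider1, and writes the result back in the same "Key =L value;" / "Key =S value;" form. Every other entry in each section is copied through unchanged, which is exactly what the warning about changing only the number after "provider" asks for. The sample policy embedded in the script is constructed from the technote's "before" file, condensed to a few fields; the regular expressions describing the header and entry syntax are my assumptions from that sample, not a published grammar.

```python
"""Added example (not part of the IBM technote): reorder the provider sections
of a RealSecure crypt.policy file, dropping the CerticomNRA provider.

Assumptions (mine, not the technote's): section headers look like
"[\\encryption\\providerN\\];" and entries look like "Key =L 123;" (a number)
or "Key =S some text;" (a string), as in the technote's sample files.
"""
import re
from collections import OrderedDict

# Constructed sample: the technote's "before" policy, condensed to the fields
# this example needs.  ProviderType 998 is the CerticomNRA (ECNRA) provider.
SAMPLE_POLICY = """\
[\\];
[\\encryption\\];
allowfirstconnection =L 0;
authentication =L 1;
[\\encryption\\provider0\\];
ProviderType =L 998;
ProviderName =S ISS ECNRA Built-In Provider, Strong Encryption Version;
ExchangeLen =L 239;
[\\encryption\\provider1\\];
ProviderType =L 1;
ProviderName =S Microsoft Enhanced Cryptographic Provider v1.0;
ExchangeLen =L 1536;
[\\encryption\\provider2\\];
ProviderType =L 1;
ProviderName =S Microsoft Enhanced Cryptographic Provider v1.0;
ExchangeLen =L 1024;
"""

HEADER_RE = re.compile(r'^\[(\\(?:[^\\\]]+\\)*)\];$')      # [\encryption\provider0\];
ENTRY_RE = re.compile(r'^(\w+)\s*=\s*([LS])\s*(.*?)\s*;$')   # Key =L 123;  /  Key =S text;
PROVIDER_RE = re.compile(r'^\\encryption\\provider(\d+)\\$')
CERTICOM_NRA_TYPE = 998   # assumed from the sample: the unsupported provider


def parse_policy(text):
    """Return OrderedDict: section path -> OrderedDict of key -> (type, value)."""
    sections = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = OrderedDict()
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            key, typ, val = m.groups()
            sections[current][key] = (typ, int(val) if typ == 'L' else val)
            continue
        raise ValueError("line %d: cannot parse %r" % (lineno, raw))
    return sections


def rewrite_providers(sections, preferred_exchange_lens):
    """Drop CerticomNRA providers and renumber the rest so that providers whose
    ExchangeLen appears in preferred_exchange_lens come first, in that order."""
    providers, others = [], OrderedDict()
    for path, entries in sections.items():
        if PROVIDER_RE.match(path):
            providers.append(entries)
        else:
            others[path] = entries
    kept = [p for p in providers
            if p.get('ProviderType', ('L', None))[1] != CERTICOM_NRA_TYPE]

    def rank(p):
        exch = p.get('ExchangeLen', ('L', 0))[1]
        return (preferred_exchange_lens.index(exch) if exch in preferred_exchange_lens
                else len(preferred_exchange_lens))
    kept.sort(key=rank)   # stable: unlisted providers keep their relative order

    out = OrderedDict(others)   # the [\] and [\encryption\] sections stay first
    for n, entries in enumerate(kept):
        out['\\encryption\\provider%d\\' % n] = entries
    return out


def format_policy(sections):
    """Serialise back to the "Key =T value;" syntax, one entry per line."""
    lines = []
    for path, entries in sections.items():
        lines.append('[%s];' % path)
        for key, (typ, val) in entries.items():
            lines.append('%s =%s %s;' % (key, typ, val))
    return '\n'.join(lines) + '\n'


def provider_summary(sections):
    """[(section path, ProviderType, ExchangeLen), ...] in file order."""
    return [(path, e['ProviderType'][1], e['ExchangeLen'][1])
            for path, e in sections.items() if PROVIDER_RE.match(path)]


def authentication_enabled(sections):
    """True when the [\\encryption\\] section has authentication =L 1;"""
    return sections['\\encryption\\'].get('authentication', ('L', 0))[1] == 1


def convert(text, preferred_exchange_lens=(1024, 1536)):
    """Full pipeline: parse, drop CerticomNRA, put 1024-bit RSA first, serialise."""
    return format_policy(rewrite_providers(parse_policy(text), list(preferred_exchange_lens)))


if __name__ == '__main__':
    print(convert(SAMPLE_POLICY))
```

Run it against a copy of the sensor's crypt.policy while the issDaemon is stopped, and diff the output against the original before putting it in place: the only differences should be the removed CerticomNRA section and the renumbered provider headers. The parser raises on any line it does not recognise rather than silently dropping it, so a policy with entries outside the assumed syntax is reported instead of being rewritten incorrectly.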
Note that the ProviderName for RSA (and other encryption algorithms) may differ between operating systems. For example, on a Linux/UNIX system, you may see:
ISS RSA Built-In Provider, Strong Encryption Version (1024-bit version)
For a Windows system you may see:
Microsoft Enhanced Cryptographic Provider v1.0
Please do not change any other values within crypt.policy, as doing so will likely cause the encryption and authentication component to stop working. Only change the number that follows "provider" in the section headers.
Example: [\encryption\provider0\]
If the above information does not resolve your issue, please contact IBM Security Systems Technical Support.
| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Security | IBM RealSecure Server Sensor for AIX | | AIX | | |
| Security | IBM RealSecure Server Sensor for HP-UX | | HP-UX on PA-RISC | | |
| Security | IBM RealSecure Server Sensor for Solaris | | Solaris | | |
| Security | RealSecure Network Sensor | | Linux, Windows | 7.0 | |
Historical Number
3554
Product Alias/Synonym
RealSecure Network Sensor
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.