Changing Encryption Provider Used by RealSecure Server Sensor or Network Sensor 7.0

Technote (FAQ)


Question

How can you change the encryption provider that your RealSecure Server Sensor or Network Sensor 7.0 is using?

Answer


To determine which cryptographic providers the sensor is currently using, look at the subdirectories of the sensor's Keys directory (each provider in use, such as RSA or CerticomNRA, has its own subdirectory there):

Windows: C:\Program Files\ISS\issSensors\<sensor_name>\Keys

Linux: /opt/ISS/issSensors/<sensor_name>/Keys

To manually change the encryption provider, take the following steps:

  1. Stop the issDaemon using the services applet from the control panel in Windows, or using the realsecure script for Linux/UNIX sensors.

  2. Use a text editor to edit the crypt.policy file under C:\Program Files\ISS\issDaemon on Windows, or under /opt/ISS/issDaemon on Linux/UNIX. Below is a sample crypt.policy file. In this example, we want to remove CerticomNRA (no longer supported) and only use RSA keys, with the 1024-bit RSA key as the first/primary provider.
      The line that reads authentication has the value 1, which means that authentication is enabled. If you want to temporarily disable authentication, change the 1 to a 0.

      Notice that the encryption section headers shown in brackets have numbers after the word provider, with the first provider in priority order having a 0 for CerticomNRA, the second having a 1 for RSA 1536, and the third having a 2 for RSA 1024.

      [\];
      [\encryption\];
      allowfirstconnection =L 0;
      authentication =L 1;
      [\encryption\provider0\];
      ProviderType =L 998;
      ProviderName =S ISS ECNRA Built-In Provider, Strong Encryption Version;
      ExchangeName =S ;
      ExchangeLen =L 239;
      ExchangeID =L 44032;
      SecretName =S ;
      SecretLen =L 168;
      SecretID =L 26116;
      HashName =S ;
      HashLen =L 160;
      HashID =L 32772;
      [\encryption\provider1\];
      ProviderType =L 1;
      ProviderName =S Microsoft Enhanced Cryptographic Provider v1.0;
      ExchangeName =S ;
      ExchangeLen =L 1536;
      ExchangeID =L 41984;
      SecretName =S ;
      SecretLen =L 168;
      SecretID =L 26115;
      HashName =S ;
      HashLen =L 160;
      HashID =L 32772;
      [\encryption\provider2\];
      ProviderType =L 1;
      ProviderName =S ISS Microsoft Enhanced Cryptographic Provider v1.0;
      ExchangeName =S ;
      ExchangeLen =L 1024;
      ExchangeID =L 41984;
      SecretName =S ;
      SecretLen =L 128;
      SecretID =L 26625;
      HashName =S ;
      HashLen =L 160;
      HashID =L 32772;

  3. Below is the crypt.policy after editing. Notice that the encryption section headers shown in brackets have numbers after the word provider, with the first provider in priority order having a 0 for RSA 1024, and the second having a 1 for RSA 1536. The section for CerticomNRA has been removed.
      [\];
      [\encryption\];
      allowfirstconnection =L 0;
      authentication =L 1;
      [\encryption\provider0\];
      ProviderName =S ISS RSA Built-In Provider, Strong Encryption Version (1024-bit version);
      ProviderType =L 997;
      ExchangeID =L 41984;
      ExchangeLen =L 1024;
      SecretID =L 26625;
      SecretLen =L 128;
      HashID =L 32772;
      HashLen =L 160;
      [\encryption\provider1\];
      ProviderName =S ISS RSA Built-In Provider, Strong Encryption Version (1536-bit version);
      ProviderType =L 997;
      ExchangeID =L 41984;
      ExchangeLen =L 1536;
      SecretID =L 26115;
      SecretLen =L 168;
      HashID =L 32772;
      HashLen =L 160;
    Save the edited crypt.policy and make a copy of this file to overwrite the other crypt.policy under the program directory of the sensor, usually located under
    C:\Program Files\ISS\issSensors\network_sensor_1 on Windows, or /opt/ISS/issSensors/network_sensor_1 on Linux/UNIX.

  4. Make sure the sensor has the RSA subdirectory for holding public keys. If not, create a directory called RSA, usually located under C:\Program Files\ISS\issSensors\network_sensor_1\Keys on Windows, or /opt/ISS/issSensors/network_sensor_1/Keys on Linux/UNIX.

  5. Make sure a copy of the console's public key and a copy of the Event Collector's public key are present in the RSA subdirectory. The sensor's own public key is not required there, because the sensor never uses its own public key; it only needs the public keys of the console and the Event Collector.

  6. Because CerticomNRA is no longer supported, you may delete the CerticomNRA subdirectory, usually located under C:\Program Files\ISS\issSensors\network_sensor_1\Keys on Windows, or /opt/ISS/issSensors/network_sensor_1/Keys on Linux/UNIX.

  7. Restart the issDaemon using the services applet from the control panel in Windows, or using the realsecure control script in Linux/UNIX.

  8. Try to reconnect to the sensor from the console.

      Note that the ProviderName for RSA (and other encryption algorithms) may differ between operating systems. For example, on a Linux/UNIX system, you may see:
      ISS RSA Built-In Provider, Strong Encryption Version (1024-bit version)

      For a Windows system you may see:
      Microsoft Enhanced Cryptographic Provider v1.0

      Do not change any other setting within crypt.policy, as doing so will likely cause the encryption and authentication component to stop working. Only change the number that follows the word provider in the section headers, for example:
      [\encryption\provider0\]
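As an added example (not ISS or IBM code), the following Python script performs the edit from steps 2 and 3 mechanically: it parses the crypt.policy sections, drops the CerticomNRA provider (ProviderType 998 in the sample above) and renumbers the remaining RSA providers so that the 1024-bit one becomes provider0. It assumes that =L entries hold integers and =S entries hold strings, as the samples suggest; the input below is constructed from the values shown on this page.

```python
import re

# Constructed input in the crypt.policy syntax shown above; not a real sensor file.
SAMPLE = r"""[\];
[\encryption\];
allowfirstconnection =L 0;
authentication =L 1;
[\encryption\provider0\];
ProviderType =L 998;
ProviderName =S ISS ECNRA Built-In Provider, Strong Encryption Version;
ExchangeLen =L 239;
[\encryption\provider1\];
ProviderType =L 997;
ProviderName =S ISS RSA Built-In Provider, Strong Encryption Version (1536-bit version);
ExchangeLen =L 1536;
[\encryption\provider2\];
ProviderType =L 997;
ProviderName =S ISS RSA Built-In Provider, Strong Encryption Version (1024-bit version);
ExchangeLen =L 1024;
"""

HEADER = re.compile(r"^\[\\encryption\\provider(\d+)\\\];$")  # [\encryption\providerN\];
ENTRY = re.compile(r"^(\w+)\s*=\s*([LS])\s*(.*?);$")           # Key =L 123;  or  Key =S text;

def parse(text):
    """Return (global lines kept verbatim, list of provider sections as dicts)."""
    global_lines, providers, current = [], [], None
    for line in text.splitlines():
        if HEADER.match(line):
            current = {}                       # start a new provider section
            providers.append(current)
            continue
        m = ENTRY.match(line)
        if current is not None and m:
            key, typ, val = m.groups()         # assumption: =L is an integer, =S a string
            current[key] = int(val) if typ == "L" else val.strip()
        elif current is None:
            global_lines.append(line)          # [\]; [\encryption\]; authentication ...
    return global_lines, providers

def reorder(text, drop_type=998, first_len=1024):
    """Drop providers of drop_type, put the first_len exchange first, renumber from 0."""
    global_lines, providers = parse(text)
    kept = [p for p in providers if p.get("ProviderType") != drop_type]
    kept.sort(key=lambda p: 0 if p.get("ExchangeLen") == first_len else 1)  # stable sort
    out = list(global_lines)
    for i, p in enumerate(kept):
        out.append(rf"[\encryption\provider{i}\];")
        for k, v in p.items():
            out.append(f"{k} =L {v};" if isinstance(v, int) else f"{k} =S {v};")
    return "\n".join(out) + "\n"
```

Write the returned text over crypt.policy only after checking that it still starts with the unchanged global section; any other change to the file is what the note above warns against.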


If the above information does not resolve your issue, contact IBM Security Systems Customer Support.


Cross reference information

Segment    Product                                    Component   Platform            Version   Edition
Security   IBM RealSecure Server Sensor for AIX                   AIX
Security   IBM RealSecure Server Sensor for HP-UX                 HP-UX on PA-RISC
Security   IBM RealSecure Server Sensor for Solaris               Solaris

Historical Number

3554

Document information


More support for:

IBM Security Host Protection
RealSecure Server Sensor

Software version:

7.0

Operating system(s):

Windows

Reference #:

1435417

Modified date:

2012-03-19
