Security of credential caching
When using persistent caching, the management console encrypts host credentials as follows:
- It generates a salt, or retrieves it from the Java KeyStore (a storage facility for cryptographic keys and certificates) if a salt has previously been stored there.
- It uses the salt to generate a unique 128-bit encryption key for the authenticated user. The key generation algorithm is PBKDF2 using HMAC with SHA1. This algorithm is designed to resist brute-force attacks on the password: the salt ensures that the same password results in different keys, and iterating the key generation function many times increases the work factor.
- It uses the generated key to encrypt the credentials (including the user name, password, and any elevation credentials) using the AES algorithm in CBC mode. It then computes a Message Authentication Code (MAC), using HMAC with SHA-256, to verify the integrity of the saved data.
The Management Console for Unix server communicates with a database on port 9001 over the loopback interface. The database password is randomly generated at install time. One Identity recommends that you configure a local firewall to block remote access to this port. For information on how to change the default port on which the database runs, see Database port number is already in use.
Summary of Security Recommendations
One Identity recommends that you implement the following to secure the data used by Management Console for Unix:
- When authenticating Active Directory users for access to Management Console for Unix, make sure that the server is installed on a machine that is joined to the Active Directory forest you wish to manage.
- Install an SSL/TLS key pair and certificate that is signed by a Certification Authority that will be trusted by all users' browsers.
- Directly import SSH host keys using a known_hosts file, or the Import SSH Host Key toolbar command; or manually verify the fingerprints by disabling the Automatically accept SSH keys option when profiling.
- Configure a local firewall to restrict remote access to the database port (the default port is 9001).
To help you troubleshoot, One Identity recommends the following resolutions to some of the common problems you might encounter as you deploy and use Management Console for Unix.
Note: Simply re-profiling a host can resolve issues caused when the host is out of sync with the server.