Security Concept for Automation Engine

In this section you find the details of the security concept for the Automation Engine (the component that controls an Automation Engine system; it consists of several server processes).

Encrypt Network Communication

The goal of encryption is to ensure that only authorized users can view, use or contribute to a data set. These security controls add another layer of protection against potential threats by end-users, administrators and other malicious actors on the network. No external encryption solutions are required within an Automic environment.

AES Key Size

All necessary encryption is done natively via an AES key size of your choice (128, 192 or 256 bits). 
This encryption is used for the following components:

Default Installation Settings

The default installation uses an encrypted connection with a 256-bit key and no authentication between the two connection partners.

The default configuration (the set of components that make up a system, including how they are connected and which settings are applied) uses AES with the highest supported key size of 256 bits.

Basic System Variable Settings:

The system variable UC_AS_SETTINGS can be found in the system client 0000.
These are the recommended settings:

UC_AS_SETTINGS

Key             Purpose                Default value   Recommended value                 Restart required
AUTHENTICATION  Authentication method  NO (none)       LOCAL_REMOTE (Server and agent)   Server
ENCRYPTION      Encryption mode        AES-256         AES-256                           Server

(Agent: a program that executes tasks on target systems such as a computer or an enterprise solution; also a distinct object type in the Automation Engine. Formerly called "Executor".)

The shared key is exchanged during the first connection of the agent.

To improve the security of the connected components, it is recommended to change the authentication mode to "Server and agent".
In that case the authentication package has to be transferred manually, for example over a second (secured) channel, instead of being exchanged over the network.

Automation Engine Authentication Methods

The Automation Engine supports different authentication methods in order to verify the identity of the components.

You can specify the authentication method while installing the AE system. Subsequent modification is also possible:

Overview

Authentication method: None

An agent starting for the first time can immediately log on to the AE system.
The Company Key (a term used in each AE system) is automatically derived from the AE system's name.
It prevents an agent from logging on afterwards to an AE system with a different Company Key.

Authentication method: Server

The agents can log on to the AE system when they start for the first time, but they cannot be used until they have been released.

Follow these steps:

  1. Determine the Company Key during the Automation Engine installation.
  2. Subsequently, export it to a file and use it during agent installation.
  3. You then have to release agents in the System Overview of client 0000.

By executing these steps, the Automation Engine automatically transfers the authentication package over the network connection to the relevant agent. Only then is the agent authenticated and ready to use.

Authentication method: Server and agent

Some preparatory work is required to make sure that the agents can log on to the AE system.

  1. Determine the Company Key during the Automation Engine installation.
  2. Create an Agent object for each agent in system client 0000.
  3. Export an authentication package and store it on the agent's computer for the installation.

Now the agent is ready to use.

In order to guarantee secure communication, Automic recommends transferring the authentication package to the agent either manually or over a separate secure line. This keeps the authentication package off the network, so it cannot be captured by eavesdropping on the network communication.

Set-up Firewall and Port Configuration

AWA requires only a small set of inbound and outbound TCP ports to be open.
All port assignments are configurable and can be changed in the configuration file of the respective component.

The following diagram shows an overview of all required communications and their default port numbers.

 Port Numbers and Communications Setup:

In some cases the components are distributed across different network areas; the following list of ports helps you with the firewall configuration.

Inbound ports:

By default you need the following inbound TCP ports; all ports remain configurable:

Outbound ports:

By default you need the following outbound TCP ports; all ports remain configurable:

File Transfers

The sending agent tries to establish a connection to the receiving agent. If this attempt fails (for example, because of firewall settings), it notifies the Automation Engine. The file transfer request is then sent to the receiver, which in turn tries to establish a connection to the sender. After the connection has been established, the receiving agent transfers the FT request to the sender. Thus the direction of the connection used for a file transfer is negotiated between the two agents depending on the firewall configuration.

For details on file transfers refer to the INI configuration page of the Windows Agent.

Deactivate Compatibility Mode

To support older agents (prior to version 9.0), the Automation Engine still allows unencrypted communication between components.

If you are not using those older agents, it is highly recommended to deactivate the compatibility mode in order to force encrypted connections.

You configure the compatibility mode in the UC_AS_SETTINGS variable.
By default the compatibility mode is enabled.

UC_AS_SETTINGS

Key            Purpose             Default value   Recommended value   Restart required
COMPATIBILITY  Compatibility mode  YES (active)    NO (deactivated)    Server
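The two UC_AS_SETTINGS tables above (authentication and encryption mode, and the compatibility mode here) together define three keys whose defaults are weaker than the recommended values. The following script is an added example, not Automic code, that audits a settings listing against those recommendations and treats a missing key as being at its documented default, which is exactly the case that is easy to overlook (COMPATIBILITY left at YES, AUTHENTICATION left at NO). It assumes the settings are available as simple KEY = VALUE lines (for instance copied out of the variable in client 0000); the real export format is not described on this page, so adapt parse_settings() if yours differs.

```python
"""Audit UC_AS_SETTINGS values against the recommended security settings.

Added example (not Automic's code). Assumption: the settings are available
as KEY = VALUE lines; the actual export format may differ.
"""

# Recommended values, taken from the page's two UC_AS_SETTINGS tables.
RECOMMENDED = {
    "AUTHENTICATION": "LOCAL_REMOTE",  # server and agent authentication
    "ENCRYPTION": "AES-256",           # highest supported key size
    "COMPATIBILITY": "NO",             # refuse unencrypted pre-9.0 connections
}

# Default values from the same tables. A key that is absent from the
# listing is evaluated at its default, because that is what the server uses.
DEFAULTS = {
    "AUTHENTICATION": "NO",
    "ENCRYPTION": "AES-256",
    "COMPATIBILITY": "YES",
}


def parse_settings(text):
    """Parse KEY = VALUE lines into a dict.

    Blank lines and '#' comments are ignored; keys and values are trimmed
    and upper-cased so that comparisons are case-insensitive.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed setting line: {raw!r}")
        key, value = line.split("=", 1)
        settings[key.strip().upper()] = value.strip().upper()
    return settings


def audit_settings(settings):
    """Return (key, effective_value, recommended_value) for each deviation.

    The effective value of a key missing from the listing is its default.
    """
    findings = []
    for key, recommended in RECOMMENDED.items():
        effective = settings.get(key, DEFAULTS[key])
        if effective != recommended:
            findings.append((key, effective, recommended))
    return findings


def restart_required(findings):
    """All three keys require a server restart after a change (per the tables)."""
    return bool(findings)


# Constructed sample: a default installation where only ENCRYPTION and
# AUTHENTICATION were written out and COMPATIBILITY was never touched.
SAMPLE_DEFAULT_INSTALL = """
# constructed UC_AS_SETTINGS listing
ENCRYPTION = AES-256
AUTHENTICATION = NO
"""

# Constructed sample after applying the recommended values.
SAMPLE_HARDENED = """
AUTHENTICATION = LOCAL_REMOTE
ENCRYPTION = AES-256
COMPATIBILITY = NO
"""

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT_INSTALL),
                       ("hardened", SAMPLE_HARDENED)):
        findings = audit_settings(parse_settings(text))
        print(f"{name}: {len(findings)} finding(s), "
              f"server restart needed: {restart_required(findings)}")
        for key, effective, recommended in findings:
            print(f"  {key}: is {effective}, recommended {recommended}")
```

Run against the constructed default listing the script reports AUTHENTICATION at NO and COMPATIBILITY at its implicit default YES; the hardened listing produces no findings. Because every deviation is reported together with the value the server actually applies, the output doubles as the change list for the restart that all three keys require.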

Change Default Passwords

After installing the Automation Engine, a default administrative user account called UC exists for client 0000.

For security reasons it is highly recommended to change the default password and the user name of this highly privileged user.

You can change the password of a user following these steps:

  1. Log in to AWI
  2. Open the drop-down user menu
  3. Select Change Password and fill out the fields in the following dialog as required: