

The support matrix is very unclear about what products can be used with various versions of ESM. Does anyone know if Connector 8.1 can be used with ESM 6.11? We do not have a 6.11 ESM on our site but some of our customers do and we can't just install on their site to test.
Accepted Solutions


Will it work? Yes, if you change the cipher settings.
Supported? Unclear, as default settings prevent FW >=8 from connecting to at least 6.9.1 and probably 6.11.
Will it work? Yes, if you change the cipher settings.


ssl.cipher.suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
I took my info from the "6.9.1c GA admin guide"; there was a section:
Cipher suite
A set of authentication, encryption, and data integrity algorithms used for securely exchanging data
between an SSL server and a client.
Depending on FIPS mode settings, some of the following cipher suites are automatically enabled
for ESM and its clients:
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
The cipher suites that are enabled are configured by ArcSight Wizards in property files. Although in
most cases you do not need to change the cipher suites, you can configure them in the
corresponding properties file for an ArcSight component:
| Component | Property File | Property |
| --- | --- | --- |
| Manager | config/server.properties | servletcontainer.jetty311.socket.https.ciphersuites |


ESM 6.11 Admin guide explains
FIPS 140-2
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
Note: These are the same ciphersuites as are used for non-FIPS mode.
FIPS Suite B
In 192 bit mode, the following 192-bit ciphersuites are supported.
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
In 128 bit mode, the following 128-bit ciphersuites are supported.
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256


And this is from the 8.1 agent.defaults.properties... I think you will be able to manage the right combinations from here.
# Cipher suites allowed for outgoing SSL connections.
#
# The following cipher suites are supported:
#
# SSL_RSA_WITH_RC4_128_MD5
# SSL_RSA_WITH_RC4_128_SHA
# TLS_RSA_WITH_AES_128_CBC_SHA
# TLS_DHE_RSA_WITH_AES_128_CBC_SHA
# TLS_DHE_DSS_WITH_AES_128_CBC_SHA
# SSL_RSA_WITH_DES_CBC_SHA
# SSL_DHE_RSA_WITH_DES_CBC_SHA
# SSL_DHE_DSS_WITH_DES_CBC_SHA
# SSL_RSA_EXPORT_WITH_RC4_40_MD5
# SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
# SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
# SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
# SSL_RSA_WITH_NULL_MD5
# SSL_RSA_WITH_NULL_SHA
# SSL_DH_anon_WITH_RC4_128_MD5
# TLS_DH_anon_WITH_AES_128_CBC_SHA
# SSL_DH_anon_WITH_DES_CBC_SHA
# SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
# SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
#
ssl.cipher.suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256
# In FIPS mode
ssl.fips.cipher.suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ssl.fips.suiteb.128.cipher.suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ssl.fips.suiteb.192.cipher.suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
I assume your question is not answered in the direction you wanted it to be answered, aka can the Framework still feed events to an old ESM?
8.0 could feed 6.9.1 with those adjustments.
KR
A


Error [com.arcsight.common.b.m: Couldn’t connect to ArcSight Manager: <manager_name> (proxy: [none]) Received fatal alert: handshake_failure]
is the error you would see in the logs.
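
A worked check for the mismatch discussed in this thread, as an added example that is not part of any post and not ArcSight code: it intersects the connector's ssl.cipher.suites value with the suites the quoted admin guide excerpts list for the Manager. Function names are illustrative and the lists are copied from the posts above; an empty intersection is the case that ends in the handshake_failure alert.

```python
# Added example, not ArcSight code. Suite lists are copied from the posts in this
# thread; a Manager's real enabled set is whatever its server.properties holds.
DEFAULT_81 = """\
# SSL_RSA_WITH_NULL_SHA   (commented 'supported' list: must be ignored)
ssl.cipher.suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256
"""
ADJUSTED_81 = DEFAULT_81.rstrip("\n") + ",TLS_RSA_WITH_AES_128_CBC_SHA\n"
ESM = {  # as listed in the quoted 6.9.1c and 6.11 admin guide excerpts
    "6.9.1": ["TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
              "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"],
    "6.11 non-FIPS": ["TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"],
}

def parse_suites(properties_text, key="ssl.cipher.suites"):
    """Return the suites set for `key`; comment lines are skipped, last value wins."""
    suites = []
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            suites = [s.strip() for s in value.split(",") if s.strip()]
    return suites

def common_suites(offered, enabled):
    """Suites the connector offers that the Manager also enables, in offer order."""
    return [s for s in offered if s in set(enabled)]

def weaknesses(suite):
    """What is given up when this suite is the one that makes the connection work."""
    notes = []
    if suite.startswith("TLS_RSA_"):
        notes.append("static RSA key exchange, no forward secrecy")
    if "_CBC_" in suite:
        notes.append("CBC mode, not AEAD")
    return notes

def report():
    """Map (connector config, ESM version) to the shared suites; [] means no handshake."""
    configs = {"default": DEFAULT_81, "adjusted": ADJUSTED_81}
    return {(c, v): common_suites(parse_suites(text), enabled)
            for c, text in configs.items() for v, enabled in ESM.items()}

if __name__ == "__main__":
    for (config, version), shared in report().items():
        print(f"8.1 {config:8} -> ESM {version:13}: {shared or 'handshake_failure'}")
        for s in shared:
            print(f"    {s}: {'; '.join(weaknesses(s)) or 'no notes'}")
```

A shared suite is necessary for the handshake to succeed, not proof that it will; the suite that bridges 8.1 to the 6.9.1 list is a CBC suite with static RSA key exchange, which is worth recording wherever the connector default is widened.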

Hey brettpladna,
please check release notes. They state exactly what vitz1 already explained in great detail.
In connector release 8 and forward, the support for some of the crypto material has been changed.
So ESM and the connectors work with each other, but you need to make sure (by configuration settings vitz1 has highlighted), that they both use the same crypto-standards.
HTH,
t00r
P.S.: please make sure to mark the appropriate post as solution and/or like it, so others in the community can more easily find solutions to similar problems.
thanks all and stay safe


Customer: ESM v6.11p4 ; SC v7.14
The question was: is SC v8.1 compatible and/or supported for use in conjunction with ESM v6.11p4 (non-FIPS)?
The latest matrix has everything blanked out beyond ESM v7.2p1
And the release notes do not address the question.
If there is documentation that exists on this site stating so or otherwise that's what the goal is. "Does MF support the use of SC 8.1 > ESM 6.11p4"? Yes/No
Thank you




That's fine. If you're going to have a support matrix to help with what to install and not to install, then be clear in it. That's all I am saying. I shouldn't have to go through 3 or more documents to get an answer every time there is an update to a product.