Configuring Traffic Security
This topic describes how to encrypt data in transit.
As a built-in security mechanism, the ITM On-Prem (ObserveIT) Agents and Application Server use a token exchange mechanism to prevent session hijacking and replay, and to encrypt the data communication. The security mechanisms for this communication include encryption (Rijndael), digital signing, and token exchange.
When installing a new Application Server, by default, ObserveIT's server installation offers to create an additional website in IIS that will be configured to listen to TCP port 4884 (although it is also possible to use the regular HTTP protocol specifications and use TCP port 80 or any other TCP port).
Encryption can be enabled to further secure the communications:
- Between the Agents and the Application Server (HTTPS)
- Between the Application Server and the Database Server (HTTPS)
- Between the Application Server and the file share holding the graphic images (IPsec)
HTTPS can be used on the ITM On-Prem (ObserveIT) website (either optional or mandatory) to protect the data transferred by the Agents to the ITM On-Prem (ObserveIT) Application Server.
If you are deploying more than one Application Server, you must use a network load balancing product. This can be a software-based load balancing solution such as Microsoft Network Load Balancing (NLB), or hardware-based solutions such as F5, Citrix NetScaler, or others. In that case, the digital certificate used for this traffic must be identical for all Application Servers, which can be achieved by creating it on the first Application Server, exporting it (including the private key), and importing it to the other Application Servers.
Windows and Unix/Linux Agents comply with the FIPS security standard and can be deployed on any supported FIPS-enabled machine. For details, see FIPS Compliant Agents.
On Windows systems, when key logging is enabled, the data that the Agent captures and sends to the Application Server is encrypted (using SHA256 with the asymmetric "salt" hashing algorithm) and stored in the Database Server. To protect the keylogger data and further secure the communication, however, it is advised that you enable HTTPS (SSL or TLS) on the traffic between the Agent and the Application Server. On Unix/Linux systems, it is likewise advised that you enable HTTPS (SSL or TLS) on the traffic between the Agent and the Application Server, to protect the captured output data transmitted by the Agent. For details on how to enable HTTPS, see Enabling SSL on the ITM On-Prem (ObserveIT) Application Server/Web Console Server.
The following topics describe how to secure traffic between the ITM On-Prem (ObserveIT) Agent and the Application Server, and between the Application Server and the Database Server:
- Enabling SSL on the ITM On-Prem (ObserveIT) Application Server/Web Console Server
- Configuring ITM On-Prem (ObserveIT) to Use TLS for Securing Traffic
- Configuring an ITM On-Prem Windows Agent (ObserveIT Windows Agent) to Use SSL/TLS
- Configuring a Mac Agent to Use SSL
- Configuring the ITM On-Prem (ObserveIT) Database Server to Use SSL/TLS
Requirements
HTTPS can be used on the ITM On-Prem (ObserveIT) website (either optional or mandatory) to protect the data transferred by the Agents to the ITM On-Prem (ObserveIT) Application Server.
If you plan to deploy more than one Application Server, you must use a network load balancing product. This can be a software-based load balancing solution such as Microsoft Network Load Balancing (NLB), or hardware-based solutions such as F5, Citrix NetScaler, or others. In that case, the digital certificate used for this traffic must be identical for all Application Servers, which can be achieved by creating it on the first Application Server, exporting it (including the private key), and importing it to the other Application Servers.
Required steps to enable traffic encryption between the ITM On-Prem (ObserveIT) Agents and the Application Server:
- Obtain a digital certificate.
- Encrypt the traffic from ITM On-Prem (ObserveIT) Agents to ITM On-Prem (ObserveIT) Application Server.
- Configure ITM On-Prem (ObserveIT) Agent for Windows to use SSL.
- Configure the ITM On-Prem (ObserveIT) Agent for Mac to use SSL.
- Configure the ITM On-Prem (ObserveIT) Agent for Unix/Linux to use SSL.
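The certificate replication that the multi-server requirement above calls for, written here as an added PowerShell example (not a script from the ObserveIT documentation): export the certificate with its private key on the first Application Server, import it and bind it to the HTTPS site on TCP 4884 on each additional server, then confirm every server presents the same thumbprint. The DNS name, IIS site name, PFX path and server names are assumptions.

```powershell
# Added example; not ObserveIT's own tooling. Assumed values:
$DnsName  = 'observeit-app.example.com'   # assumed: load-balanced name the Agents connect to
$SiteName = 'ObserveIT'                   # assumed: IIS site that listens on TCP 4884
$PfxPath  = 'C:\certs\observeit-app.pfx'  # assumed: copy this file to each Application Server

function Export-AppServerCert {
    # Run on the FIRST Application Server: export the certificate WITH its private key.
    param([string]$DnsName, [string]$PfxPath, [securestring]$Password)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$DnsName" -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for CN=$DnsName" }
    # Fails if the key was generated non-exportable; reissue the certificate in that case.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    return $cert.Thumbprint
}

function Import-AppServerCert {
    # Run on EACH additional Application Server after copying the PFX there.
    param([string]$PfxPath, [securestring]$Password, [string]$SiteName)
    $cert = Import-PfxCertificate -FilePath $PfxPath -Password $Password `
                -CertStoreLocation Cert:\LocalMachine\My
    Import-Module WebAdministration
    # Add the HTTPS binding on 4884 if it is missing, then attach the imported certificate.
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 4884)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 4884 -IPAddress '*'
    }
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 4884
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
    return $cert.Thumbprint
}

function Test-AppServerCertConsistency {
    # Run from a host with WinRM access: every server must present the same thumbprint,
    # otherwise Agents behind the load balancer see a certificate that changes per node.
    param([string[]]$Servers, [string]$ExpectedThumbprint, [string]$SiteName)
    $found = Invoke-Command -ComputerName $Servers -ScriptBlock {
        $b = Get-WebBinding -Name $using:SiteName -Protocol https -Port 4884
        [pscustomobject]@{ Thumbprint = if ($b) { $b.certificateHash } else { '<no https binding>' } }
    }
    foreach ($r in $found) {
        $status = if ($r.Thumbprint -eq $ExpectedThumbprint) { 'OK' } else { 'MISMATCH' }
        '{0,-20} {1} {2}' -f $r.PSComputerName, $status, $r.Thumbprint
    }
}

# Usage on the first server, then on each additional server, then from any admin host:
# $pw = Read-Host -AsSecureString 'PFX password'
# $tp = Export-AppServerCert -DnsName $DnsName -PfxPath $PfxPath -Password $pw
# Import-AppServerCert -PfxPath $PfxPath -Password $pw -SiteName $SiteName
# Test-AppServerCertConsistency -Servers 'appsrv01','appsrv02' -ExpectedThumbprint $tp -SiteName $SiteName
```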
Go to Custom Installation Steps.