MD <--> TWC Cybersecurity

Discussions about Java virtual machine, installation, and running

Moderator: Moderators

MD <--> TWC Cybersecurity

Postby richard.weedon.ctr@navy.mil » Thu May 06, 2021 3:13 pm

We are looking into hosting TWC. To this point, the US DoD (DISA PPSM) finds the comms between MD clients and TWC not using secure encryption. I assume on the TCP data link. This was previously referred to as FIPS compliance but now is whittled down only SHA265 or higher TLS 1.2 ciphers. Enterprise network cybersecurity does not like TCP/binary (non-http) as it is. Has 2021x resolved this? Has anyone confirmed what highest encryption is possible on 19SP4 comms? Since Java 8, TLS 1.2 ability is built-in. Even if omitting SHA1 ciphers is not.

For brevity, lets omit flexnet/license comms. Just the HTTP and TCP comms used by MD clients talking to TWC Server hosted across a WAN/internet.
richard.weedon.ctr@navy.mil
Forum Newbie
Forum Newbie
 
Posts: 5
Posts Rating:0
Joined: Thu May 06, 2021 1:01 pm

Re: MD <--> TWC Cybersecurity

Postby lukasjeffery2022@gmail.com » Wed May 12, 2021 1:37 am

I have exactly the same problem. Anyone got a suggestion?




myaarpmedicare.com
lukasjeffery2022@gmail.com
Forum Newbie
Forum Newbie
 
Posts: 1
Posts Rating:0
Joined: Wed May 12, 2021 1:32 am

Re: MD <--> TWC Cybersecurity

Postby richard.weedon.ctr@navy.mil » Wed May 12, 2021 11:48 am

[quote="lukasjeffery2022@gmail.com"]I have exactly the same problem. Anyone got a suggestion?

What encryption have you seen getting used? Or is it just TCP connection IA/cyber does not like?

I do not get why the encryption level is an issue. It is built-in since Java 7 and is default in Java 8. This might be fixed by launching MD client TWC module with an added switch.

https://www.baeldung.com/java-7-tls-v12
richard.weedon.ctr@navy.mil
Forum Newbie
Forum Newbie
 
Posts: 5
Posts Rating:0
Joined: Thu May 06, 2021 1:01 pm

Re: MD <--> TWC Cybersecurity

Postby r.eastman@f5.com » Thu May 20, 2021 5:02 pm

I configured TeamWork Cloud 19 SP3 using a BIG-IP as a reverse proxy and SAML IdP for DoD certificate auth. I configured all services to be proxied and use a TLS client/server profile. All services except the TCP license server now use the following ciphers between the TWC Admin page, TWC Auth, TWC rest, License Server admin page and the Cameo System Modeler app TLS. The CSM license .jar will not respond to a TLS profile so that runs over port TCP/443 unencrypted, but still reverse proxied using address/port translation to the TWC license server.
These are the only ciphers allowed:
ID SUITE BITS PROT CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 AES SHA384 ECDHE_RSA
2: 157 AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 RSA
3: 61 AES256-SHA256 256 TLS1.2 AES SHA256 RSA
4: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 ECDHE_ECDSA
5: 49188 ECDHE-ECDSA-AES256-SHA384 256 TLS1.2 AES SHA384 ECDHE_ECDSA
6: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 EDH/RSA
7: 107 DHE-RSA-AES256-SHA256 256 TLS1.2 AES SHA256 EDH/RSA
r.eastman@f5.com
Forum Newbie
Forum Newbie
 
Posts: 1
Posts Rating:0
Joined: Mon May 17, 2021 5:01 pm


Return to Installing and running

Who is online

Users browsing this forum: No registered users and 1 guest