MD <--> TWC Cybersecurity


Postby richard.weedon.ctr@navy.mil » Thu May 06, 2021 3:13 pm

We are looking into hosting TWC. To this point, the US DoD (DISA PPSM) finds the comms between MD clients and TWC not using secure encryption. I assume on the TCP data link. This was previously referred to as FIPS compliance but now is whittled down only SHA265 or higher TLS 1.2 ciphers. Enterprise network cybersecurity does not like TCP/binary (non-http) as it is. Has 2021x resolved this? Has anyone confirmed what highest encryption is possible on 19SP4 comms? Since Java 8, TLS 1.2 ability is built-in. Even if omitting SHA1 ciphers is not.

For brevity, let's omit flexnet/license comms. Just the HTTP and TCP comms used by MD clients talking to TWC Server hosted across a WAN/internet.
richard.weedon.ctr@navy.mil
Forum Newbie
Posts: 5
Posts Rating:0
Joined: Thu May 06, 2021 1:01 pm

Re: MD <--> TWC Cybersecurity

Postby richard.weedon.ctr@navy.mil » Wed May 12, 2021 11:48 am

[quote="lukasjeffery2022@gmail.com"]I have exactly the same problem. Anyone got a suggestion?[/quote]

What encryption have you seen getting used? Or is it just TCP connection IA/cyber does not like?

I do not get why the encryption level is an issue. It is built-in since Java 7 and is default in Java 8. This might be fixed by launching MD client TWC module with an added switch.

https://www.baeldung.com/java-7-tls-v12
richard.weedon.ctr@navy.mil
Forum Newbie
Posts: 5
Posts Rating:0
Joined: Thu May 06, 2021 1:01 pm

Re: MD <--> TWC Cybersecurity

Postby r.eastman@f5.com » Thu May 20, 2021 5:02 pm

I configured TeamWork Cloud 19 SP3 using a BIG-IP as a reverse proxy and SAML IdP for DoD certificate auth. I configured all services to be proxied and use a TLS client/server profile. All services except the TCP license server now use the following ciphers between the TWC Admin page, TWC Auth, TWC rest, License Server admin page and the Cameo System Modeler app TLS. The CSM license .jar will not respond to a TLS profile so that runs over port TCP/443 unencrypted, but still reverse proxied using address/port translation to the TWC license server.
These are the only ciphers allowed:
      ID  SUITE                          BITS  PROT    CIPHER   MAC     KEYX
0: 49200  ECDHE-RSA-AES256-GCM-SHA384    256   TLS1.2  AES-GCM  SHA384  ECDHE_RSA
1: 49192  ECDHE-RSA-AES256-SHA384        256   TLS1.2  AES      SHA384  ECDHE_RSA
2:   157  AES256-GCM-SHA384              256   TLS1.2  AES-GCM  SHA384  RSA
3:    61  AES256-SHA256                  256   TLS1.2  AES      SHA256  RSA
4: 49196  ECDHE-ECDSA-AES256-GCM-SHA384  256   TLS1.2  AES-GCM  SHA384  ECDHE_ECDSA
5: 49188  ECDHE-ECDSA-AES256-SHA384      256   TLS1.2  AES      SHA384  ECDHE_ECDSA
6:   159  DHE-RSA-AES256-GCM-SHA384      256   TLS1.2  AES-GCM  SHA384  EDH/RSA
7:   107  DHE-RSA-AES256-SHA256          256   TLS1.2  AES      SHA256  EDH/RSA
r.eastman@f5.com
Forum Newbie
Posts: 1
Posts Rating:0
Joined: Mon May 17, 2021 5:01 pm
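
An added example, not part of the post above or of any vendor tooling: a small Python audit of a cipher listing in the column layout shown above, checked against the requirement raised at the top of the thread (TLS 1.2 with SHA-256 or stronger). The allowlists, the function names and the two failing rows in the sample are assumptions constructed for illustration.

```python
import re

# Constructed sample in the same column layout as the listing in the thread.
# The last two rows are added here to show what a failing entry looks like.
SAMPLE = """\
ID SUITE BITS PROT CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 ECDHE_RSA
1: 61 AES256-SHA256 256 TLS1.2 AES SHA256 RSA
2: 49172 ECDHE-RSA-AES256-SHA 256 TLS1.2 AES SHA ECDHE_RSA
3: 53 AES256-SHA 256 TLS1 AES SHA RSA
"""

ROW = re.compile(
    r"^\s*\d+:\s+(?P<id>\d+)\s+(?P<suite>\S+)\s+(?P<bits>\d+)\s+"
    r"(?P<prot>\S+)\s+(?P<cipher>\S+)\s+(?P<mac>\S+)\s+(?P<keyx>\S+)\s*$"
)
ALLOWED_PROTOCOLS = {"TLS1.2"}        # assumption: policy is TLS 1.2 only
ALLOWED_MACS = {"SHA256", "SHA384"}   # assumed reading of "SHA-256 or higher"

def parse_listing(text):
    """Turn each 'N: id suite bits prot cipher mac keyx' row into a dict."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # header and blank lines do not match and are skipped
            continue
        row = m.groupdict()
        row["id"] = int(row["id"])
        row["bits"] = int(row["bits"])
        # The IANA registry writes suite ids as two bytes: 49200 -> 0xC0,0x30
        row["iana"] = "0x{:02X},0x{:02X}".format(row["id"] >> 8, row["id"] & 0xFF)
        rows.append(row)
    return rows

def audit(text):
    """Return (suite, iana_id, reasons) for every row that fails the policy."""
    findings = []
    for row in parse_listing(text):
        reasons = []
        if row["prot"] not in ALLOWED_PROTOCOLS:
            reasons.append("protocol " + row["prot"])
        if row["mac"] not in ALLOWED_MACS:
            reasons.append("MAC " + row["mac"])
        if reasons:
            findings.append((row["suite"], row["iana"], reasons))
    return findings

if __name__ == "__main__":
    for suite, iana, reasons in audit(SAMPLE):
        print(f"FAIL {suite} ({iana}): {', '.join(reasons)}")
```

The two-byte id in each finding lets an assessor look the suite up in the IANA TLS cipher suite registry regardless of which naming scheme the proxy or the Java client reports.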

