Advanced Security Settings
Configuration > Overlays & Security > Security > Advanced Security Settings
Use the Advanced Security Settings dialog box to enable various security features for your network. Proceed with caution because setting these features can adversely affect your network. By default, all settings are automatically enabled for new Orchestrator installations starting with 9.3.1. Orchestrator upgrades retain previous advanced security settings except for Perform Additional Identity Verification on Web Sockets, which is always enabled and is no longer displayed as a setting on the Advanced Security Settings dialog box.
IMPORTANT: These settings can adversely affect your network. Understand the effects of changing them and proceed with caution. HPE Aruba Networking strongly recommends that these settings always be enabled, including Secure Shell Access.
The following security settings enable appliances to verify certificates. EdgeConnect appliances are pre-loaded with the Mozilla root store, which contains the root certificates of public certificate authorities (CAs). Appliances use this root store for cryptographic verification when opening Transport Layer Security (TLS) connections to Orchestrator and the Cloud Portal.
- Verify Orchestrator and Stats Collector Certificates
  Enables appliances to verify the Orchestrator and Stats Collector certificates. Disable this setting if any of the following statements are true:
  - Orchestrator or Stats Collector uses a self-signed certificate.
  - Orchestrator or Stats Collector is behind a proxy server.
  - Any appliances in your network are not configured with the Orchestrator or Stats Collector domain name.
  - Appliances are using Orchestrator as a proxy to reach the Cloud Portal, but Orchestrator does not have a valid certificate.
  - Orchestrator does not have a certificate signed by a public certificate authority (CA) or does not have the appropriate private CA root certificate.
- Verify Cloud Portal Certificate
  Enables appliances to verify the Silver Peak Cloud Portal certificate. Disable this setting if any of the following statements are true:
  - Any appliance in your network is behind a proxy server.
  - Orchestrator is not configured with the Cloud Portal domain name.
  - Any appliance in your network is not configured with the Cloud Portal domain name.
To verify that your appliances can connect to the Cloud Portal and Orchestrator by using your current CA Certificate Trust Store, click Check Connectivity Using Current Trust Store.
NOTE: If you are not using a custom CA Certificate Trust Store, the verification process uses the default trust store. For details about custom trust stores, refer to Custom CA Certificate Trust Store.
IMPORTANT: If Common Criteria mode is enabled, this setting will be overridden and certificates will always be verified.
The Check Connectivity to Portal and Orchestrator dialog box opens.
The top portion indicates verification progress and results. The table explains any unsuccessful connections.
The Advanced Security Settings dialog box also displays the following security settings:
- Enforce CSRF Token Check
  Enables Cross-Site Request Forgery (CSRF) token checking. Use this setting while using Orchestrator REST APIs and to avoid CSRF vulnerabilities. Before you enable this setting, be sure that the X-XSRF-TOKEN header in your script is set to the orchCsrfToken value returned by Orchestrator. This ensures that requests are legitimate and do not come from unauthorized sources, which helps prevent CSRF attacks and enhances security.
  NOTE: It is highly recommended that you enable this setting. Any API scripts must be verified to ensure that X-XSRF-TOKEN is set appropriately.
- Verify System Files Integrity
  Enables verification of image signatures of binaries during the bootup process for appliances that are not FIPS certified. Appliances will verify the integrity of library and executable files. FIPS-certified appliances will ignore this setting and will always verify signatures of binaries at bootup. Be aware that enabling this setting increases bootup time by five or more minutes.
- Verify Image Signature
  Enables verification of image signatures for appliance software upgrades. If the appliance is FIPS enabled, this verification will always occur. If not FIPS enabled, this setting will control whether the image is verified.
  - If enabled, the appliance software checks for a digital signature match. If the signature is valid, the installation or upgrade process continues.
  - If verification fails, the upgrade process fails.
- Appliance Shell Access Setting
  Sets the level of Linux shell access to all appliances that Orchestrator manages. Orchestrator pushes this setting to all appliances.
  NOTE: When FIPS is enabled, shell access is disabled.
  - Open Shell Access – Allows users to fully use the appliance Linux shell. For new installations, this setting is no longer available.
  - Secure Shell Access – Restricts Linux shell use by requiring token access from Support. This is the default setting for new installations.
  - Disabled Shell Access – Completely locks down access to the appliance Linux shell.
    IMPORTANT: Once shell access is disabled, it cannot be reverted to secure shell access. You must redeploy to a new or remanufactured appliance.
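Added example (not HPE Aruba Networking code): a check to run before enabling Enforce CSRF Token Check, which reads orchCsrfToken and confirms that each request a script would send carries a matching X-XSRF-TOKEN header. It assumes the token arrives as a cookie named orchCsrfToken; the sample cookies, placeholder request paths and helper names are constructed, and every request is checked because this page does not say which methods are enforced.

```python
import hmac
from http.cookies import SimpleCookie

CSRF_COOKIE = "orchCsrfToken"  # name from the page; delivery as a cookie is assumed
CSRF_HEADER = "X-XSRF-TOKEN"   # header name from the page

# Constructed sample data (not captured from a real Orchestrator).
SAMPLE_SET_COOKIE = [
    "sessionid=constructed-session; Path=/; HttpOnly",
    "orchCsrfToken=c0nstructed-token-123; Path=/; Secure",
]
SAMPLE_REQUESTS = [  # (method, placeholder path, headers the script would send)
    ("GET", "/example/resource-a", {"x-xsrf-token": "c0nstructed-token-123"}),
    ("POST", "/example/resource-b", {"Content-Type": "application/json"}),
    ("DELETE", "/example/resource-c", {"X-XSRF-TOKEN": "token-from-old-login"}),
]

def extract_csrf_token(set_cookie_headers):
    """Return the orchCsrfToken value found in Set-Cookie lines, or None."""
    for line in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(line)
        if CSRF_COOKIE in jar:
            return jar[CSRF_COOKIE].value
    return None

def with_csrf_header(headers, token):
    """Copy headers and add X-XSRF-TOKEN; refuse to send without a token."""
    if not token:
        raise ValueError("no orchCsrfToken available; log in again")
    merged = dict(headers)
    merged[CSRF_HEADER] = token
    return merged

def audit_requests(planned, token):
    """List requests whose X-XSRF-TOKEN is missing or differs from token."""
    findings = []
    for method, path, headers in planned:
        # HTTP header names are case-insensitive.
        sent = {k.lower(): v for k, v in headers.items()}.get(CSRF_HEADER.lower())
        if sent is None:
            findings.append((method, path, "missing"))
        elif not hmac.compare_digest(sent.encode(), token.encode()):
            findings.append((method, path, "mismatch"))
    return findings

if __name__ == "__main__":
    token = extract_csrf_token(SAMPLE_SET_COOKIE)
    for finding in audit_requests(SAMPLE_REQUESTS, token):
        print(finding)
```

An empty findings list means every request in the script already sends the current token; a "mismatch" usually points to a token cached from an earlier login.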