Security Refresh (OpenSSL 1.02f)

Universal Agent 6.3.0.1 implements the latest OpenSSL toolkit for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. This ensures that the Universal Agent and it's components have the latest security fixes available. This implementation introduces several new and stronger cipher suites for encrypting control and data sessions. Cipher suite defaults for new installs have also been updated to reflect changes in security encryption standards. Existing users who are upgrading from older Universal Agent versions will not have their defaults automatically updated and should consider reviewing these to ensure that any corporate security standards are complied with.

New Cipher Suites

The following new SSL Cipher Suites have been made available:

AES128-GCM-SHA256 - 128-bit AES encryption in Galois Counter Mode, SHA-2 256-bit message digest.
AES256-GCM-SHA384 - 256-bit AES encryption in Galois Counter Mode, SHA-2 384-bit message digest.

Note

RC4_* and DES_* SSL cipher suites will be deprecated in a future release of Universal Agent.

Configuration File Security Changes

Universal Agent configuration files default access rights have been changed to owner and group read only.

Universal Encrypt Enhancements

The –aes option for uencrypt now defaults to yes, meaning that encrypted files will be by default use AES 256 bit encryption, previously the default was no which used DES 56 bit encryption. If customers do not supply their own key (-k option) an internal key is used for the encryption, this has been expanded to a 32 bit key. This means that Agent versions prior to 6.3.0.1 will not be able to use uencrypted files generated with the new defaults, this affects managers (ucmd, udm, etc) and the Universal Controller CLI. A new legacy option for the –aes option will force the new version to use the old internal key to maintain backward compatibility.

Universal Data Mover Peer Authentication

UDM now supports peer authentication. This allows a UDM manager to validate the identity via host-name and/or serial number of a remote Universal Broker certificate. Support has been added for both 2 party and 3rd party transfers.

SAP Process Chain Restart Enhancements

A USAP command ID can now be associated with an SAP process chain instance to facilitate a simplified restart process for failed SAP Process Chains.

Browser not supported