
Advanced Security

The Automation Engine provides several mechanisms that can be used to protect your AE system from unauthorized usage.

Two categories of mechanisms can be distinguished:

  1. Authorization system
  2. Data encryption

A detailed description of the first one is available in the Administration Guide. This document contains detailed information about encryption.

General Information

An AE system consists of various components that are distributed among several computers and communicate with each other. For example, the Automation Engine sends the JCL to an agent, which processes it on its computer and reports the result back. Encryption is possible for the communication between the individual components. This prevents potential hackers from reading or modifying transferred data. In addition, you can use an authentication method in order to prevent a hacker from pretending to be a component.

Data encryption provides security, but additional protective mechanisms such as access rights to sensitive data and physical access protection for the servers are required in order to ensure the greatest possible security level.

The connection to the AE database is protected by the database vendor's database client.

Passwords are stored in the database in encrypted form.

Encryption Types

You can define whether communication between the components should be dealt with in encrypted form. If you opt for encryption, you can determine the encryption strength (AES-128, AES-192 and AES-256 are available).

Even the greatest possible encryption strength has no negative effect on the AE system's performance.

Encryption goes hand in hand with authentication. In user sessions, the login data is used for authentication. The agents confirm their identity differently.

Authentication Methods 

The Company Key is very important for the authentication process. Depending on the authentication method, it is composed of your AE system name or a string you define.

The following three authentication methods are available:

Authentication method / Description

None
  An agent that starts for the first time can immediately log on to the AE system. The Company Key (a term used in each AE system) is automatically derived from the AE system's name. It prevents an agent from logging on to an AE system with a different Company Key afterwards.

Server
  The Company Key must be determined during the Automation Engine installation. Subsequently, it can be exported to a file and used during agent installation. The agents can log on to the AE system when they start for the first time, but they cannot automatically be used. The administrator must release them in the System Overview of client 0000. By doing so, the Automation Engine automatically transfers the authentication package via the line to the relevant agent. Only then is the agent authenticated and ready to use.

Server and agent
  The Company Key must be determined during the Automation Engine installation. Some preparatory work is required to make sure that the agents can log on to the AE system. Create an Agent object for each agent in system client 0000. Subsequently, export an authentication package and store it on the agent's computer for the installation. Now the agent is ready to use.

In order to guarantee a highly secure installation, Automic recommends transferring the authentication package to the agent either manually or via a secure line. Doing so ensures that potential hackers never obtain access to the authentication package via the network.

The authentication method you select affects the commands shown in the System Overview, category "Agent".

It is also possible to withdraw an authentication of an agent. Highlight the relevant agent in the System Overview of client 0000 and select the corresponding context menu command. The agent can no longer be used until it has been re-authenticated.

Settings

Encryption

By default, the highest possible encryption strength is activated. Log on to system client 0000 to adjust this strength or deactivate encryption. The variable UC_AS_SETTINGS includes the key ENCRYPTION, which serves this purpose.

Authentication

You can specify the authentication method while installing the AE system. Subsequent modification is also possible:

Compatibility

You can use former agent versions in later versions of AE (for example, a 10.0.0 agent can also be used in an 11.0.0 AE system). This requires your AE system to be at the latest hotfix level. The Automation Engine supports the extended encryption and authentication functions. Use the variable UC_AS_SETTINGS, key COMPATIBILITY, to determine whether former components can participate in the communication.

When the compatibility option is deactivated (COMPATIBILITY=NO), the Job Messenger only accepts encrypted connections. The only exceptions are connections from the local IP addresses and from the IP addresses that are defined as exceptions in the Attributes tab of the Agent object. For example, when you use event monitors on z/OS in LPARs on different computers, you must enter the IP addresses of these computers in the Attributes tab.
The agent retrieves the list of local IP addresses from the local computer name, which it obtains from the OS.
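The following Python snippet is an added illustration, not Automic code, of the acceptance rule described above: with COMPATIBILITY=NO an unencrypted connection to the Job Messenger is only accepted from a local IP address or from an address listed as an exception in the Agent object. The function names, the sample address lists and the sample connections are constructed for this example; an administrator can use such a model to check which unencrypted peers would still be admitted before switching compatibility off.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation addresses), not taken from any real system.
LOCAL_IPS = ["127.0.0.1", "192.0.2.10"]            # what the agent resolves from its own host name
EXCEPTION_IPS = ["192.0.2.20", "192.0.2.21"]       # e.g. z/OS LPARs on other computers (Attributes tab)

# Constructed connection attempts: (peer address, is the connection encrypted?)
SAMPLE_CONNECTIONS = [
    ("127.0.0.1", False),      # local, unencrypted
    ("192.0.2.20", False),     # listed exception, unencrypted
    ("198.51.100.5", False),   # remote, unencrypted
    ("198.51.100.5", True),    # remote, encrypted
]


def job_messenger_accepts(compatibility, encrypted, peer_ip, local_ips, exception_ips):
    """Model (hypothetical, not Automic's implementation) of the rule for COMPATIBILITY.

    Encrypted connections are always accepted. Unencrypted ones are accepted when
    COMPATIBILITY is not NO, or when the peer is a local address or a listed exception.
    """
    if encrypted:
        return True
    if compatibility.strip().upper() != "NO":
        return True
    peer = ipaddress.ip_address(peer_ip)
    allowed = {ipaddress.ip_address(ip) for ip in local_ips}
    allowed |= {ipaddress.ip_address(ip) for ip in exception_ips}
    return peer in allowed


def audit_connections(compatibility, connections, local_ips, exception_ips):
    """Evaluate every sample connection and return (peer, encrypted, accepted) tuples."""
    return [
        (peer, encrypted, job_messenger_accepts(compatibility, encrypted, peer, local_ips, exception_ips))
        for peer, encrypted in connections
    ]


def rejected_peers(compatibility, connections, local_ips, exception_ips):
    """Peers that would lose access under the given COMPATIBILITY setting."""
    return sorted({peer for peer, _, ok in audit_connections(compatibility, connections, local_ips, exception_ips) if not ok})


if __name__ == "__main__":
    for setting in ("YES", "NO"):
        print(f"COMPATIBILITY={setting}")
        for peer, encrypted, ok in audit_connections(setting, SAMPLE_CONNECTIONS, LOCAL_IPS, EXCEPTION_IPS):
            print(f"  {peer:14} encrypted={encrypted!s:5} -> {'accept' if ok else 'reject'}")
```

Running the block lists which of the constructed connections are rejected once COMPATIBILITY=NO; only the unencrypted remote peer that is neither local nor an exception is turned away.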


See also:

UC_AS_SETTINGS


Copyright © 2016 Automic Software GmbH