Cipher Settings

Configuration > Overlays & Security > Security > Cipher Settings

Cipher Profile settings allow you to restrict the use of certain ciphers for the Orchestrator and EdgeConnect OS (ECOS) services that use cryptography, as outlined in the following table.

Cryptographic Service | System | Applicability
TLS | Orchestrator and ECOS | Orchestrator acts as a client or a server in various TLS connection use cases.
Tunnels | ECOS | EdgeConnect IPSec tunnels
SSH | ECOS | EdgeConnect CLI
Certificate | Orchestrator and ECOS | Orchestrator web server, EdgeConnect web server, Syslog client, and IKE-based IPSec tunnels
SNMP | ECOS | The EdgeConnect SNMP interface supports Management Information Base II (MIB-II) as described in RFC 1213. This interface is used to receive notifications or traps from the appliance whenever an alarm is raised or cleared. SNMP is not used for configuration.
NTP | ECOS | Secure NTP is available starting with ECOS Release 9.4.2.
Cluster | ECOS | The cluster feature was introduced in Orchestrator Release 9.5.2; security configuration is performed in the Cipher Profile settings in Orchestrator Release 9.6.0.

Cipher restrictions are applied to cryptographic services using a Cipher Profile. Some cryptographic services apply to both Orchestrator and EdgeConnect OS (ECOS) and some apply only to ECOS.

Cipher Profile settings determine which ciphers, algorithms, or parameters are allowed to be used by services requiring cryptographic functions. Changing the Cipher Profile settings may or may not change the ciphers used in existing connections and configurations.

IMPORTANT: For cryptographic services that require direct configuration, such as ECOS IPSec tunnels, you must manually change the configuration of the service before activating Cipher Profile changes.

This topic describes the following:

Service Impacts of Activating Cipher Profiles

The following table describes the impact to Orchestrator and ECOS for each cryptographic service when a Cipher Profile is activated, and actions the user must take to modify the service configuration.

TLS
  Impact to Orchestrator: Changing the Cipher Profile changes the service configuration. You must validate the profile changes before applying them using the Validate button. After changing the Cipher Profile, existing TLS sessions remain up.
    Self-Hosted/On-Prem Orchestrators: Perform a service gms restart using the Orchestrator CLI, at which point existing TLS sessions are dropped. After the gms service is restarted, TLS sessions are automatically reestablished with the new Cipher Profile settings.
    Orchestrator-as-a-Service: Changing the Cipher Profile only affects services for which Orchestrator is the client, such as API connections to third-party services. You will need to open a TAC case to restart the Orchestrator as a Service (OaaS) to have TLS Cipher Profile changes take effect.
  Impact to ECOS: Changing the Cipher Profile changes the service configuration. You must validate the profile changes before applying them using the Validate button. After changing the Cipher Profile, TLS sessions are dropped and reestablished.

Tunnels
  Impact to Orchestrator: Not applicable.
  Impact to ECOS: Changing the Cipher Profile DOES NOT change the service configuration for any use case. You must perform tunnel configurations before changing the Cipher Profile, and you must explicitly validate the service configuration against the intended (to be activated) Cipher Profile.
    IMPORTANT: Existing tunnels, established with settings that will be disallowed in the intended Cipher Profile, will be DROPPED when the new Cipher Profile is activated.

SSH
  Impact to Orchestrator: For self-hosted/on-prem Orchestrators, SSH configuration is performed at the Linux level via the SSH config file; Cipher Profile settings do not apply. SSH does not apply to Orchestrator-as-a-Service.
  Impact to ECOS: Changing the Cipher Profile changes the service configuration. ECOS SSH configuration is orchestrated via the Cipher Profile settings. There is no need to configure via CLI.

Certificate
  Impact to Orchestrator: Existing end entity certificates configured with settings not allowed in the new/intended Cipher Profile will be invalid and not usable. You must validate the profile changes before applying them using the Validate button.
  Impact to ECOS: Existing end entity certificates configured with settings not allowed in the new/intended Cipher Profile will be invalid and not usable. You must validate the profile changes before applying them using the Validate button.

SNMP
  Impact to Orchestrator: Not applicable.
  Impact to ECOS: Starting with Orchestrator Release 9.5.4, ECOS SNMP configuration is performed via Orchestrator templates or via the Cipher Profile settings.

NTP
  Impact to Orchestrator: Not applicable.
  Impact to ECOS: ECOS NTP server configuration is performed via Orchestrator templates. NTP secure algorithm parameters are configured via CLI and must be validated by the user before changing the service configuration.

Cluster
  Impact to Orchestrator: Not applicable.
  Impact to ECOS: Changing the Cipher Profile changes the service configuration. The cluster feature was introduced in Orchestrator Release 9.5.2 with fixed cryptographic settings. Security configuration is performed in the Cipher Profile settings starting with Orchestrator Release 9.6.0.

NOTE: The Validate action (button) provides feedback on the compatibility of HTTPS server certificates indicating if the new Cipher Profile will work with existing TLS connections. Whether the Validate function returns a pass or fail, you can still execute the profile change. The Validate action DOES NOT verify other services such as tunnels.

For more information on EdgeConnect SD-WAN Cipher Profiles and cryptographic algorithms, see the Security Algorithms and Cipher Profiles PDF.

Preconfigured Cipher Profiles

Orchestrator provides four preconfigured Cipher Profiles.

The following figure shows the comparative restrictiveness of the preconfigured Cipher Profiles.

[Figure: comparative restrictiveness of the preconfigured Cipher Profiles]

The preconfigured Cipher Profiles cannot be edited. You can create a custom profile by cloning one of the preconfigured profiles and then editing it to match your requirements. You should clone the preconfigured profile that is the closest to your required enterprise security policy.

NOTE: As of Orchestrator Releases 9.4.4 and 9.5.4, the FIPS and Common Criteria Profiles are identical.

Cipher Settings Tab

Use the Cipher Settings tab to configure Cipher Profiles. The following table describes the fields displayed on this tab for each Cipher Profile.

Field | Description
Edit | Contains an edit button for cloned Cipher Profiles. No edit button is available for the four preconfigured profiles (Default, CSfC, FIPS, and Common Criteria) because those cannot be edited.
Profile Name | The profile name. For cloned profiles, this name is entered by the user when they clone a profile.
Comment | For the four preconfigured profiles, this is a description of the profile and indicates if it contains cipher restrictions to meet specific requirements. For cloned profiles, this shows the text the user enters in the Comments field for the profile.
Actions | Contains the user action buttons Validate, View, and Clone. When a profile is active, the Validate button turns green and the text toggles to “Active” to indicate that the profile has been activated.

You can use the Cipher Settings tab to view, clone, edit, validate and then activate, and delete Cipher Profiles.

  • To view the cipher restrictions associated with a Cipher Profile, click View. This only allows you to view the profile. It does not allow you to edit the profile.

  • To clone a Cipher Profile, click Clone.

  • To edit a cloned Cipher Profile, click the edit icon for the profile. For more information on cloning and editing a Cipher Profile, see Edit a Cloned Cipher Profile.

  • To validate a Cipher Profile, click Validate.

    • The Validate <profile name> dialog box opens.

    • What is validated: Only Orchestrator and ECOS end-entity HTTPS Server Certificates are checked for compatibility against the profile.

    • What is not validated: All other services.

    • When validation is complete, the Activate button on the dialog box is enabled. Apply the Cipher Profile by clicking Activate. Only one Cipher Profile can be active at a time.

    IMPORTANT: For services that require direct configuration, such as ECOS IPSec tunnels, you must manually change the service configuration before activating any Cipher Profile changes.

    NOTE: The Validate action (button) provides feedback on the compatibility of HTTPS server certificates, indicating if the new Cipher Profile will work with existing TLS connections. Whether the Validate function returns a pass or fail indication, the user can still execute the profile change. The Validate action DOES NOT verify other services such as tunnels.

  • To delete a cloned Cipher Profile, click the X for the profile. You cannot delete the four preconfigured Cipher Profiles.

Edit a Cloned Cipher Profile

To edit the cipher settings for a cloned Cipher Profile:

  1. Navigate to Configuration > Overlays & Security > Security > Cipher Settings.

  2. Click the edit icon for the cloned Cipher Profile you want to edit.

    The Cipher Profiles dialog box opens.

  3. Click the cryptographic service for which you want to edit cipher settings: TLS, Tunnels (ECOS), SSH (ECOS), Certificate, SNMP (ECOS), NTP (ECOS), Cluster Settings.

  4. Edit the cipher settings for the cryptographic service. Click the following links to learn more about the cipher settings for each cryptographic service:

  5. Click Save.

TLS Settings

TLS settings apply to both Orchestrator and EdgeConnect. There are two sections for the TLS profile settings, Cipher Suites and Advanced Properties. In the Cipher Suites section, you choose the algorithms available for the following services: key exchange, encryption, and hash function. These building blocks form the composite cipher suites, which are shown in the Enabled and Disabled sections in the following figure. When editing the TLS settings, you can enable or disable the algorithms or the composite cipher suites.

To select an algorithm for a service, drag it from the Disabled to the Enabled column. When you enable an algorithm, any cipher suites that contain that algorithm move from Disabled to Enabled. The order in which cipher suites appear in the Enabled column does not indicate the order in which the system (TLS server) offers them; all cipher suites that appear in the Enabled column are available for TLS.

The following table describes the TLS settings in the Cipher Suites section.

Setting | Description | Options
Key exchange algorithm | The algorithms available for Orchestrator to use to establish secure TLS connections. | NONE, ECDHE_ECDSA, ECDHE_RSA, DHE_RSA, RSA (disabled by default)
Encryption algorithm | The algorithms available for Orchestrator to use to encrypt data being sent during a TLS session. | AES_128_GCM, AES_256_GCM, AES_128_CCM, AES_128_CCM_8 (disabled by default), AES_256_CBC (disabled by default), AES_256_CCM (disabled by default), AES_128_CBC (disabled by default), AES_256_CCM_8 (disabled by default)
Hash function | The secure hash algorithms available for Orchestrator to use for data integrity. | SHA256, SHA384, SHA (disabled by default)

The following table describes the TLS settings in the Advanced Properties section.

Setting | Description | Options
Min DH Key length | The minimum length of the Diffie-Hellman key for Orchestrator when establishing secure TLS connections. | 2048 (default), 3072, 4096
Enable Session resumption | Enable/disable session resumption for TLS. Select or clear the check box. If enabled, an existing TLS secure session can be “reused.” This allows for faster session establishment. TLS session resumption is not allowed in CSfC. | Enabled or disabled
Named Curves | To customize, click Custom and select the check boxes for the named curves to have available. | Custom options: secp224r1, secp256r1 (default), secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192

Validate TLS Settings on Self-Hosted/On-Prem Orchestrators

For self-hosted/on-premises Orchestrators, changing the TLS Cipher Profile settings changes the service configuration for all Orchestrator TLS connections. The user must validate proposed changes before activation. When connecting to a third-party service, it is important to understand the cipher options that the third-party service offers and ensure the TLS Cipher Profile is in alignment.

When the TLS Cipher Profile settings are changed, existing TLS sessions remain up. The user must perform a service gms restart using the Orchestrator CLI, at which point existing TLS sessions are dropped.

After the gms service is restarted, TLS sessions are automatically reestablished with the new Cipher Profile settings.

Validate TLS Settings on Orchestrator-as-a-Service

For OaaS, changing the TLS Cipher Profile settings only affects services for which Orchestrator is the client, such as API connections to third-party services and HTTPS or Syslog remote receiver connections.

The user must validate proposed changes before activation. When connecting to a third-party service, it is important to understand the cipher options that the third-party service offers and ensure the TLS Cipher Profile is in alignment.

Users need to open a TAC case to restart their OaaS to have TLS Cipher Profile changes take effect. After TAC restarts the OaaS, TLS sessions are automatically reestablished with the new Cipher Profile settings.

Validate TLS Settings on ECOS

Changing the TLS Cipher Profile settings changes the service for all ECOS TLS connections. The user must validate proposed changes before activation. After Cipher Profile changes are activated, ECOS resets all TLS connections automatically.

Tunnels (ECOS) Settings

The Cipher Profile settings for Tunnels apply to all tunnel types:

  • Orchestrated underlay tunnels
    • IPSec UDP (IPSec phase only)
    • IKE-based, IPSec underlay tunnels
  • Orchestrated IKE-based, IPsec passthrough tunnels to select SSE services (HPE SSE, Zscaler, Netskope, etc.)
  • Unified Fabric, HPE ANW Central tunnels (requires Orchestrator release 9.5.4 or later)
  • Service Orchestration constructed, EdgeConnect-to-third party passthrough tunnels
  • Manually constructed, EdgeConnect-to-EdgeConnect tunnels
  • Manually constructed, EdgeConnect-to-third party passthrough tunnels

For Cipher Profile settings for Tunnels, there are two sections, IKE and IPSEC. The IKE section only applies to IKE-based IPSec tunnels and does not apply to IPSec UDP tunnels. To enable an algorithm, select its associated check box. All tunnel algorithms are enabled in the default profile.

Setting | Description | Options
IKE Minimum Pre-Shared Key (PSK) length | The required minimum length of the IKE PSK, in bytes. Enter a numeral in the range of 8-64. | 8-64 bytes (8 bytes is the default.)
IKE Authentication Algorithms | The authentication algorithms available for the IKE security association (SA). | SHA-1 (default), SHA2-256, SHA2-384, SHA2-512
IKE Encryption Algorithms | The encryption algorithms available for the IKE security association (SA). | AES-CBC-256, AES-CBC-128, AES-GCM-128, AES-GCM-256 (Auto is the default.)
IKE Diffie-Hellman Group | The Diffie-Hellman groups available for the IKE security association (SA). | 1, 2, 5, 14 (default), 15, 16, 17, 18, 19, 20, 21, 26, 31
IKE Pseudo Random Function | The secure hash algorithms available for EdgeConnect IKE-based IPSec tunnels to use for the pseudo random function. | SHA2-256 (default when AES-GCM-128 is selected for Encryption/Authentication), SHA2-384 (default when AES-GCM-256 is selected for Encryption/Authentication), SHA2-512
IPSEC Authentication Algorithms | The authentication algorithms available for EdgeConnect IPSec tunnels to use for the IPSec security association (SA). | SHA-1 (default), SHA2-256, SHA2-384, SHA2-512, AES-GMAC-128, AES-GMAC-256
IPSEC Encryption Algorithms | The encryption algorithms available for EdgeConnect IPSec tunnels to use for the IPSec security association (SA). | AES-CBC-256 (default), AES-CBC-128, AES-GCM-128, AES-GCM-256
IPSEC Perfect Forward Secrecy | The Diffie-Hellman groups available for EdgeConnect IPSec tunnels to use for IPSec security association (SA) negotiation. | 1, 2, 5, 14 (default), 15, 16, 17, 18, 19, 20, 21, 26, 31

NOTE: Changing the Tunnel Cipher Profile settings DOES NOT change the service configuration for any ECOS Tunnels.

Tunnel configurations must be performed prior to changing the Cipher Profile. The user must explicitly validate the service configuration against the intended (to be activated) Cipher Profile. ALL pre-existing tunnels, established with settings that will be disallowed in the intended (to be activated) Cipher Profile, will be DROPPED when the new Cipher Profile is activated.

Avoid Dropped Tunnels When Changing Cipher Profile Tunnel Settings

To avoid dropped tunnels when you change the Cipher Profile Tunnel settings, perform the following steps. These instructions reflect an Orchestrator that is starting with all default values, and the Default Cipher Profile is active.

  1. Review the settings for the preconfigured Cipher Profiles (Default, FIPS, Common Criteria, and CSfC) to determine which profile has settings that are closest to your enterprise target security policy.

    NOTE: The Default, FIPS, and Common Criteria profiles have all algorithm options enabled for Tunnels (ECOS) settings. This is subject to change in future releases.

  2. If none of the preconfigured profiles match the target security policy, clone the profile that is closest to the target.

  3. Note any algorithms you plan to enable or disable for the Tunnels service.

  4. Edit the cloned profile and make the necessary changes, but do not activate it yet.

  5. After editing the cloned profile, you must implement the desired tunnel setting changes for all tunnel types. Click the following links for instructions on implementing tunnel settings changes for each tunnel type.

IMPORTANT: To avoid dropped tunnels, you must implement tunnel setting changes before you activate the Cipher Profile.

Implement Tunnel Setting Changes for Orchestrated Underlay Tunnels for ALL Labels

In Orchestrator, navigate to Orchestrator > Orchestrator Server > Tools > Tunnel Settings.

Orchestrated IPSec UDP Underlay Tunnels
  • IPSec UDP is the default for Orchestrated Underlay Tunnels

  • Only IPSec phase applies

General tab: No changes are required if you will continue to use IPSec UDP tunnels.

IPSec tab: There are two algorithms that correspond to Cipher Profile tunnel settings: Authentication algorithm and Encryption algorithm. Ensure that both settings use algorithms allowed in the Cipher Profile you plan to activate. The following figure shows the out-of-the-box default values. If, for example, the new Cipher Profile disallows SHA1 and CBC-128, you can change to the recommended setting of AES-GCM-256.

Orchestrated IKE-based IPSec Underlay Tunnels

Customers who require FIPS, Common Criteria, and/or CSfC compliance can use standard, IKE-based IPsec tunnels.

NOTE: When configuring the IKE and IPSec encryption algorithms for FIPS and Common Criteria Compliance, the strength of the IKE algorithms must be greater than or equal to the IPSec algorithms.

The following table shows an example of a supported and valid configuration.

Setting | IKE-phase value | IPsec-phase value
Authentication Algorithm | n/a | n/a
Encryption Algorithm | AES-256-GCM-16 | AES-256-GCM-16
Diffie-Hellman Group | DH 19 | DH 19

The following table shows an example of a configuration that is unsupported and invalid because the IKE phase setting is cryptographically weaker than the IPSec phase setting.

Setting | IKE-phase value | IPsec-phase value
Authentication Algorithm | n/a | n/a
Encryption Algorithm | AES-128-GCM-16 | AES-256-GCM-16
Diffie-Hellman Group | DH 18 | DH 14

General tab: To select IKE-based IPSec tunnels for a specific label, from the Mode menu select IPSec. No other changes are needed on the General tab, unless the IPSec Suite B option is selected (only available for IKE-based IPSec Tunnels).

NOTE: GCM-256 is recommended. GMAC options cover authentication only and do not provide encryption.

IKE tab: For IKE-based IPSec tunnels, there are three algorithms that correspond to Cipher Profile tunnel settings: Authentication algorithm, Encryption algorithm, and Diffie-Hellman group. Ensure these settings use algorithms allowed in the Cipher Profile you plan to activate.

IPSec tab: For IKE-based IPSec tunnels, there are three algorithms that correspond to Cipher Profile tunnel settings: Authentication algorithm, Encryption algorithm, and Perfect forward secrecy group. Ensure these settings use algorithms allowed in the Cipher Profile you plan to activate.
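The pre-activation check that the Avoid Dropped Tunnels procedure and the FIPS/Common Criteria ordering rule above describe, written here as an added Python example (not Orchestrator code): it compares a tunnel's IKE-phase and IPsec-phase algorithms against the Tunnels (ECOS) check boxes of the profile you intend to activate, which the Validate button does not do, and flags an IKE phase weaker than the IPsec phase. The profile, the IPSec UDP tunnel and the strength numbers are constructed assumptions; the two IKE-based tunnels are the valid and invalid configurations from the tables above, using the algorithm names as the Cipher Profile lists them.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Approximate security strength in bits, used only to order algorithms. Assumed
# estimates in the style of NIST SP 800-57, not values taken from the Orchestrator UI.
ENC_STRENGTH = {"AES-CBC-128": 128, "AES-GCM-128": 128,
                "AES-CBC-256": 256, "AES-GCM-256": 256}
AUTH_STRENGTH = {"SHA-1": 80, "SHA2-256": 128, "SHA2-384": 192, "SHA2-512": 256,
                 "AES-GMAC-128": 128, "AES-GMAC-256": 256}
DH_STRENGTH = {1: 64, 2: 80, 5: 90, 14: 112, 15: 128, 16: 150, 17: 175, 18: 190,
               19: 128, 20: 192, 21: 256, 26: 112, 31: 128}

@dataclass
class TunnelProfile:
    """Tunnels (ECOS) section of a Cipher Profile: the check boxes that are selected."""
    name: str
    ike_auth: Set[str]
    ike_enc: Set[str]
    ike_dh: Set[int]
    ipsec_auth: Set[str]
    ipsec_enc: Set[str]
    ipsec_pfs: Set[int]
    ike_at_least_ipsec: bool = False  # the FIPS / Common Criteria ordering rule

@dataclass
class TunnelConfig:
    """Algorithms one tunnel is built with. IPSec UDP tunnels have no IKE phase."""
    name: str
    ike_based: bool
    ipsec_enc: str
    ipsec_auth: Optional[str] = None  # None when a GCM mode already authenticates
    ipsec_pfs: Optional[int] = None
    ike_enc: Optional[str] = None
    ike_auth: Optional[str] = None
    ike_dh: Optional[int] = None

def check_tunnel(cfg: TunnelConfig, profile: TunnelProfile) -> List[str]:
    """Return the reasons `cfg` would be dropped once `profile` is activated.
    Empty list: every algorithm is enabled in the profile and, if required, the
    IKE phase is no weaker than the IPsec phase."""
    problems: List[str] = []

    def require(label: str, value, enabled: Set) -> None:
        if value is not None and value not in enabled:
            problems.append(f"{cfg.name}: {label} {value} is disabled in {profile.name}")

    if cfg.ike_based:
        require("IKE authentication", cfg.ike_auth, profile.ike_auth)
        require("IKE encryption", cfg.ike_enc, profile.ike_enc)
        require("IKE DH group", cfg.ike_dh, profile.ike_dh)
    require("IPsec authentication", cfg.ipsec_auth, profile.ipsec_auth)
    require("IPsec encryption", cfg.ipsec_enc, profile.ipsec_enc)
    require("IPsec PFS group", cfg.ipsec_pfs, profile.ipsec_pfs)

    if cfg.ike_based and profile.ike_at_least_ipsec:
        for label, table, ike_val, ipsec_val in (
            ("encryption", ENC_STRENGTH, cfg.ike_enc, cfg.ipsec_enc),
            ("authentication", AUTH_STRENGTH, cfg.ike_auth, cfg.ipsec_auth),
            ("DH group", DH_STRENGTH, cfg.ike_dh, cfg.ipsec_pfs),
        ):
            # Only compare when both phases use an algorithm we can rank.
            if ike_val in table and ipsec_val in table and table[ike_val] < table[ipsec_val]:
                problems.append(f"{cfg.name}: IKE {label} {ike_val} is weaker than "
                                f"IPsec {label} {ipsec_val}")
    return problems

# Constructed profile: a clone of Default with SHA-1 and AES-CBC-128 disabled and the
# FIPS / Common Criteria ordering rule switched on. Not a shipped profile.
STRICT = TunnelProfile(
    name="Default-clone-strict",
    ike_auth={"SHA2-256", "SHA2-384", "SHA2-512"},
    ike_enc={"AES-CBC-256", "AES-GCM-128", "AES-GCM-256"},
    ike_dh={14, 15, 16, 17, 18, 19, 20, 21, 26, 31},
    ipsec_auth={"SHA2-256", "SHA2-384", "SHA2-512", "AES-GMAC-128", "AES-GMAC-256"},
    ipsec_enc={"AES-CBC-256", "AES-GCM-128", "AES-GCM-256"},
    ipsec_pfs={14, 15, 16, 17, 18, 19, 20, 21, 26, 31},
    ike_at_least_ipsec=True,
)

# The page's valid example: AES-256-GCM with DH 19 in both phases (GCM needs no
# separate authentication algorithm, hence "n/a" in the table).
VALID = TunnelConfig("ike-underlay-ok", True, ipsec_enc="AES-GCM-256", ipsec_pfs=19,
                     ike_enc="AES-GCM-256", ike_dh=19)
# The page's invalid example: the IKE phase uses AES-128 while IPsec uses AES-256.
INVALID = TunnelConfig("ike-underlay-weak-ike", True, ipsec_enc="AES-GCM-256",
                       ipsec_pfs=14, ike_enc="AES-GCM-128", ike_dh=18)
# Constructed IPSec UDP underlay tunnel that was left on SHA-1 / AES-CBC-128.
UDP_LEGACY = TunnelConfig("udp-underlay-legacy", False, ipsec_enc="AES-CBC-128",
                          ipsec_auth="SHA-1")

if __name__ == "__main__":
    for tunnel in (VALID, INVALID, UDP_LEGACY):
        problems = check_tunnel(tunnel, STRICT)
        print(tunnel.name, "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```

Run it against every tunnel (underlay, passthrough and manually constructed) before clicking Activate; any tunnel that returns a non-empty list is one the page says will be DROPPED.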

Implement Tunnel Setting Changes for Orchestrated IKE-based, IPSec Passthrough Tunnels to Select SSE Services (HPE SSE, Zscaler, Netskope, etc.)

Tunnels are orchestrated for specific SSE services such as HPE SSE, Zscaler, and Netskope, and for Infrastructure as a Service (IaaS) cloud services AWS and Azure. Service Orchestration is used to automate the integration of third-party service providers without an API.

For each service, navigate to the tunnel settings for that service. Perform the actions outlined in the following table on the algorithms for each subsection (General, IKE, and IPSec) to ensure the settings use algorithms that are enabled in the Cipher Profile you plan to activate.

Tab | Action
General tab | No changes are needed.
IKE tab | For IKE-based IPSec tunnels, there are three algorithms that correspond to Cipher Profile tunnel settings: Authentication algorithm, Encryption algorithm, and Diffie-Hellman (DH) group. Ensure these settings use algorithms that are enabled in the Cipher Profile you plan to activate.
IPSec tab | For IKE-based IPSec tunnels, there are three algorithms that correspond to Cipher Profile tunnel settings: Authentication algorithm, Encryption algorithm, and Perfect forward secrecy group. Ensure these settings use algorithms that are enabled in the Cipher Profile you plan to activate.

You must also verify the allowable range of algorithm parameters for any partner service. Changing the Cipher Profile settings affects the EdgeConnect end of the tunnel, and you must verify that any changes are compatible with the partner service.

Follow the instructions for each service that you partner with to verify the changes you made to the Cipher Profile settings are compatible with that service.

  • AWS Network Manager

    1. In Orchestrator, navigate to Configuration > Cloud Services > AWS Network Manager.

    2. Click Tunnel Settings.

  • HPE SSE

    1. In Orchestrator, navigate to Configuration > Cloud Services > HPE SSE.

    2. Click Tunnel Settings.

  • Microsoft Azure Virtual WAN

    1. In Orchestrator, navigate to Configuration > Cloud Services > Azure Network Manager.

    2. Click On-prem Gateways.

    3. Click Tunnel Settings.

  • Zscaler Internet Access

    1. In Orchestrator, navigate to Configuration > Cloud Services > Zscaler Internet Access.

    2. Click Tunnel Settings.

  • Netskope

    1. In Orchestrator, navigate to Configuration > Cloud Services > Netskope.

    2. Click Tunnel Settings.

  • Service Orchestration Constructed EdgeConnect-to-Third Party Passthrough Tunnels

    1. For services created within Service Orchestration, navigate to Configuration > Cloud Services > Service Orchestration.

    2. Click the tab for the service (if configured).

    3. Click Tunnel Settings.

Implement Tunnel Setting Changes for Unified Fabric, HPE ANW Central Tunnels

Unified Fabric, which supports tunnels between EdgeConnect and SD-Branch, was introduced in Orchestrator Release 9.5.2.

Cipher Profiles were introduced in Orchestrator 9.5.4; however, the Cipher Profile tunnel settings are not communicated to HPE Aruba Networking Central Overlay Tunnel Orchestrator (OTO). With Orchestrator and ECOS Release 9.5.4+, the following algorithms are used by HPE Aruba Networking Central and must be enabled in the Cipher Profile tunnel settings:

  • Authentication: SHA1

  • Encryption: AES-256-CBC

Starting with Release 9.6.0, ECOS sends the authentication and encryption methods to HPE Aruba Networking Central OTO. When a subsequent change is made to the Cipher Profile tunnel settings, for example to disallow SHA1, ECOS sends a resync message to OTO.

Implement Tunnel Setting Changes for Manually Constructed, EdgeConnect-to-EdgeConnect Tunnels

  1. In Orchestrator, navigate to Configuration > Networking > Tunnels > Tunnels.

  2. Click the edit icon next to the appliance for which you want to add or modify a tunnel. The Tunnels dialog box opens.

    NOTE: To modify a tunnel, click the edit icon next to the tunnel. The Modify Tunnel dialog box opens.

  3. Click Underlay.

  4. Click Add Tunnel.

    The Add Tunnel dialog box opens.

  5. Perform the actions in the following table for each subsection (General, IKE, and IPSec) to ensure the settings use algorithms that are enabled in the Cipher Profile you plan to activate.

Tab | Action
General tab | No changes are needed.
IKE tab | For IKE-based IPSec tunnels, there are three algorithms that correspond to Cipher Profile tunnel settings: Authentication algorithm, Encryption algorithm, and Diffie-Hellman (DH) group. Ensure these settings use algorithms that are enabled in the Cipher Profile you plan to activate.
IPSec tab | For IKE-based IPSec tunnels, there are three algorithms that correspond to Cipher Profile tunnel settings: Authentication algorithm, Encryption algorithm, and Perfect forward secrecy group. Ensure these settings use algorithms that are enabled in the Cipher Profile you plan to activate.

Implement Tunnel Setting Changes for Manually Constructed, EdgeConnect-to-Third Party Passthrough Tunnels

  1. In Orchestrator, navigate to Configuration > Networking > Tunnels > Tunnels.

  2. Click the edit icon next to the appliance for which you want to add or modify a tunnel.

    The Tunnels dialog box opens.

    NOTE: To modify a tunnel, click the edit icon next to the tunnel. The Modify Tunnel dialog box opens.

  3. Click Passthrough.

  4. Click Add Tunnel.

    The Add Passthrough Tunnel dialog box opens.

  5. Perform the actions in the following table for each subsection (General, IKE, and IPSec) to ensure the settings use algorithms that are enabled in the Cipher Profile you plan to activate.

Tab | Action
General tab | No changes are needed.
IKE tab | For IKE-based IPSec tunnels, there are three algorithms that correspond to Cipher Profile tunnel settings: Authentication algorithm, Encryption algorithm, and Diffie-Hellman (DH) group. Ensure these settings use algorithms that are enabled in the Cipher Profile you plan to activate.
IPSec tab | For IKE-based IPSec tunnels, there are three algorithms that correspond to Cipher Profile tunnel settings: Authentication algorithm, Encryption algorithm, and Perfect forward secrecy group. Ensure these settings use algorithms that are enabled in the Cipher Profile you plan to activate.

Troubleshoot Dropped Tunnels When Changing Cipher Profile Tunnel Settings

If you do not follow the recommended order of operations when changing Cipher Profile settings, tunnels that use algorithms that are disallowed by the active Cipher Profile will drop. If this happens, you can expect to see the following.

Alarms

If tunnels drop due to disallowed Cipher Profile settings, Orchestrator generates an alarm for each tunnel that drops. To view the alarm description and recommended actions, navigate to Monitoring > Summary > Alarms.

Tunnels Tab Status

On the Tunnels tab, tunnels that dropped due to disallowed ciphers show a status of “down - bad” in the Status column.

Tunnel Settings Error Messages

If tunnels drop due to disallowed Cipher Profile settings, you need to manually correct the tunnel settings (Orchestrator > Orchestrator Server > Tools > Tunnel Settings). When attempting to save corrections for a single label, error messages appear on the dialog box for all nonconforming labels whether there are tunnels built for those labels or not, as shown in the following figure. You must correct the tunnel settings for each label to ensure they comply with the active Cipher Profile before you can click Save.

[Figure: Tunnel Settings dialog box showing error messages for all nonconforming labels]

SSH (ECOS) Settings

To make an algorithm available for SSH service, select its associated check box.

Setting | Description | Options
Key Exchange Algorithms | The algorithms available for EdgeConnect to use to establish a secure connection to the appliance CLI. | diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group14-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha1, diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256, curve25519-sha256@libssh.org
Encryption Algorithms | The algorithms available for EdgeConnect to use to encrypt data being sent to the appliance CLI. | aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
HMAC Algorithms | The Hash-based Message Authentication Code (HMAC) algorithms available for EdgeConnect to use when connecting to the appliance CLI. | hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-512
Host Key Algorithms | | ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519, rsa-sha2-512, rsa-sha2-256, ssh-rsa
CA Sign Algorithms | | ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519, rsa-sha2-512, rsa-sha2-256, ssh-rsa
Public Key Algorithms | | ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519, rsa-sha2-512, rsa-sha2-256, ssh-rsa

Configure SSH on ECOS

ECOS SSH configuration is orchestrated via the Cipher Profile settings. While still an option, there is no need to configure via CLI.

Certificate Settings

The certificate settings apply to end-entity certificates for both Orchestrator and EdgeConnect.

Setting | Description | Options
Fail connection on OCSP undetermined | When a certificate is uploaded in Orchestrator, the Online Certificate Status Protocol (OCSP) is run by Orchestrator and EdgeConnect to verify the status of the certificate. If communication cannot be established with the OCSP server, then the revocation check is ignored, but the connection does not necessarily fail. When this setting is enabled, if communication cannot be established with the OCSP server then the connection will fail. | Enable or disable
Min RSA Key length | Indicates the minimum RSA key length for certificates. | 2048 (default), 3072, 4096
Min EC Key length | | 224, 256 (default), 384, 521
ECC Curves | | Custom options: secp224r1 (included in default profile), secp256r1 (included in default profile), secp384r1 (included in default profile), secp521r1 (included in default profile)
HMAC Algorithms | | Custom options: sha1 (included in default profile), sha256 (included in default profile), sha384 (included in default profile), sha512 (included in default profile)

NOTE: If ECOS is using a certificate with a 2048-bit key, it can still communicate with TLS servers that use longer 3072-bit (CSfC-compliant) certificates.

When applying a Cipher Profile, Orchestrator checks the ECOS TLS client to determine if it has a valid certificate. If ECOS does not have a valid certificate, the Cipher Profile will NOT be applied, and Orchestrator will raise an alarm. During Zero Touch Provisioning (initial deployment), the ECOS TLS client will accept a server certificate, for example with a key length of 3072, even if ECOS does not yet have the CSfC Cipher Profile activated. This enables initial communications from ECOS to Cloud Portal and from ECOS to Orchestrator.
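As an added example (not Orchestrator code), the following Python pre-screens an end-entity certificate against the Certificate settings above before you activate a profile, so you can find certificates that would become "invalid and not usable" ahead of time; it reads the text that openssl x509 -noout -text prints. The Default profile values come from the table; the stricter clone, the curve alias and the three trimmed certificate dumps are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# openssl prints curves by ASN.1 OID name; prime256v1 is the curve the profile calls secp256r1.
CURVE_ALIASES = {"prime256v1": "secp256r1"}

@dataclass
class CertProfile:
    """The Certificate section of a Cipher Profile."""
    name: str
    min_rsa_bits: int
    min_ec_bits: int
    ecc_curves: Set[str]
    hmac_algorithms: Set[str]  # signature hashes, named as the profile lists them

@dataclass
class CertFacts:
    """What the check needs from a certificate."""
    key_type: str                # "RSA" or "EC"
    key_bits: int
    sig_hash: Optional[str]      # e.g. "sha256"
    curve: Optional[str] = None  # e.g. "secp384r1" (EC keys only)

def parse_openssl_text(text: str) -> CertFacts:
    """Extract key type, key size, curve and signature hash from `openssl x509 -noout -text`."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)   # first hit is in the Data block
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)   # also matches "RSA Public-Key:"
    if not (sig and alg and bits):
        raise ValueError("not recognisable openssl x509 -text output")
    hash_match = re.search(r"sha(\d+)", sig.group(1), re.IGNORECASE)
    sig_hash = f"sha{hash_match.group(1)}" if hash_match else None
    if alg.group(1) == "rsaEncryption":
        return CertFacts("RSA", int(bits.group(1)), sig_hash)
    if alg.group(1) == "id-ecPublicKey":
        oid = re.search(r"ASN1 OID:\s*(\S+)", text)
        curve = CURVE_ALIASES.get(oid.group(1), oid.group(1)) if oid else None
        return CertFacts("EC", int(bits.group(1)), sig_hash, curve)
    raise ValueError(f"unsupported key algorithm {alg.group(1)}")

def check_certificate(cert: CertFacts, profile: CertProfile) -> List[str]:
    """Return the profile settings this certificate violates (empty list = still usable)."""
    problems: List[str] = []
    if cert.key_type == "RSA" and cert.key_bits < profile.min_rsa_bits:
        problems.append(f"RSA key {cert.key_bits} < Min RSA Key length {profile.min_rsa_bits}")
    if cert.key_type == "EC":
        if cert.key_bits < profile.min_ec_bits:
            problems.append(f"EC key {cert.key_bits} < Min EC Key length {profile.min_ec_bits}")
        if cert.curve not in profile.ecc_curves:
            problems.append(f"curve {cert.curve} not in ECC Curves")
    if cert.sig_hash not in profile.hmac_algorithms:
        problems.append(f"signature hash {cert.sig_hash} not in HMAC Algorithms")
    return problems

# The Default profile exactly as the Certificate Settings table lists it.
DEFAULT = CertProfile("Default", 2048, 256,
                      {"secp224r1", "secp256r1", "secp384r1", "secp521r1"},
                      {"sha1", "sha256", "sha384", "sha512"})
# Constructed clone: RSA raised to 3072 (the CSfC-compliant length this page mentions)
# plus assumed EC/hash restrictions. Not the shipped CSfC profile.
STRICT = CertProfile("Default-clone-strict", 3072, 384,
                     {"secp384r1", "secp521r1"}, {"sha384", "sha512"})

# Constructed, trimmed openssl output for three sample certificates.
RSA_2048_SHA256 = """Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""
EC_P256_SHA256 = """Certificate:
    Data:
        Signature Algorithm: ecdsa-with-SHA256
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
                NIST CURVE: P-256
"""
EC_P384_SHA384 = """Certificate:
    Data:
        Signature Algorithm: ecdsa-with-SHA384
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                ASN1 OID: secp384r1
                NIST CURVE: P-384
"""

if __name__ == "__main__":
    samples = [("rsa2048", RSA_2048_SHA256), ("p256", EC_P256_SHA256), ("p384", EC_P384_SHA384)]
    for label, text in samples:
        facts = parse_openssl_text(text)
        for profile in (DEFAULT, STRICT):
            print(label, profile.name, check_certificate(facts, profile) or "OK")
```

To screen a real certificate, pipe openssl x509 -in cert.pem -noout -text into parse_openssl_text; the Validate button still has the final say, since it also checks the live TLS connections.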

Configure Certificates on Orchestrator and ECOS

For information on configuring certificates, see End Entity Certificates Tab and End Entity Certificate Validation at the Time of Upload.

SNMP (ECOS) Settings

To make an algorithm available for an SNMP service to use, select its associated check box.

Setting: Encryption Algorithms
Description: The encryption algorithms available for EdgeConnect to use for the SNMP service.
Options: AES-CBC-128, AES-CBC-256

Setting: Hash Algorithms
Description: The secure hash algorithms available for EdgeConnect to use for the SNMP service.
Options: SHA-1, SHA2-256, SHA2-384, SHA2-512

Configure SNMP on ECOS

Starting with Orchestrator Release 9.5.4, SNMP configuration is performed via Orchestrator templates or via the Cipher Profile settings.

  • If the Cipher Profile settings change and any SNMP configuration uses privacy algorithms that are no longer valid, the system overwrites the hash algorithms with one of the values allowed in the Cipher Profile.

  • Similarly, if the SNMP configuration is changed to set hash and privacy algorithms, the system checks at the ECOS end that the values are within those allowed by the Cipher Profile; if they are not, Orchestrator overwrites them.
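The two bullets above describe a reconciliation: whenever the profile or the SNMP configuration changes, any algorithm outside the allowed set is overwritten with an allowed value. The Python below is an added example written for this page, not Orchestrator code. It performs that reconciliation over constructed SNMPv3 user records and returns a change log alongside the corrected configuration, which is the part a defender wants: an overwrite that happens silently is the kind of drift that should be audited. The page does not say which allowed value replaces a disallowed one, so the example's choice of the strongest allowed algorithm from a preference list is an assumption.

```python
"""Constructed example (not product code): reconcile SNMPv3 user settings
with the SNMP algorithms allowed by a Cipher Profile, as this page describes.

The page says a disallowed algorithm is overwritten with "one of the values
allowed" but does not say which; this example picks the strongest allowed
value from a preference list, which is the example's own assumption.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Tuple

# Strongest first; only values the page lists for SNMP (ECOS) settings.
HASH_PREFERENCE = ["SHA2-512", "SHA2-384", "SHA2-256", "SHA-1"]
ENCRYPTION_PREFERENCE = ["AES-CBC-256", "AES-CBC-128"]


@dataclass(frozen=True)
class SnmpCipherProfile:
    """SNMP (ECOS) settings: the check boxes selected in the Cipher Profile."""
    hash_algorithms: FrozenSet[str]
    encryption_algorithms: FrozenSet[str]


@dataclass(frozen=True)
class SnmpUser:
    """One SNMPv3 user as configured (constructed sample data)."""
    name: str
    auth: str   # hash algorithm
    priv: str   # privacy (encryption) algorithm


def strongest_allowed(preference: List[str], allowed: FrozenSet[str]) -> str:
    """First entry of the preference list that the profile allows."""
    for candidate in preference:
        if candidate in allowed:
            return candidate
    raise ValueError(f"profile allows none of {preference}")


def is_compliant(users: List[SnmpUser], profile: SnmpCipherProfile) -> bool:
    """True when every user's algorithms are within the allowed sets."""
    return all(u.auth in profile.hash_algorithms
               and u.priv in profile.encryption_algorithms for u in users)


def reconcile_snmp_users(users: List[SnmpUser], profile: SnmpCipherProfile
                         ) -> Tuple[List[SnmpUser], List[Tuple[str, str, str, str]]]:
    """Return (corrected users, change log). Each change is
    (user, field, old, new) so the overwrite can be audited."""
    corrected: List[SnmpUser] = []
    changes: List[Tuple[str, str, str, str]] = []
    for u in users:
        new_auth, new_priv = u.auth, u.priv
        if u.auth not in profile.hash_algorithms:
            new_auth = strongest_allowed(HASH_PREFERENCE, profile.hash_algorithms)
            changes.append((u.name, "auth", u.auth, new_auth))
        if u.priv not in profile.encryption_algorithms:
            new_priv = strongest_allowed(ENCRYPTION_PREFERENCE,
                                         profile.encryption_algorithms)
            changes.append((u.name, "priv", u.priv, new_priv))
        corrected.append(replace(u, auth=new_auth, priv=new_priv))
    return corrected, changes


if __name__ == "__main__":
    # Constructed: a profile that drops SHA-1 and AES-CBC-128, applied to
    # two users, one of which still uses the dropped algorithms.
    profile = SnmpCipherProfile(
        hash_algorithms=frozenset({"SHA2-256", "SHA2-384", "SHA2-512"}),
        encryption_algorithms=frozenset({"AES-CBC-256"}))
    users = [SnmpUser("nms-ro", "SHA-1", "AES-CBC-128"),
             SnmpUser("nms-rw", "SHA2-256", "AES-CBC-256")]
    fixed, log = reconcile_snmp_users(users, profile)
    for entry in log:
        print("overwritten:", entry)
    print("compliant after reconcile:", is_compliant(fixed, profile))
```

The change log is what you would forward to your audit trail: the reconciliation itself is routine, but an SNMPv3 user silently moving from one algorithm to another is a configuration change that should be visible to whoever reviews the appliance.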

NTP (ECOS) Settings

For NTP, you can select the algorithms available for EdgeConnect to use for the Network Time Protocol (SHA2-256, SHA2-384, and SHA2-512). To make an algorithm available for the NTP service to use, select its associated check box.

Configure NTP on ECOS

EdgeConnect OS supports NTP and manual time setting. NTP servers can be set up for all appliances in the SD-WAN fabric using the Orchestrator template; however, Secure NTP must be configured via the CLI.

Set Up NTP Servers Using the Orchestrator Template

Set up the NTP servers for all EdgeConnect appliances in the SD-WAN fabric using the Orchestrator Date/Time Template. For more information, see Date/Time Setting.

Configure Secure NTP via the CLI

Secure NTP Parameters

  • Key ID can be between 1 and 255.

  • SHA384 is the recommended algorithm.

  • The pre-shared key can be any string. There is no restriction on string length or character composition.

Secure NTP Procedure

  1. Authenticate to the EdgeConnect CLI/SSH.

  2. Execute enable

  3. Execute configure terminal

  4. Add PSKs to the appliance:

    Execute ntp key <Key id> <Algo> <pre shared key>

    Example: ntp key 10 sha384 uwefh8239hngli28

  5. Select one of the keys to securely connect:

    NOTE: You can only select keys from the list of available keys.

    To see the list of available keys:

    Execute show ntp key

    Execute ntp select-key <Key id>

    Example: ntp select-key 10

  6. Restart the ntpd service:

    Execute: pm process ntpd restart

Optional CLI commands for secure NTP:

  • Delete a key: Execute no ntp key <key id>

  • Display all NTP keys: Execute show ntp key

  • Display a specific key: Execute show ntp key <key id>

Manual NTP Server Setup

To manually set the NTP server for a single EdgeConnect appliance:

  1. Execute ntp server <IP address> version 4

  2. Execute ntp enable

  3. Execute write memory

Manually Change Appliance Time or Date

  1. Authenticate to the EdgeConnect CLI/SSH.

  2. Execute enable

  3. Execute configure terminal

  4. Execute clock set hh:mm:ss yyyy/mm/dd

  5. Execute write memory

Cluster Settings

To make an algorithm available for the Cluster service to use, select its associated check box.

Setting: Encryption Algorithm
Description: The encryption algorithms available for Orchestrator and EdgeConnect to use for Clusters.
Options: AES-CBC-256, AES-CBC-128, AES-GCM-128, AES-GCM-256

Setting: Authentication Algorithm
Description: The authentication algorithms available for Orchestrator and EdgeConnect to use for Clusters.
Options: SHA-1, SHA2-256, SHA2-384, SHA2-512, AES-GMAC-128, AES-GMAC-256

Configure Clusters on Orchestrator

For information on configuring Clusters, see Cluster Profiles and Clusters.

NOTE: Cluster security is only configured via Cipher Profile settings starting with Orchestrator Release 9.6.0.