Security Algorithms

Verify Privilege Manager v11.1 introduced configurable security algorithms.

Configuration of security algorithms is managed via Admin | Configuration | Advanced under the Agent section. Refer to Advanced Tab.

IBM Security recommends that all customers update to SHA256 at this point.

Server-Targeted Settings

The following settings are targeted at the Verify Privilege Manager server.

Allowed agent event signature algorithms

This setting specifies what signature algorithms the server accepts when processing events from the agent. The new minimum standard for agents v11.1 events is XML RSA/SHA256. XML RSA/SHA1 is considered legacy support for older agent version only.

By default in v11.1 and up XML RSA/SHA256 and SHA1 are configured. Once your server only communicates with the latest agent version and all your policies/filters have been updated, SHA1 can be removed from the configuration.

Client item signature algorithms

This is the list of one or more signature algorithms the server will use when signing client items.

  • Legacy Value: XML RSA/SHA1
  • Default: Both XML RSA/SHA1 and XML RSA/SHA256.

Allowed client item signature algorithms

This setting specifies the signature algorithm(s) on tokens the server should accept for agent service calls.

Agent-Targeted Settings

These are settings that are targeted at agents, and will be part of agent configuration items. If the settings are not specified in the agent configuration contract XML, then the global setting will be sent to the agent.

Agent Event Signature Algorithm

This is the signature algorithm agents are instructed to use when signing XML events.

  • Legacy/unspecified: The legacy value is XML RSA/SHA1. Agents should continue using this if not specified in their configuration.
  • Default: XML RSA/SHA256

Inventory Hash Algorithms

These are the hash algorithms that agents should use when reporting inventory for resources.

The agent should always report as many hashes as possible from the configured set. Legacy hashes don’t do any harm except maybe take up a bit of space.

  • Legacy: The legacy values are mixed, some resources (like Folders) were using MD5, most files and other resources used SHA1.
  • Unset: If the agent doesn’t have a configuration value for this, it reports all hashes it can from the set of (MD5, SHA1, SHA256, Authenticode, Authenticode 2).
  • Default: MD5, SHA1, SHA256, Authenticode, and Authenticode2.

Authenticode is a Windows technology for signing executables, it essentially contains the hash of the raw executable before signing. For non-Windows OSes and non-Executable resources, this hash is ignored.