Upgrading and downgrading security
To give your organization the greatest possible flexibility, the system is installed with no security. Your organization can add security features at any time.
Security features can be added only on the computer that runs the host server. To use advanced security, the host server and client must be connected to a security server on a different computer.
To upgrade security, use the Security Upgrade utility.
- If you currently run the engine with no security, then you can upgrade to basic security or advanced security. Upgrading to advanced security automatically adds basic security.
- If you currently run the engine with basic security, then you can upgrade to advanced security.
Advanced security can be added only on a computer system that runs the host server. To enable security administration, you must add advanced security to one and only one host server, no matter how many host servers are included in your system. If your system already has basic security, then you must add advanced security on the same computer system where basic security is located.
The SecurityUpgrade.log file logs information from the SecurityOptions class. This class contains the upgrade information, for example, "none to basic," "none to advanced," "basic to advanced," and so on.
The SecurityUpgrade.log file is generated in the HCIROOT folder.
Notes
- In a system with multiple host servers, security features should be added to each host server.
- Certificates must be issued before any security upgrade.
Running CIS with basic or advanced security
In basic security, the IDE and host server establish a TLS 1.2 connection.
In advanced security, the IDE, host server, and security server establish a TLS 1.2 connection.
This connection uses TLS_DHE_DSS_WITH_AES_256_CBC_SHA256.
Upgrading/Downgrading from the command line
A mode parameter is available on the command line for different combinations of security upgrade/downgrade.