
Encryption of Inter-Node Traffic

Network Router communication traffic between Prognosis servers is, by default, encrypted using the AES256-CTR-SHA256 encryption algorithm (non-FIPS). If required, FIPS encryption can be enabled on MS Windows servers; for details, refer to Enabling FIPS Encryption.

It is not possible to disable encryption between MS Windows, Linux and Solaris platforms. However, it is possible to make use of the FORCE-LEGACY-CONNECTIONS and ALLOW-LEGACY-CONNECTIONS statements in the NETWORK Configuration to enable/disable encryption on connections to HPE NonStop, AIX and HP-UX platforms as described below.

FORCE-LEGACY-CONNECTIONS

On an HPE NonStop, AIX or HP-UX server, use the FORCE-LEGACY-CONNECTIONS statement to force all communications to and from the server to be unencrypted. With this setting enabled, the server accepts only unencrypted communications and rejects encrypted connections.

SUBSYS NETWORK
...
FORCE-LEGACY-CONNECTIONS ()

When FORCE-LEGACY-CONNECTIONS is configured, an entry will be entered into the Audit Log: 'This node is configured to use unencrypted connections.'

ALLOW-LEGACY-CONNECTIONS

The ALLOW-LEGACY-CONNECTIONS () statement can be added to the receiving server (this can be any supported server type) in order to allow unencrypted connections to be accepted from one or more remote HPE NonStop, AIX or HP-UX servers.

SUBSYS NETWORK
...
ALLOW-LEGACY-CONNECTIONS ({<server-name>|*})

The statement accepts either a server name (an IP address is not accepted) or an asterisk (*). Multiple server names can be added with individual statements or in a single statement using a comma-separated list.

A server configured with FORCE-LEGACY-CONNECTIONS will only be able to communicate with a remote Prognosis server if the remote server is configured with either of the following:

a) FORCE-LEGACY-CONNECTIONS () or

b) ALLOW-LEGACY-CONNECTIONS (*)

When an unencrypted connection is established between two servers, an entry will be added to the Audit Log for both servers: 'Establishing an unencrypted connection to Prognosis node \NODE1.'

After making configuration changes to the encryption of communication links, it is recommended that the Prognosis server be restarted. This ensures that all communications are established using the required level of encryption.
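As an added example (not IR Prognosis code), the following Python script lints a NETWORK configuration fragment for the legacy-connection statements described above and summarises the audit-log messages this article documents, so an operator can inventory which links are running unencrypted. The audit-log line layout (timestamp, level, message), the sample node names and the IP address are assumptions; only the statement syntax and the message texts come from the article.

```python
import re
# Added example, not IR Prognosis code. The audit-log line layout (timestamp,
# level, message) is assumed; only the message texts come from the documentation.
FORCE_MSG = "This node is configured to use unencrypted connections."
PEER_RE = re.compile(r"Establishing an unencrypted connection to Prognosis node (\\?\w+)\.")
ALLOW_RE = re.compile(r"^\s*ALLOW-LEGACY-CONNECTIONS\s*\((.*?)\)", re.I | re.M)
FORCE_RE = re.compile(r"^\s*FORCE-LEGACY-CONNECTIONS\s*\(\s*\)", re.I | re.M)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample inputs (not captured from a real system).
SAMPLE_AUDIT_LOG = r"""
2024-03-01 10:00:01 INFO This node is configured to use unencrypted connections.
2024-03-01 10:00:02 INFO Establishing an unencrypted connection to Prognosis node \NODE2.
2024-03-01 10:05:17 INFO Establishing an unencrypted connection to Prognosis node \NODE3.
2024-03-01 10:05:18 INFO Establishing an unencrypted connection to Prognosis node \NODE2.
"""
SAMPLE_CONFIG = r"""
SUBSYS NETWORK
ALLOW-LEGACY-CONNECTIONS (\NODE2,\NODE3)
ALLOW-LEGACY-CONNECTIONS (10.0.0.5)
ALLOW-LEGACY-CONNECTIONS (*)
"""

def audit_unencrypted_links(audit_log: str) -> dict:
    # Summarise which cleartext links the audit log records for this node.
    peers, forced = set(), False
    for line in audit_log.splitlines():
        if FORCE_MSG in line:
            forced = True
        if (m := PEER_RE.search(line)):
            peers.add(m.group(1))
    return {"force_legacy": forced, "unencrypted_peers": sorted(peers)}

def lint_network_config(config: str) -> list:
    # Flag NETWORK statements that widen or misconfigure cleartext (legacy) access.
    findings = []
    if FORCE_RE.search(config):
        findings.append("FORCE-LEGACY-CONNECTIONS (): all links to and from this node are unencrypted")
    for m in ALLOW_RE.finditer(config):
        for name in (n.strip() for n in m.group(1).split(",") if n.strip()):
            if name == "*":
                findings.append("ALLOW-LEGACY-CONNECTIONS (*): accepts unencrypted connections from any server")
            elif IPV4_RE.match(name):
                findings.append(f"ALLOW-LEGACY-CONNECTIONS ({name}): IP addresses are not accepted, use the server name")
    return findings

if __name__ == "__main__":
    print(audit_unencrypted_links(SAMPLE_AUDIT_LOG))
    print(lint_network_config(SAMPLE_CONFIG))
```

Run the audit function over each server's Audit Log after a restart to confirm that no 'Establishing an unencrypted connection' entries remain where encryption was expected.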