5 1 0:Disabling unsecure transport modes

From SEPsesam


Welcome to the latest SEP sesam documentation version 5.1.0 Apollon. For previous documentation version(s), check documentation archive.


Overview


To protect your data traffic against theft and other threats, it is highly recommended to use the HTTPS protocol for transferring data over the network. HTTPS connections use the Transport Layer Security (TLS) cryptographic protocol, which employs encryption to protect the data, authentication to verify the identity of the parties involved, and integrity checks to ensure that the data has not been tampered with during transmission.

SEP sesam now supports HTTPS protocol for all control commands and network traffic. The HTTP and FTP interfaces can be switched off and all data traffic is performed over HTTPS interfaces.

Before you can disable HTTP and FTP interfaces, make sure to check existing tasks and events (backups, restores or migrations) and move them to HTTPS interfaces if necessary. You cannot remove an interface that is still in use.

Note
On Windows systems with a CPU that does not support AVX, the Sesam Transfer Protocol Server (STPD) automatically disables the HTTPS port. Consequently, the TLS key and certificate cannot be created. For more information refer to Known issues and limitations in version 5.0.0 Jaglion.

Deactivating the unsecure interfaces

To deactivate the HTTP and FTP interfaces and move the traffic to HTTPS, you need to disable the ports on the SEP sesam Server and all RDS and then remove the interfaces in SEP sesam configuration.

Disable the TLS 1.1

The STPD service still supports TLS version 1.1, which is widely deprecated and should not be used. To enhance security, you can remove TLS 1.1 support and ensure that a newer version of TLS is used for communication between SEP sesam components.

  1. Locate the <sesam_var>/ini/stpd.ini file on the SEP sesam Server and on each RDS.
  2. Open the stpd.ini file using a text editor and add the following entry under section STPD Server:
  3. [STPD_Server]
    STPD_HTTPS_PRIORITY_STRING="NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-SSL3.0:-3DES-CBC:-DES-CBC:%SERVER_PRECEDENCE"
    
  4. Save your changes and restart the server for the changes to take effect.

Disable the HTTP and FTP ports

  1. Locate the <sesam_var>/ini/stpd.ini file on the SEP sesam Server and on each RDS.
  2. Open the stpd.ini file using a text editor and comment out the unsecure ports (add the # symbol at the beggining of the row):
    [STPD_Server]
    # STPD_PORT=11001
    # STPD_HTTP_PORT=11000
    STPD_HTTPS_PORT=11443
    
    Only HTTPS port 11443 remains active.
  3. Save your changes and restart the server for the changes to take effect.

Remove the HTTP and FTP interfaces

On SEP sesam Server and all RDS you can remove all unsecure interfaces that use HTTP or FTP protocols.

  1. In the Main selection -> Components -> Clients, locate and right-click your SEP sesam Server and select Properties.
  2. In the list of configured interfaces delete the unsecure interfaces you no longer want to use.
  3. Click Apply to save the changes.
  4. Repeat this procedure also for all RDS as required.

If an existing task or event (backup, restore or migration) still uses the interface you want to remove, a warning is displayed and SEP sesam does not delete the interface.

In this case find the task or event using this interface and switch it to a secure interface. You can also empty the Interface field (select blank value) to use any of available interfaces configured on the SEP sesam Server.

Setting HTTPS interfaces for migrations

To replace the HTTP and FTP interfaces with secure HTTPS protocol for migrations, set the global variable keys in the Web UI as follows:

  1. In the navigation menu, click System Configuration -> System Settings.
  2. Click [+ New] to add the following keys to the global settings (or modify their values if they already exist):
    gv_default_interface_prefix|sesam|https
    gv_default_interface_prefix_ext|sesam|https
    where value=https specifies that the HTTPS protocol is used for both source and destination during migration, and sesam is the username.
Tip
Alternatively, you can use the following CLI commands:
sm_glbv w gv_default_interface_prefix https
sm_glbv w gv_default_interface_prefix_ext https

Setting HTTPS as default when aborting active data transfer

By default, SEP sesam always aborts data transfer (backup, restore, migration) over FTP. When you disable the port 11001, which is used for FTP traffic, these commands no longer work. You can set a global variable to use the HTTPS transport mode to abort an active data transfer.

You can set HTTPS as default by adding (or modifying) the following key in the global settings in the Web UI:

  1. In the navigation menu, click System Configuration -> System Settings.
  2. Click [+ New system setting] to add the following key to the global settings (or modify the key value, if it already exists):
    gv_conf_use_com_stpd_kill|sesam|https
    where value=https means that the HTTPS protocol is used for aborting active data transfers and sesam is the user name.


See also

Configuring SSL Secured Communication for SEP sesam Backup Network - Ransomware Protection Best PracticesBackup Strategy Best Practices

Copyright © SEP AG 1999-2024. All rights reserved.
Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.