Configuring security settings
Ensure your PE environment is secure by configuring security settings.
Configure cipher suites
Due to regulatory compliance or other security requirements, you may need to change which cipher suites your SSL-enabled PE services use to communicate with other PE components. See Compatible ciphers to ensure your ciphers are compatible with PE.
To add or remove cipher suites for certain types of services, use Hiera to add an array of ciphers to these parameters:
puppet_enterprise::ssl_cipher_suites
- Set an array of ciphers, in IANA format, for all Java-based services: PuppetDB, Puppet Server, console services, and the orchestrator.
puppet_enterprise::ssl_cipher_suites_non_java
- Set an array of ciphers, in OpenSSL format, for all non-Java services: Bolt Server, ACE Server, PostgreSQL.
puppet_enterprise::ssl_cipher_suites_browser
- Set an array of ciphers, in OpenSSL format, accepted by the PE console in the browser (NGINX).
Configure SSL protocols
Add or remove SSL protocols in your PE infrastructure.
To change what SSL protocols your PE infrastructure uses, use Hiera or the console to add or remove protocols.
Use the parameter puppet_enterprise::master::puppetserver::ssl_protocols and set it to an array of the protocols you want to include, or remove protocols you no longer want to use.
puppet_enterprise::master::puppetserver::ssl_protocols: ["TLSv1.3", "TLSv1.2"]
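As an added example, not from the PE documentation, the following Python script checks a Hiera data set for cipher names that are in the wrong format for their parameter (an IANA name such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 in one of the OpenSSL-format lists, or vice versa) and for deprecated protocol versions left in ssl_protocols. The sample Hiera data, the two regular expressions and the set of deprecated protocol names are assumptions; the script validates naming format only, not whether PE supports a given suite, so the Compatible ciphers list is still the authority on which suites to use.

```python
import re

# Constructed sample Hiera data (not from the PE docs). Java-based services take
# IANA names (TLS_..._WITH_...), the non-Java services and NGINX take OpenSSL
# names (ECDHE-RSA-...). One entry below is deliberately in the wrong format.
SAMPLE_HIERA = {
    "puppet_enterprise::ssl_cipher_suites": [
        "TLS_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    ],
    "puppet_enterprise::ssl_cipher_suites_non_java": [
        "ECDHE-RSA-AES256-GCM-SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",  # IANA name in an OpenSSL list
    ],
    "puppet_enterprise::ssl_cipher_suites_browser": [
        "ECDHE-ECDSA-AES128-GCM-SHA256",
    ],
    "puppet_enterprise::master::puppetserver::ssl_protocols": [
        "TLSv1.3", "TLSv1.2", "TLSv1",  # TLSv1 (TLS 1.0) is deprecated
    ],
}

# Approximations of the two naming conventions (assumption: enough to catch a
# name pasted into the wrong parameter, not a full grammar of either format).
IANA_NAME = re.compile(r"^TLS_[A-Z0-9]+(?:_[A-Z0-9]+)*$")
OPENSSL_NAME = re.compile(r"^[A-Z0-9]+(?:-[A-Z0-9]+)+$")


def is_iana_name(name):
    return bool(IANA_NAME.match(name))


def is_openssl_name(name):
    # OpenSSL spells TLS 1.3 suites with their IANA names, which carry no
    # "_WITH_" (TLS 1.2 and earlier IANA names do), so accept those as well.
    return bool(OPENSSL_NAME.match(name)) or (is_iana_name(name) and "_WITH_" not in name)


# Which format each PE parameter expects, per the parameter descriptions above.
FORMAT_BY_PARAM = {
    "puppet_enterprise::ssl_cipher_suites": is_iana_name,
    "puppet_enterprise::ssl_cipher_suites_non_java": is_openssl_name,
    "puppet_enterprise::ssl_cipher_suites_browser": is_openssl_name,
}

# Protocol versions deprecated by RFC 8996, written in the Java-style names PE
# uses for this parameter (assumption based on the "TLSv1.2"/"TLSv1.3" values).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
PROTOCOLS_PARAM = "puppet_enterprise::master::puppetserver::ssl_protocols"


def check_cipher_suites(hiera):
    """Return (parameter, cipher) pairs whose cipher name is in the wrong format."""
    return [
        (param, name)
        for param, accepts in FORMAT_BY_PARAM.items()
        for name in hiera.get(param, [])
        if not accepts(name)
    ]


def check_protocols(hiera):
    """Return the deprecated protocol versions present in ssl_protocols."""
    return [p for p in hiera.get(PROTOCOLS_PARAM, []) if p in DEPRECATED_PROTOCOLS]


if __name__ == "__main__":
    for param, name in check_cipher_suites(SAMPLE_HIERA):
        print(f"{param}: {name!r} is not in the format this parameter expects")
    for proto in check_protocols(SAMPLE_HIERA):
        print(f"{PROTOCOLS_PARAM}: {proto} is deprecated; remove it")
```

Run against the sample data, the script reports the IANA-formatted name in ssl_cipher_suites_non_java and the TLSv1 entry in ssl_protocols; feed it your own Hiera data by loading the YAML into a dict and passing it to the two check functions.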
Configure RBAC and token-based authentication settings
Tune RBAC and token-based authentication settings, like setting the number of failed attempts a user has before they are locked out of the console or changing the amount of time a token is valid for.
puppet_enterprise::profile::console::rbac_failed_attempts_lockout
- An integer specifying how many failed login attempts are allowed on an account before the account is revoked. The default is "10" (attempts).
puppet_enterprise::profile::console::rbac_password_reset_expiration
- An integer representing, in hours, how long a user's generated token is valid for. An administrator generates this token for a user so that they can reset their password. The default is "24" (hours).
puppet_enterprise::profile::console::rbac_session_timeout
- Integer representing, in minutes, how long a user's session can last. The session length is the same for node classification, RBAC, and the console. The default is "60" (minutes).
puppet_enterprise::profile::console::rbac_token_auth_lifetime
- A value representing the default authentication lifetime for a token. It cannot exceed the rbac_token_maximum_lifetime. This is represented as a numeric value followed by "y" (years), "d" (days), "h" (hours), "m" (minutes), or "s" (seconds). The default is "1h".
puppet_enterprise::profile::console::rbac_token_maximum_lifetime
- A value representing the maximum allowable lifetime for all tokens. This is represented as a numeric value followed by "y" (years), "d" (days), "h" (hours), "m" (minutes), or "s" (seconds). The default is "10y".
puppet_enterprise::profile::console::rbac_account_expiry_check_minutes
- An integer that specifies, in minutes, how often the application checks for idle user accounts. The default value is "60" (minutes).
puppet_enterprise::profile::console::rbac_account_expiry_days
- An integer that specifies, in days, the duration before an inactive user account expires. The default is undefined. To activate the feature, add a value of "1" or greater.
RBAC database configuration
Credential information for the RBAC service is stored in a PostgreSQL database.
The configuration information for that database is found in the 'rbac-database' section of the config.
For example:
rbac-database: {
classname: org.postgresql.Driver
subprotocol: postgresql
subname: "//<path-to-host>:5432/perbac"
user: <username here>
password: <password here>
}
classname
- Used by the RBAC service for connecting to the database; this option should always be org.postgresql.Driver.
subprotocol
- Used by the RBAC service for connecting to the database; this option should always be postgresql.
subname
- The JDBC connection path used by the RBAC service for connecting to the database. This should be set to the hostname and configured port of the PostgreSQL database. perbac is the database the RBAC service uses to store credentials.
user
- The username the RBAC service should use to connect to the PostgreSQL database.
password
- The password the RBAC service should use to connect to the PostgreSQL database.
Configure the password algorithm
PE uses SHA-256 as a default password algorithm, but you can change the algorithm to argon2id by editing or adding password algorithm parameters using the console or Hiera. Before changing your password algorithm to argon2id, review argon2 specifications.
puppet_enterprise::profile::console::password_algorithm
- String. One of either SHA-256 or ARGON2ID.
puppet_enterprise::profile::console::password_hash_output_size
- Integer. The desired hash output size, in bytes. This is required when configuring argon2id only.
puppet_enterprise::profile::console::password_algorithm_parallelism
- Integer. The number of parallel computations to do at once. This is required when configuring argon2id only.
puppet_enterprise::profile::console::password_algorithm_memory_in_kb
- Integer. The amount of memory the algorithm consumes when running, in kb. This value is required when configuring argon2id only. To start, we recommend setting it to 25% of your CPU memory.
puppet_enterprise::profile::console::number_of_iterations
- Integer. The number of times a password is hashed before it's stored. We recommend you update this value when switching from SHA-256 to argon2id. The minimum recommended value for argon2id is 3 (iterations).
puppet_enterprise::profile::console::password_salt_size_bytes
- Integer. The size of each generated salt, in bytes.
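Two of the constraints stated in the RBAC and password-algorithm parameter descriptions above are easy to get wrong in Hiera because nothing in the YAML enforces them: rbac_token_auth_lifetime cannot exceed rbac_token_maximum_lifetime, and the argon2id-only parameters must be present when password_algorithm is ARGON2ID. The following Python lint, added here and not part of the PE documentation, parses the numeric-value-plus-unit lifetime format and checks both constraints against a constructed Hiera data set, once misconfigured and once corrected. The sample values, the 365-day year used for comparison, the 65536 KB memory placeholder and the message wording are all assumptions.

```python
import re

CONSOLE = "puppet_enterprise::profile::console::"

# Seconds per unit for the <number><unit> lifetime format. Treating "y" as 365
# days is an assumption made only so that two lifetimes can be compared.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "y": 365 * 86400}
LIFETIME = re.compile(r"^(\d+)([ymdhs])$")


def parse_lifetime(value):
    """Convert a lifetime such as '1h' or '10y' to seconds; reject anything else."""
    match = LIFETIME.match(str(value).strip())
    if not match:
        raise ValueError(
            f"invalid lifetime {value!r}: expected a number followed by y, d, h, m or s"
        )
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


# Parameters the descriptions above mark as required only for argon2id.
ARGON2ID_REQUIRED = (
    "password_hash_output_size",
    "password_algorithm_parallelism",
    "password_algorithm_memory_in_kb",
)
ARGON2ID_MIN_ITERATIONS = 3  # minimum recommended value from the description


def lint_console_settings(hiera):
    """Return a list of problems found in the console RBAC and password settings."""
    problems = []
    # The documented defaults apply when a key is absent from Hiera.
    auth = hiera.get(CONSOLE + "rbac_token_auth_lifetime", "1h")
    maximum = hiera.get(CONSOLE + "rbac_token_maximum_lifetime", "10y")
    try:
        if parse_lifetime(auth) > parse_lifetime(maximum):
            problems.append(
                f"rbac_token_auth_lifetime {auth} exceeds rbac_token_maximum_lifetime {maximum}"
            )
    except ValueError as err:
        problems.append(str(err))

    algorithm = hiera.get(CONSOLE + "password_algorithm", "SHA-256")
    if algorithm == "ARGON2ID":
        for key in ARGON2ID_REQUIRED:
            if CONSOLE + key not in hiera:
                problems.append(f"{key} is required when password_algorithm is ARGON2ID")
        iterations = hiera.get(CONSOLE + "number_of_iterations")
        if iterations is not None and iterations < ARGON2ID_MIN_ITERATIONS:
            problems.append(
                f"number_of_iterations {iterations} is below the recommended "
                f"minimum of {ARGON2ID_MIN_ITERATIONS} for argon2id"
            )
    elif algorithm != "SHA-256":
        problems.append(f"password_algorithm must be SHA-256 or ARGON2ID, not {algorithm!r}")
    return problems


# Constructed Hiera data (not from the PE docs): a misconfigured set ...
MISCONFIGURED = {
    CONSOLE + "rbac_token_auth_lifetime": "30d",
    CONSOLE + "rbac_token_maximum_lifetime": "7d",
    CONSOLE + "password_algorithm": "ARGON2ID",
    CONSOLE + "password_hash_output_size": 32,
    CONSOLE + "password_algorithm_parallelism": 2,
    CONSOLE + "number_of_iterations": 2,  # memory_in_kb missing, iterations too low
}
# ... and the same set corrected. 65536 KB is a placeholder; the description
# recommends starting at 25% of the host's memory.
CORRECTED = dict(MISCONFIGURED, **{
    CONSOLE + "rbac_token_auth_lifetime": "1h",
    CONSOLE + "password_algorithm_memory_in_kb": 65536,
    CONSOLE + "number_of_iterations": 3,
})

if __name__ == "__main__":
    for label, data in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(f"{label}: {lint_console_settings(data) or 'OK'}")
```

The misconfigured set produces three findings (auth lifetime longer than the maximum, missing password_algorithm_memory_in_kb, iterations below 3) and the corrected set produces none; an empty Hiera dict also passes, because the defaults "1h" and "10y" satisfy the lifetime constraint and SHA-256 needs no extra parameters.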
Add a custom HSTS header to NGINX
An HTTP Strict Transport Security (HSTS) response header is a security header that instructs browsers to connect to the console only over HTTPS, blocking access to non-HTTPS content and preventing the browser from being exploited by man-in-the-middle attacks. HSTS does not allow the use of self-signed certificates, so if you want to enable an HSTS header, you must first add a custom certificate issued by a trusted CA to the console. Then, use a custom NGINX module to define and manage the header content.