Configure security settings
Configure these security settings to ensure your Puppet Enterprise (PE) environment is secure.
Configure cipher suites
Regulatory compliance or other security requirements might require you to change the cipher suites your SSL-enabled PE services use to communicate with other PE components.
To add or remove cipher suites for different service types, use Hiera to modify the following parameters:
puppet_enterprise::ssl_cipher_suites
- List IANA-formatted ciphers for all PE Java-based services, which includes PuppetDB, Puppet Server, console services, and the orchestrator.
puppet_enterprise::ssl_cipher_suites_non_java
- List OpenSSL-formatted ciphers for all PE non-Java services, which includes Bolt Server, ACE Server, and PostgreSQL.
puppet_enterprise::ssl_cipher_suites_browser
- List OpenSSL-formatted ciphers for NGINX. These ciphers are accepted by the PE console in the browser.
Configure SSL protocols
You can change what SSL protocols your Puppet Enterprise (PE) infrastructure uses.
- Where to configure
- In Hiera data files.
- Parameter
puppet_enterprise::master::puppetserver::ssl_protocols
- Format
- Array of strings representing SSL protocols.
- Example
- This declaration enables TSLv1.3 and
TSLv1.2:
puppet_enterprise::master::puppetserver::ssl_protocols: ["TLSv1.3", "TLSv1.2"]
- Default
-
["TLSv1.3", "TLSv1.2"]
Note: To comply with security regulations, only versions 1.2 and 1.3 of the Transport Layer Security (TLS) protocol are enabled. If necessary, you can manually enable TLSv1 and TSLv1.1.
Configure RBAC and token-based authentication settings
You can configure RBAC and token-based authentication settings, such as setting the number of failed attempts a user has before they are locked out of the console or the amount of time tokens are valid.
puppet_enterprise::profile::console::rbac_failed_attempts_lockout
- An integer specifying how many failed login attempts are allowed on an account before the account is revoked.
puppet_enterprise::profile::console::rbac_password_reset_expiration
- An integer representing the number of hours that password reset tokens are valid.
puppet_enterprise::profile::console::rbac_session_timeout
- An integer representing, in minutes, how long a user's session can last.
puppet_enterprise::profile::console::rbac_token_auth_lifetime
- A string representing the default authentication lifetime for a token.
puppet_enterprise::profile::console::rbac_token_maximum_lifetime
- A string representing the maximum allowable lifetime for all tokens.
puppet_enterprise::profile::console::rbac_account_expiry_check_minutes
- An integer specifying, in minutes, how often the application checks for idle user accounts.
puppet_enterprise::profile::console::rbac_account_expiry_days
- An integer specifying, in days, the duration before an inactive user account expires.
puppet_enterprise::profile::console::ldap_sync_period_seconds
- An integer specifying, in seconds, the interval at which LDAP group membership associations are synchronized.
RBAC database configuration
Credential information for the RBAC service is stored in a PostgreSQL database. Configuration information for this
database is in the rbac-database
section of the config
file.
rbac-database: {
classname: org.postgresql.Driver
subprotocol: postgresql
subname: "//<PATH_TO_HOST>:5432/perbac"
user: <USERNAME>
password: <PASSWORD>
}
classname
- Used by the RBAC service for connecting to the database.
subprotocol
- Used by the RBAC service for connecting to the database.
subname
- The JDBC connection path used by the RBAC service for connecting to the database.
user
- This is the username the RBAC service uses to connect to the PostgreSQL database.
password
- This is the password the RBAC service uses to connect to the PostgreSQL database.
Configure the password algorithm
Puppet Enterprise (PE) uses SHA-256 as a default password algorithm. You can use Hiera or the PE console to change the algorithm to argon2id by editing or adding password algorithm parameters.
puppet_enterprise::profile::console::password_algorithm
- A string, either
"SHA-256"
or"ARGON2ID"
. puppet_enterprise::profile::console::password_hash_output_size
- An integer representing the desired hash output size in bytes.
puppet_enterprise::profile::console::password_algorithm_parallelism
- An integer representing the number of parallel computations that can be performed at once.
puppet_enterprise::profile::console::password_algorithm_memory_in_kb
- An integer representing the amount of memory, in KB, the algorithm consumes when running.
puppet_enterprise::profile::console::number_of_iterations
- An integer representing the number of times a password is hashed before it’s stored.
puppet_enterprise::profile::console::password_salt_size_bytes
- An integer representing the size, in bytes, of each generated salt.
Security warnings due to missing HSTS response headers
Puppet Enterprise (PE) does not implement HTTP Strict Transport Security (HSTS) in response headers because the ports used by PE are not open to the internet. However, your security system might flag HSTS response headers as missing and deliver a warning that PE service ports are vulnerable. If this happens, consider adjusting your security software configuration to add an exception for PE ports.
About HSTS
HSTS is designed to protect sites against man-in-the-middle attacks. When HSTS is enabled, an HSTS response header forces user agents and browsers to use HTTPS for loading site content.
Why HSTS is not required for PE
HSTS is not required for PE because none of the ports used by PE are open to the internet.
Adding exceptions for PE ports
If your security system flags a vulnerability due to missing HSTS headers in PE service ports, consider adjusting your security software configuration to add an exception for PE ports.
Typically, an exception is required only for port 443, which is used for PE console services. Port 443 is available to PE users, only within an internal network. To prevent attacks, the console service allows only secure, domain-bound cookies and HTTPS traffic. Mixed content (a combination of HTTP and HTTPS content) is not allowed.
To learn more about PE ports, see Firewall configuration.