asc policy

Use this command to manage CloudControl policies.

Syntax

asc policy [options]

Option

Description

-C, --copies

Set the number of copies to keep for the specified log. Requires --log.

-g, --getcipher

Get the current SSL Cipher and SSL Protocol string.

--getpurge

Display the current number of days to keep history and policy history data before purging.

-h, --help

Display usage text.

-j, --job <days>

Delete job history data older than the specified number of days. The value for <days> must be an integer greater than 7.

-l, --log

Change the log rotation policy for the specified log. Requires the log name and the number of copies as arguments.

-o, --object-hiding {true|false}

Enable (true) or disable (false) the restricting visibility feature. For more information, see Restricting Visibility.

This is enabled by default.

-p, --purge <days>

Delete policy data older than the specified number of days. The value for <days> must be an integer greater than 7.

-r, --refreshsco {true|false}

Enable (true) or disable (false) automatically refreshing the inventory data after Structure Changing Operations (SCO) are authorized.

--setpurge <days> 

Set the number of days to keep data before purging. All job history and policy history data older than this number of days will be purged.

The default value is 90 days.

-s, --status

Display whether Structure Changing Operations (SCO) are authorized.

-t, --setprotocol

Set the SSL Protocol string. Use + to include and - to remove protocols.

This can be one of the following: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, or all.

Your settings will persist during a reboot of CloudControl, but not during a failover event. In an HA environment, you must run this command against both the primary and the secondary nodes for the settings to persist across nodes.

Important: Running this command requires CloudControl to restart.

-w, --setcipher

Set the SSL cipher string. Use colons to separate the cipher strings. Use + to move ciphers to the end of the list, - to delete ciphers from the list, and ! to permanently delete the ciphers.

Your settings will persist during a reboot of CloudControl, but not during a failover event. In an HA environment, you must run this command against both the primary and the secondary nodes for the settings to persist.

Note: The cipher must be an existing openssl cipher.

Important: Running this command requires CloudControl to restart.

Examples

List the current SCO policy settings:

asc policy -s

Disable Structure Changing Operation (SCO) automatic refresh:

asc policy -r false

Enable Structure Changing Operation (SCO) automatic refresh:

asc policy -r true

Set the purge interval to delete all data more than 10 days old:

asc policy --setpurge 10

Disable the restricting visibility feature:

asc policy --object-hiding false

Change the log rotation policy for the ASC log file to keep 20 copies:

asc policy --log asc --copies 20

View your existing ciphers and protocols:

asc policy --getcipher

Set the OpenSSL cipher string for TLS to comply with FIPS restrictions: 

asc policy --setcipher 'TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL'
The following ciphers will be allowed:
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
ECDH-RSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-RSA-AES256-SHA384
ECDH-ECDSA-AES256-SHA384
AES256-GCM-SHA384
AES256-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256
ECDH-RSA-AES128-GCM-SHA256
ECDH-ECDSA-AES128-GCM-SHA256
ECDH-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
AES128-GCM-SHA256
AES128-SHA256
AES256-SHA
AES128-SHA
DES-CBC3-SHA
Setting the SSL cipher suite string will interrupt production services.
Set SSL Cipher Suite? yes
Production services restarted. Please Wait.
Success: Policy management completed
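
The "following ciphers will be allowed" list above is worth reviewing before you confirm the change. The shell filter below is an added example, not part of the product documentation: it flags suites that lack forward secrecy or use 3DES. The function names and the sample list (six names copied from the output above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: review a cipher list such as the one --setcipher prints.
# Covers the OpenSSL TLS 1.2-style names that appear in that output.

# Print a verdict for one cipher-suite name.
classify_cipher() {
    case "$1" in
        *DES-CBC3*)               echo "weak-3des" ;;         # 64-bit block cipher
        *NULL*|*EXP*|*RC4*|*MD5*) echo "weak-legacy" ;;
        ECDHE-*|DHE-*)                                        # ephemeral key exchange
            case "$1" in
                *GCM*|*CHACHA20*) echo "ok-pfs-aead" ;;
                *)                echo "ok-pfs-cbc" ;;
            esac ;;
        ECDH-*|DH-*)              echo "no-pfs-static-dh" ;;  # fixed (EC)DH key
        *)                        echo "no-pfs-static-rsa" ;; # e.g. AES256-SHA
    esac
}

# Read cipher names on stdin; print "verdict<TAB>name" for every suite that
# is not forward-secret or that uses a legacy algorithm.
audit_ciphers() {
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        verdict=$(classify_cipher "$name")
        case "$verdict" in
            ok-*) ;;
            *)    printf '%s\t%s\n' "$verdict" "$name" ;;
        esac
    done
}

# Constructed sample: six names copied from the output shown above.
sample_ciphers() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
ECDH-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
AES128-SHA
DES-CBC3-SHA
EOF
}

sample_ciphers | audit_ciphers
```

To review a real change, feed the allowed-cipher lines from the command output to audit_ciphers on standard input instead of the sample.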

Set the SSL Protocol string to disable all TLS modes except for TLS 1.2:

Note: You should run this with the asc policy --setcipher 'TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL' command.
asc policy -t '-TLSv1 -TLSv1.1 +TLSv1.2'
Setting the SSL Protocol String will interrupt production services.
Do you want to set the SSL Protocol String? yes
Production services restarted. Please Wait.
Success: Policy management completed