There are numerous security features available to Agentry applications. In general, these security features are organized into two categories. First are those built into the platform and that may require configuration during implementation. Second are those that are a part of the application deployed on Agentry and are a part of the application definitions and components. The security features built into the Agentry platform are discussed in this section.
When installing the Agentry Clients, the installation wizard provides an option to create either an encrypted or a non-encrypted Client. This option refers to how data is stored on the client device. An encrypted client encrypts all production data stored on the client device. The Client also encrypts all application data.
If an encrypted Client is installed, there are additional items related to users that are addressed during the installation. If devices are shared among multiple users, and a user change occurs, all production and application data stored on the client device is discarded. Encryption of application and production data is based on the user’s login information. When the user login changes, the previous data cannot be decrypted. This can cause an issue if the previous user’s production data includes pending transactions (those not yet transmitted to the Server). If the pending transactions are not transmitted prior to changing users, they are discarded and any data captured by these transactions is lost. If pending transactions exist, a warning message is displayed when a new user logs into the Client and prior to the removal of the transactions.
Since all application data is also removed, a new user of a Client must perform a transmit to retrieve all application and production data, similar to an initial transmit. Therefore, it is recommended that devices running encrypted Agentry Clients are not shared unless necessary.
Since the release of Agentry version 4.4, a secure communications protocol is available called the Agentry Next Generation Encryption Layer, or ANGEL. The ANGEL protocol uses SSL/TLS over TCP/IP communications to encrypt all data synchronized between the Clients and the Server.
The ANGEL protocol is selected as the connect type for a transmit configuration definition within the application. As of Agentry version 4.4, this is the default connect type for all transmit configuration definitions.
The encryption strength supported is up to 512 bit encryption. By default, the actual encryption strength between any given Client and the Server may be less than this, as certain older devices do not support these key lengths. In this default configuration, the Server negotiates with a Client to determine the maximum supported encryption strength of the device. It is possible to alter this behavior by setting both minimum and maximum encryption strengths that the Server allows. In this case, Clients not able to support the configured minimum are not allowed to connect with the Server.
The passwords entered by users during login to the Agentry Clients are encrypted based on an encryption key received from the Agentry Server. This key is the public key portion of a public-private key pairing generated by the Server. Because of this, Clients are tied to that Server after an initial transmit. It is possible to export a Server’s encryption key and import it to other Servers, should Clients need to connect to more than one, as in clustered environments.
This encryption protects user passwords entered on Clients. The password value is stored and transmitted in encrypted form. It is decrypted by the Server when a Client connects and when read in by the Client during user login. In both cases, the decrypted value is not stored permanently and is used only for validation of the user.
When using the ANGEL connect type, both the Agentry Server and the Agentry Clients can be configured to require authentication prior to commencing synchronization. In most cases, the Server authentication is implemented. Client authentication is implemented less often, but is still fully supported.
The Server uses the self-signed certificate AgentryServer.pfx, which is installed with the Server. The Clients contain the certificate file AgentryTrustedCertificates.sst, which is installed by default. This certificate directs the Server to use the Microsoft Enhanced Cryptographic Provider for the SSL/TLS secure communications provided with the ANGEL connection type. It is important to note that the AgentryServer.pfx certificate is not considered an authentication certificate, and is not generated by a certificate authority.
You can obtain a certificate from a certificate authority and install it to the Server or Client for both Server authentication and Client authentication. These certificates are then stored on the Client devices or host system for the Server, with the corresponding trusted certificate entries placed on the counterpart system.