Define security profiles in EAServer using Security Manager. Associate the profile with a server listener and determine the SSL characteristics of the listener. The profile is used on the client side to set the SSL connection parameters. Follow the same procedures to assign a profile containing TLS characteristics to a listener. A profile has a security characteristic, which is a combination of the following properties:
SSL or TLS cipher suite
Authentication mode – server only, mutual, or none
Table 9-1 displays a list of the security characteristics and cipher suites used to support TLS. A profile that includes _mutual_auth specifies:
For a client – the client wants to authenticate to the server, or
For a server – the client’s certificate is necessary.
Table 9-1 lists the name, the level of authentication, and the supported cipher suites for each TLS security characteristic.
Name of characteristic |
Authenticates |
Cipher suites in decreasing order of preference/strength |
|---|---|---|
sybpks_strong_tls |
server |
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 |
sybpks_strong_mutual_auth_tls |
client/server |
Same as sybpks_strong_tls |
sybpks_domestic_tls |
server |
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA |
sybpks_domestic_tls_mutual_auth |
client/server |
Same as sybpks_domestic_tls |
sybpks_intl_tls |
server |
TLS_RSA_EXPORT_WITH_RC4_40_MD4 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_WITH_NULL_MD5 |
sybpks_intl_mutual_auth_tls |
client/server |
Same as sybpks_intl_tls |
sybpks_simple_tls |
server |
TLS_RSA_WITH_NULL_MD5 |
sybpks_simple_tls_mutual_auth |
client/server |
Same as sybpks_simple_tls |
sybpks_<ciphersuite> Valid cipher suites are: sybpks_tls_rsa_with_3des_ede_cbc_sha sybpks_tls_rsa_with_aes_256_cbc_sha sybpks_tls_rsa_with_aes_128_cbc_sha sybpks_tls_rsa_with_des_cbc_sha sybpks_tls_rsa_with_rc4_128_sha sybpks_tls_rsa_export_with_rc4_40_md5 sybpks_ssl_rsa_with_3des_ede_cbc_sha sybpks_ssl_rsa_with_rc4_128_sha |
server |
This is a new special characteristic. One cipher suite can be listed in the string. For example, sybpks_SSL_RSA_WITH_3DES_EDE_CBC_SHA selects only one cipher suite.
|
sybpks_<ciphersuite>_mutual_auth |
client/server |
Same as sybpks_<ciphersuite>. For example: sybpks_ssl_rsa_with_3des_ede_cbc_sha_mutual_auth |
Table 9-2 lists the name, level of authentication, and the FIPS-supported cipher suites for each TLS security characteristic. These cipher suites are enabled when a server or client is operating in a FIPS 140-2 mode; they are a subset of the characteristics listed in Table 9-1.
When EAServer or a client is operating in a FIPS-compliant mode, only the TLS protocol should be used. FIPS 140-2 has an approved list of algorithms. Due to this requirement, not all cipher suites are available while operating in a FIPS mode.
Name of characteristic |
Authenticates |
Cipher suites in decreasing order of preference/strength |
|---|---|---|
sybpks_strong_tls |
server |
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA |
sybpks_strong_mutual_auth_tls |
client/server |
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA |
sybpks_domestic_tls |
server |
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA |
sybpks_domestic_tls_mutual_auth |
client/server |
Same as sybpks_domestic_tls plus mutual authentication |
sybpks_<ciphersuite> Valid FIPS supported cipher suites are: sybpks_tls_rsa_with_3des_ede_cbc_sha sybpks_tls_rsa_with_aes_256_cbc_sha sybpks_tls_rsa_with_aes_128_cbc_sha sybpks_tls_rsa_with_des_cbc_sha |
server |
This is a new special characteristic. One cipher suite can be listed in the string. For example, sybpks_TLS_RSA_WITH_3DES_EDE_CBC_SHA selects only one ciphersuite.
|
sybpks_<ciphersuite>_mutual_auth |
client/server |
Same as sybpks_<ciphersuite>. For example: sybpks_tls_rsa_with_des_cbc_sha_mutual_auth |
Existing security profiles (sbpks_simple, sybpks_intl, sybpks_domestic, sybpks_strong),
have been modified to accept TLS and SSL. This allows:
pre-5.2 clients to connect to EAServer version 5.2 and greater using SSLv3
5.2 and greater clients to connect to EAServer version 5.2 and greater using FIPS and TLS
5.2 and greater clients connecting to a pre-5.2 EAServer installation (or a 5.2 or greater installation that has FIPS disabled) to connect using SSL
Existing client applications continue to work without any change to SSL settings. However, to use only the TLS protocol in your applications, use the new security profiles that support TLS. See Table 9-1.
By default, FIPS mode is disabled. To enable FIPS, see “Enabling FIPS,” below.
