Security profiles define the security characteristics of a client-EAServer session. You assign a security profile to a listener, which is a port that accepts client connection requests of various protocols. EAServer can support multiple listeners. Clients that support the same characteristics can communicate to EAServer via the port defined in the listener.
Each security profile has an associated security characteristic. A security characteristic is a name that has a set of cipher suites associated with it. A security characteristic, along with the cipher suites, defines these characteristics of a client/server connection:
Protocol All profiles use SSL version 3 as the underlying protocol. IIOPS and HTTPS traffic is tunneled through SSL.
Authentication Whether or not authentication is used. Profiles can support:
No authentication – neither client nor server need to provide a certificate for authentication.
Server authentication – only the server needs to provide a certificate to be accepted or rejected by the client.
Client and server authentication – both the client and server supply certificates to be accepted or rejected by the other.
Encryption strength and method Whether or not data is encrypted, and if so, the key strength and method of the encryption.
International use All cipher suites are available domestically, but not all are suitable for export outside of the United States and Canada.
Hashing method The method used to create the message digest.
For example, the cipher suite SSL_RSA_WITH_NULL_MD5 can be interpreted as:
SSL – the protocol used. All profiles use SSL.
RSA – the key exchange algorithm used.
NULL – no encryption.
MD5 – the hash method used to compute the message digest.
Table 13-1 and Table 13-2 clarify the relationship between cipher suite terminology and security characteristics.
Name |
Defines |
Description |
|---|---|---|
SSL |
Protocol |
SSL protocol uses public-key encryption to establish secure Internet communications. |
RSA DH_anon |
Key exchange algorithm |
RSA and DH (Diffie-Hellman) are public-key cryptography systems, which define both authentication and encryption:
|
EXPORT |
Suitable for export |
Because of export regulations, some CipherSuites are not suitable for export. Only CipherSuites that contain the word EXPORT are suitable for international use. |
NULL |
No encryption |
Data is not encrypted. |
DES 3DES DES40 RC4_40 RC4_128 |
Encryption algorithms |
System: Key length: DES 56 3DES 168 DES40 40 RC4_40 40 RC4_128 128 The greater the key length, the greater the encryption strength. |
EDE CBC |
Encryption and decryption modes |
CBC and EDE are modes by which DES algorithms are encrypted and decrypted. |
SHA MD5 |
Hash function |
SHA and MD5 are hash methods used to compute the message digest when generating a digital signature. |
Browsers do not support anonymous cipher suites.
