Define security profiles in EAServer using the Sybase Management Console. Associating a profile with a server listener determines the SSL characteristics of that listener; on the client side, the profile sets the SSL connection parameters. Follow the same procedures to assign a profile containing TLS characteristics to a listener. A profile has a security characteristic, which is a combination of the following properties:

- SSL or TLS cipher suite
- Authentication mode – server only, mutual, or none
Table 6-1 displays a list of the security characteristics and cipher suites used to support TLS. A characteristic that includes _mutual_ specifies:

- For a client – the client wants to authenticate to the server, or
- For a server – the client’s certificate is necessary.
Table 6-1 lists the name, the level of authentication, the supported cipher suites for each TLS security characteristic, and if it supports FIPS.
FIPS-supported cipher suites for each TLS security characteristic are enabled when a server or client is operating in a FIPS 140-2 mode.
When EAServer or a client is operating in a FIPS-compliant mode, only the TLS protocol should be used. FIPS 140-2 has an approved list of algorithms. Due to this requirement, not all cipher suites are available while operating in a FIPS mode.
Modifying security profile properties
1. From the Web Management Console, expand the Security folder.
2. Expand the Profiles folder.
3. Highlight the security profile whose properties you want to modify. The General Properties pane appears, from which you can define or modify these general profile properties:

- Certificate Label – the name of the certificate label for this profile. The certificate label identifies the certificate used for authentication.
- Security Characteristic – select a security characteristic to use for the security profile from the drop-down list. The characteristic defines the required level of security, including authentication. Table 6-1 lists the characteristics, cipher suite support, and authentication level.
Table 6-1: TLS security characteristics

| Name of characteristic | Authenticates | Cipher suites | Supports FIPS? |
|---|---|---|---|
| domestic | server | RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA, RSA_WITH_DES_CBC_SHA, RSA_EXPORT_WITH_RC4_40_MD5, RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_MD5, TLS_RSA_WITH_NULL_SHA | Yes |
| domestic_anon_tls | neither | DH_anon_WITH_3DES_EDE_CBC_SHA, DH_anon_WITH_RC4_128_MD5, DH_anon_WITH_DES_CBC_SHA, DH_anon_EXPORT_WITH_RC4_40_MD5, DH_anon_EXPORT_WITH_DES40_CBC_SHA. The _anon profiles are used for anonymous Diffie-Hellman communications; neither the client nor the server is authenticated. | No |
| domestic_mutual | client/server | RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA, RSA_WITH_DES_CBC_SHA, RSA_EXPORT_WITH_RC4_40_MD5, RSA_EXPORT_WITH_DES40_CBC_SHA, RSA_WITH_NULL_MD5, RSA_WITH_NULL_SHA | Yes |
| domestic_mutual_tls | client/server | RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA, RSA_WITH_DES_CBC_SHA, RSA_EXPORT_WITH_RC4_40_MD5, RSA_EXPORT_WITH_DES40_CBC_SHA, RSA_WITH_NULL_MD5, RSA_WITH_NULL_SHA | Yes |
| domestic_tls | server | RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA, RSA_WITH_DES_CBC_SHA, RSA_EXPORT_WITH_RC4_40_MD5, RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_MD5, TLS_RSA_WITH_NULL_SHA | Yes |
| intl_mutual_tls | client/server | RSA_EXPORT_WITH_RC4_40_MD5, RSA_EXPORT_WITH_DES40_CBC_SHA | No |
| intl_tls | server | RSA_EXPORT_WITH_RC4_40_MD5, RSA_EXPORT_WITH_DES40_CBC_SHA | No |
| simple_tls | server | RSA_WITH_NULL_MD5, RSA_WITH_NULL_SHA | No |
| simple_mutual_tls | client/server | RSA_WITH_NULL_MD5, RSA_WITH_NULL_SHA | No |
| strong | server | RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA | Yes |
| strong_mutual | client/server | RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA | Yes |
| strong_tls | server | RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA | Yes |
| strong_mutual_tls | client/server | RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA | Yes |
| tls_rsa_with_3des_ede_cbc_sha | server | rsa_with_3des_ede_cbc_sha | Yes |
| tls_rsa_with_3des_ede_cbc_sha_mutual | client/server | rsa_with_3des_ede_cbc_sha | Yes |
| tls_rsa_with_aes_256_cbc_sha | server | rsa_with_aes_256_cbc_sha | Yes |
| tls_rsa_with_aes_256_cbc_sha_mutual | client/server | rsa_with_aes_256_cbc_sha | Yes |
| tls_rsa_with_aes_128_cbc_sha | server | rsa_with_aes_128_cbc_sha | Yes |
| tls_rsa_with_aes_128_cbc_sha_mutual | client/server | rsa_with_aes_128_cbc_sha | Yes |
| tls_rsa_with_des_cbc_sha | server | rsa_with_des_cbc_sha | Yes |
| tls_rsa_with_des_cbc_sha_mutual | client/server | rsa_with_des_cbc_sha | Yes |
| tls_rsa_with_rc4_128_sha | server | rsa_with_rc4_128_sha | Yes |
| tls_rsa_with_rc4_128_sha_mutual | client/server | rsa_with_rc4_128_sha | Yes |
| tls_rsa_export_with_rc4_40_md5 | server | rsa_export_with_rc4_40_md5 | No |
| tls_rsa_export_with_rc4_40_md5_mutual | client/server | rsa_export_with_rc4_40_md5 | No |
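The characteristics above combine three things a reviewer has to judge together: which cipher suites a listener will negotiate, whether the peer is authenticated (server only, mutual, or neither), and whether the characteristic is usable in FIPS 140-2 mode. The following script is an added example, not code from EAServer or from the Sybase documentation: it transcribes a subset of Table 6-1 into a data structure, flags the suites in each characteristic that a practitioner would consider weak today (NULL, anonymous DH, export-grade, single DES, 3DES, RC4, MD5-based MAC), and selects the characteristics that satisfy a stated policy (mutual authentication required or not, FIPS required or not). The weakness rules and the acceptance policy are this script's own assumptions; the table contents come from the page.

```python
"""Audit EAServer security characteristics (Table 6-1) for weak cipher suites.

Added example for this page; not code from EAServer or the Sybase
documentation. CHARACTERISTICS transcribes a subset of Table 6-1; the
WEAKNESS_RULES and the acceptance policy in acceptable() are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Characteristic:
    name: str
    authenticates: str              # "server", "client/server" or "neither"
    cipher_suites: Tuple[str, ...]
    supports_fips: bool

    @property
    def mutual(self) -> bool:
        # A *_mutual characteristic requires the client's certificate too.
        return self.authenticates == "client/server"


# Subset of Table 6-1 as printed on the page (selection is constructed).
CHARACTERISTICS: Dict[str, Characteristic] = {
    c.name: c for c in (
        Characteristic("domestic", "server", (
            "RSA_WITH_3DES_EDE_CBC_SHA", "RSA_WITH_RC4_128_MD5",
            "RSA_WITH_RC4_128_SHA", "RSA_WITH_DES_CBC_SHA",
            "RSA_EXPORT_WITH_RC4_40_MD5", "RSA_EXPORT_WITH_DES40_CBC_SHA",
            "TLS_RSA_WITH_NULL_MD5", "TLS_RSA_WITH_NULL_SHA"), True),
        Characteristic("domestic_anon_tls", "neither", (
            "DH_anon_WITH_3DES_EDE_CBC_SHA", "DH_anon_WITH_RC4_128_MD5",
            "DH_anon_WITH_DES_CBC_SHA", "DH_anon_EXPORT_WITH_RC4_40_MD5",
            "DH_anon_EXPORT_WITH_DES40_CBC_SHA"), False),
        Characteristic("strong_mutual_tls", "client/server", (
            "RSA_WITH_3DES_EDE_CBC_SHA", "RSA_WITH_RC4_128_MD5",
            "RSA_WITH_RC4_128_SHA"), True),
        Characteristic("simple_tls", "server",
                       ("RSA_WITH_NULL_MD5", "RSA_WITH_NULL_SHA"), False),
        Characteristic("tls_rsa_with_aes_256_cbc_sha_mutual", "client/server",
                       ("rsa_with_aes_256_cbc_sha",), True),
        Characteristic("tls_rsa_with_aes_128_cbc_sha", "server",
                       ("rsa_with_aes_128_cbc_sha",), True),
        Characteristic("tls_rsa_export_with_rc4_40_md5", "server",
                       ("rsa_export_with_rc4_40_md5",), False),
    )
}

# (regex, reason) matched case-insensitively against the suite name.
# These rules are the script's own assumptions, not EAServer policy.
WEAKNESS_RULES: Tuple[Tuple[str, str], ...] = (
    (r"_NULL_",        "NULL cipher: integrity only, no confidentiality"),
    (r"DH_anon",       "anonymous DH: no peer authentication"),
    (r"_EXPORT_",      "export-grade 40-bit key"),
    (r"_WITH_DES_CBC", "single DES (56-bit key)"),
    (r"3DES",          "3DES: 64-bit block size (Sweet32)"),
    (r"_RC4_",         "RC4 stream cipher (prohibited by RFC 7465)"),
    (r"_MD5$",         "MD5-based MAC (deprecated)"),
)


def weaknesses(suite: str) -> List[str]:
    """Reasons a single cipher suite is considered weak ([] if none)."""
    return [reason for pattern, reason in WEAKNESS_RULES
            if re.search(pattern, suite, re.IGNORECASE)]


def audit(name: str) -> Dict[str, List[str]]:
    """Map each weak suite enabled by a characteristic to its reasons."""
    char = CHARACTERISTICS[name]
    return {s: weaknesses(s) for s in char.cipher_suites if weaknesses(s)}


def acceptable(name: str, require_mutual: bool, require_fips: bool) -> bool:
    """Policy: peer authenticated, mutual/FIPS as required, no weak suites."""
    char = CHARACTERISTICS[name]
    if char.authenticates == "neither":
        return False                      # anonymous profiles never pass
    if require_mutual and not char.mutual:
        return False
    if require_fips and not char.supports_fips:
        return False
    return not audit(name)


def recommend(require_mutual: bool, require_fips: bool) -> List[str]:
    """Characteristics in the table that satisfy the policy, sorted by name."""
    return sorted(n for n in CHARACTERISTICS
                  if acceptable(n, require_mutual, require_fips))


if __name__ == "__main__":
    for name, char in CHARACTERISTICS.items():
        findings = audit(name)
        print(f"{name}: {len(findings)}/{len(char.cipher_suites)} weak suites")
        for suite, reasons in findings.items():
            print(f"  {suite}: {'; '.join(reasons)}")
    print("mutual + FIPS:", recommend(True, True))
```

Run as a script it prints, per characteristic, how many of its suites are flagged and why; `recommend(True, True)` returns the characteristics a listener that must authenticate clients in FIPS mode could use without enabling any flagged suite. Note that the `domestic*` characteristics, although listed as FIPS-supported, enable NULL and export suites outside FIPS mode, which is why the FIPS column alone is not a sufficient selection criterion.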