Define security profiles in EAServer using Security Manager. Associate the profile with a server listener; the profile determines the SSL characteristics of that listener. On the client side, the profile is used to set the SSL connection parameters. Follow the same procedures to assign a profile containing TLS characteristics to a listener.

A profile has a security characteristic, which is a combination of the following properties:

- SSL or TLS cipher suite
- Authentication mode – server only, mutual, or none

Table 9-1 displays a list of the security characteristics and cipher suites used to support TLS. A profile that includes _mutual_auth specifies:

- For a client – the client wants to authenticate to the server, or
- For a server – the client's certificate is necessary.

Table 9-1 lists the name, the level of authentication, and the supported cipher suites for each TLS security characteristic.

| Name of characteristic | Authenticates | Cipher suites in decreasing order of preference/strength |
|---|---|---|
| sybpks_strong_tls | server | TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_DES_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5 |
| sybpks_strong_mutual_auth_tls | client/server | Same as sybpks_strong_tls |
| sybpks_domestic_tls | server | TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_DES_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA |
| sybpks_domestic_tls_mutual_auth | client/server | Same as sybpks_domestic_tls |
| sybpks_intl_tls | server | TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_MD5 |
| sybpks_intl_mutual_auth_tls | client/server | Same as sybpks_intl_tls |
| sybpks_simple_tls | server | TLS_RSA_WITH_NULL_MD5 |
| sybpks_simple_tls_mutual_auth | client/server | Same as sybpks_simple_tls |
| sybpks_<ciphersuite>. Valid cipher suites are: sybpks_tls_rsa_with_3des_ede_cbc_sha, sybpks_tls_rsa_with_aes_256_cbc_sha, sybpks_tls_rsa_with_aes_128_cbc_sha, sybpks_tls_rsa_with_des_cbc_sha, sybpks_tls_rsa_with_rc4_128_sha, sybpks_tls_rsa_export_with_rc4_40_md5, sybpks_ssl_rsa_with_3des_ede_cbc_sha, sybpks_ssl_rsa_with_rc4_128_sha | server | This is a new special characteristic. One cipher suite can be listed in the string. For example, sybpks_SSL_RSA_WITH_3DES_EDE_CBC_SHA selects only one cipher suite. |
| sybpks_<ciphersuite>_mutual_auth | client/server | Same as sybpks_<ciphersuite>. For example: sybpks_ssl_rsa_with_3des_ede_cbc_sha_mutual_auth |

Table 9-2 lists the name, level of authentication, and the FIPS-supported cipher suites for each TLS security characteristic. These cipher suites are enabled when a server or client is operating in a FIPS 140-2 mode; they are a subset of the characteristics listed in Table 9-1.
When EAServer or a client is operating in a FIPS-compliant mode, only the TLS protocol should be used. FIPS 140-2 has an approved list of algorithms. Due to this requirement, not all cipher suites are available while operating in a FIPS mode.

| Name of characteristic | Authenticates | Cipher suites in decreasing order of preference/strength |
|---|---|---|
| sybpks_strong_tls | server | TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_DES_CBC_SHA |
| sybpks_strong_mutual_auth_tls | client/server | TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_DES_CBC_SHA |
| sybpks_domestic_tls | server | TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_DES_CBC_SHA |
| sybpks_domestic_tls_mutual_auth | client/server | Same as sybpks_domestic_tls plus mutual authentication |
| sybpks_<ciphersuite>. Valid FIPS-supported cipher suites are: sybpks_tls_rsa_with_3des_ede_cbc_sha, sybpks_tls_rsa_with_aes_256_cbc_sha, sybpks_tls_rsa_with_aes_128_cbc_sha, sybpks_tls_rsa_with_des_cbc_sha | server | This is a new special characteristic. One cipher suite can be listed in the string. For example, sybpks_TLS_RSA_WITH_3DES_EDE_CBC_SHA selects only one cipher suite. |
| sybpks_<ciphersuite>_mutual_auth | client/server | Same as sybpks_<ciphersuite>. For example: sybpks_tls_rsa_with_des_cbc_sha_mutual_auth |

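
An added example, not part of the original Sybase documentation: the Python script below resolves a security characteristic name from Table 9-1 to its authentication mode and cipher suites, applies the Table 9-2 restriction when FIPS mode is on, and flags suites built on NULL, export-grade, RC4, single-DES or MD5 primitives. The `audit` function and the weak-suite markers are this example's own assumptions; the suite lists are transcribed from the two tables.

```python
import re

# Cipher suites transcribed from Table 9-1, in the table's preference order.
STRONG = ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
          "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_DES_CBC_SHA",
          "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5"]
EXPORT = ["TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"]
NULL = ["TLS_RSA_WITH_NULL_MD5"]
GROUPS = {"strong": STRONG, "domestic": STRONG + EXPORT,
          "intl": EXPORT + NULL, "simple": NULL}
# Exact characteristic names from Table 9-1 -> (group, mutual authentication?)
NAMED = {"sybpks_strong_tls": ("strong", False),
         "sybpks_strong_mutual_auth_tls": ("strong", True),
         "sybpks_domestic_tls": ("domestic", False),
         "sybpks_domestic_tls_mutual_auth": ("domestic", True),
         "sybpks_intl_tls": ("intl", False),
         "sybpks_intl_mutual_auth_tls": ("intl", True),
         "sybpks_simple_tls": ("simple", False),
         "sybpks_simple_tls_mutual_auth": ("simple", True)}
# Suites Table 9-1 allows in the single-suite form sybpks_<ciphersuite>.
SINGLE = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
          "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_DES_CBC_SHA",
          "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
          "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA"}
FIPS = set(STRONG[:4])  # the four suites listed in Table 9-2
# Editor's assumption, not from the page: markers of suites treated as weak.
WEAK = re.compile(r"NULL|EXPORT|RC4|_DES_CBC|MD5")

def audit(name, fips=False):
    """Resolve a characteristic name to its auth mode, suites and weak suites."""
    key = name.lower()
    if key in NAMED:
        group, mutual = NAMED[key]
        suites = list(GROUPS[group])
    else:
        m = re.fullmatch(r"sybpks_(.+?)(_mutual_auth)?", key)
        if not m or m.group(1).upper() not in SINGLE:
            raise ValueError(f"unknown security characteristic: {name}")
        suites, mutual = [m.group(1).upper()], bool(m.group(2))
    if fips:  # Table 9-2 is Table 9-1 restricted to the FIPS-listed suites
        suites = [s for s in suites if s in FIPS]
    return {"auth": "client/server" if mutual else "server",
            "suites": suites,
            "weak": [s for s in suites if WEAK.search(s)]}

if __name__ == "__main__":
    for n in ("sybpks_intl_tls", "sybpks_strong_tls", "sybpks_simple_tls"):
        print(n, audit(n), audit(n, fips=True))
```

With `fips=True`, sybpks_intl_tls and sybpks_simple_tls resolve to no suites at all, consistent with their absence from Table 9-2.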

Existing security profiles (sybpks_simple, sybpks_intl, sybpks_domestic, sybpks_strong) have been modified to accept TLS and SSL. This allows:

- Pre-5.2 clients to connect to EAServer version 5.2 and greater using SSLv3
- 5.2 and greater clients to connect to EAServer version 5.2 and greater using FIPS and TLS
- 5.2 and greater clients connecting to a pre-5.2 EAServer installation (or a 5.2 or greater installation that has FIPS disabled) to connect using SSL

Existing client applications continue to work without any change to SSL settings. However, to use only the TLS protocol in your applications, use the new security profiles that support TLS. See Table 9-1.
By default, FIPS mode is disabled. To enable FIPS, see “Enabling FIPS,” below.

Copyright © 2005. Sybase Inc. All rights reserved.