This section describes how to add security profiles to a domain. See Chapter 6, “Using TLS and FIPS” for information about FIPS/TLS security profiles.
EAServer contains two predefined security profiles:

- sample1, which features the domestic security characteristic, and
- sample2, which features the domestic_mutual security characteristic.
Security profiles define the security characteristics of a client-EAServer session. Assign a security profile to a listener, which is a port that accepts client connection requests of various protocols. EAServer can support multiple listeners. Clients that support the same characteristics can communicate with EAServer through the port defined in the listener.
Each security profile has an associated security characteristic. A security characteristic is a name that has a set of cipher suites associated with it. A security characteristic, along with the cipher suites, defines these characteristics of a client/server connection:
- Protocol – All profiles use SSL version 3 as the underlying protocol. IIOPS and HTTPS traffic is tunneled through SSL.
- Authentication – Whether or not authentication is used. Profiles can support:
  - No authentication – neither client nor server need to provide a certificate for authentication.
  - Server authentication – only the server must provide a certificate to be accepted or rejected by the client.
  - Client and server authentication – both the client and server supply certificates to be accepted or rejected by the other.
- Encryption strength and method – Whether or not data is encrypted, and if so, the key strength and method of the encryption.
- International use – All cipher suites are available domestically, but not all are suitable for export outside of the United States and Canada.
- Hashing method – The method used to create the message digest.
For example, the cipher suite SSL_RSA_WITH_NULL_MD5 can be interpreted as:
- SSL – the protocol used. All profiles use SSL.
- RSA – the key exchange algorithm used.
- NULL – no encryption.
- MD5 – the hash method used to compute the message digest.
Table 10-3 and Table 10-4 clarify the relationship between cipher suite terminology and security characteristics.

Table 10-3

Name | Defines | Description
---|---|---
SSL | Protocol | SSL protocol uses public-key encryption to establish secure Internet communications.
RSA, DH_anon | Key exchange algorithm | RSA and DH (Diffie-Hellman) are public-key cryptography systems, which define both authentication and encryption:
EXPORT | Suitable for export | Because of export regulations, some cipher suites are not suitable for export. Only cipher suites that contain the word EXPORT are suitable for international use.
NULL | No encryption | Data is not encrypted.
DES, 3DES, DES40, RC4_40, RC4_128 | Encryption algorithms | Key lengths (bits): DES 56; 3DES 168; DES40 40; RC4_40 40; RC4_128 128. The greater the key length, the greater the encryption strength.
EDE, CBC | Encryption and decryption modes | CBC and EDE are modes by which DES algorithms are encrypted and decrypted.
SHA, MD5 | Hash function | SHA and MD5 are hash methods used to compute the message digest when generating a digital signature.
Browsers do not support anonymous cipher suites.
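The breakdown of SSL_RSA_WITH_NULL_MD5 above and the key lengths in Table 10-3 can be turned into a small audit script, added here as an example that is not part of the EAServer documentation or product: it splits any suite name from Table 10-4 into protocol, key exchange, export flag, encryption algorithm, mode and hash, and then reports, per the page's own criteria, which suites of a characteristic give reduced protection (anonymous DH, NULL encryption, export-grade or short keys). The AES key sizes and the field order assumed by the regular expression are the author's assumptions, not taken from the tables.

```python
import re

# Key lengths in bits from Table 10-3; the AES sizes are assumed from the suite name.
KEY_BITS = {"NULL": 0, "DES40": 40, "RC4_40": 40, "DES": 56, "RC4_128": 128,
            "AES_128": 128, "3DES": 168, "AES_256": 256}

# Assumed field layout of a suite name: [SSL_|TLS_]KX[_EXPORT]_WITH_ENC[_EDE][_CBC]_HASH
SUITE_RE = re.compile(
    r"^(?:(?P<proto>SSL|TLS)_)?(?P<kx>RSA|DH_anon)(?P<export>_EXPORT)?_WITH_"
    r"(?P<enc>NULL|3DES|DES40|DES|RC4_40|RC4_128|AES_128|AES_256)"
    r"(?P<mode>(?:_EDE)?(?:_CBC)?)_(?P<hash>MD5|SHA)$", re.IGNORECASE)

def parse_suite(name):
    """Split a cipher suite name into the fields that Table 10-3 describes."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError("unrecognised cipher suite name: " + name)
    enc = m.group("enc").upper()
    mode = m.group("mode").strip("_").upper()
    return {
        "protocol": (m.group("proto") or "SSL").upper(),  # all profiles use SSL
        "key_exchange": "DH_anon" if m.group("kx").lower() == "dh_anon" else "RSA",
        "export": m.group("export") is not None,
        "encryption": enc,
        "key_bits": KEY_BITS[enc],
        "mode": mode.replace("_", "+") if mode else None,  # e.g. "EDE+CBC"
        "hash": m.group("hash").upper(),
    }

def weaknesses(name):
    """Reasons, using the page's own criteria, that a suite gives reduced protection."""
    f = parse_suite(name)
    reasons = []
    if f["key_exchange"] == "DH_anon":
        reasons.append("anonymous DH: neither client nor server is authenticated")
    if f["encryption"] == "NULL":
        reasons.append("NULL: data is not encrypted")
    elif f["export"] or f["key_bits"] < 128:
        reasons.append("short %d-bit key (%s)" % (f["key_bits"], f["encryption"]))
    return reasons

def audit_characteristic(suites):
    """Map every suite of a security characteristic to its list of weaknesses."""
    return {s: weaknesses(s) for s in suites}

# The suite list of the "domestic" characteristic, copied from Table 10-4.
DOMESTIC = ["RSA_WITH_3DES_EDE_CBC_SHA", "RSA_WITH_RC4_128_MD5", "RSA_WITH_RC4_128_SHA",
            "RSA_WITH_DES_CBC_SHA", "RSA_EXPORT_WITH_RC4_40_MD5",
            "RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_RSA_WITH_NULL_MD5", "TLS_RSA_WITH_NULL_SHA"]
```

Running audit_characteristic(DOMESTIC) shows that only the three 128-bit-or-stronger RSA suites of the domestic characteristic carry no weakness; the other five are flagged for a short key or for NULL encryption, which is the check to make before assigning a profile to a listener.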
Adding a security profile

1. From the Web Management Console, expand the Security folder.
2. Right-click the Profiles folder and select Add.
3. The New Security Profile wizard guides you through adding a new security profile. After you click Finish, define the security profile properties.
Modifying security profile properties
1. From the Web Management Console, expand the Security folder.
2. Expand the Profiles folder.
3. Highlight the security profile whose properties you want to modify. The General Properties pane appears, from which you can define or modify these general profile properties:
   - Certificate Label – the name of the certificate label for this profile. The certificate label identifies the certificate used for authentication:
     - For server and Java clients, the certificate label corresponds to the name of the key entry retrieved by the keytool -list command.
     - For C++ clients, the certificate label corresponds to the certificate names generated by the sc-tool -list command.
   - Security Characteristic – select a security characteristic to use for the security profile from the drop-down list. The characteristic defines the required level of security, including authentication. Table 10-4 lists the characteristics, cipher suite support, and authentication level.

Table 10-4

Name of characteristic | Authenticates | Cipher suites
---|---|---
domestic | server | RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA, RSA_WITH_DES_CBC_SHA, RSA_EXPORT_WITH_RC4_40_MD5, RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_MD5, TLS_RSA_WITH_NULL_SHA
domestic_anon | neither | DH_anon_WITH_3DES_EDE_CBC_SHA, DH_anon_WITH_RC4_128_MD5, DH_anon_WITH_DES_CBC_SHA, DH_anon_EXPORT_WITH_RC4_40_MD5, DH_anon_EXPORT_WITH_DES40_CBC_SHA. The _anon profiles are used for anonymous Diffie-Hellman communications. Neither the client nor the server is authenticated.
domestic_anon_tls | neither | DH_anon_WITH_3DES_EDE_CBC_SHA, DH_anon_WITH_RC4_128_MD5, DH_anon_WITH_DES_CBC_SHA, DH_anon_EXPORT_WITH_RC4_40_MD5, DH_anon_EXPORT_WITH_DES40_CBC_SHA. The _anon profiles are used for anonymous Diffie-Hellman communications. Neither the client nor the server is authenticated.
domestic_mutual | client/server | RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA, RSA_WITH_DES_CBC_SHA, RSA_EXPORT_WITH_RC4_40_MD5, RSA_EXPORT_WITH_DES40_CBC_SHA, RSA_WITH_NULL_MD5, RSA_WITH_NULL_SHA
domestic_mutual_tls | client/server | RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA, RSA_WITH_DES_CBC_SHA, RSA_EXPORT_WITH_RC4_40_MD5, RSA_EXPORT_WITH_DES40_CBC_SHA, RSA_WITH_NULL_MD5, RSA_WITH_NULL_SHA
domestic_tls | server | RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA, RSA_WITH_DES_CBC_SHA, RSA_EXPORT_WITH_RC4_40_MD5, RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_MD5, TLS_RSA_WITH_NULL_SHA
intl | server | RSA_EXPORT_WITH_RC4_40_MD5, RSA_EXPORT_WITH_DES40_CBC_SHA
intl_mutual | client/server | RSA_EXPORT_WITH_RC4_40_MD5, RSA_EXPORT_WITH_DES40_CBC_SHA
intl_mutual_tls | client/server | RSA_EXPORT_WITH_RC4_40_MD5, RSA_EXPORT_WITH_DES40_CBC_SHA
intl_tls | server | RSA_EXPORT_WITH_RC4_40_MD5, RSA_EXPORT_WITH_DES40_CBC_SHA
simple | server | RSA_WITH_NULL_MD5, RSA_WITH_NULL_SHA
simple_mutual | client/server | RSA_WITH_NULL_MD5, RSA_WITH_NULL_SHA
simple_tls | server | RSA_WITH_NULL_MD5, RSA_WITH_NULL_SHA
simple_mutual_tls | client/server | RSA_WITH_NULL_MD5, RSA_WITH_NULL_SHA
ssl_rsa_with_3des_ede_cbc_sha | server | rsa_with_3des_ede_cbc_sha
ssl_rsa_with_3des_ede_cbc_sha_mutual | client/server | rsa_with_3des_ede_cbc_sha
ssl_with_rc4_128_sha | server | rsa_with_rc4_128_sha
ssl_with_rc4_128_sha_mutual | client/server | rsa_with_rc4_128_sha
strong | server | RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA
strong_mutual | client/server | RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA
strong_tls | server | RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA
strong_mutual_tls | client/server | RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA
tls_rsa_with_3des_ede_cbc_sha | server | rsa_with_3des_ede_cbc_sha
tls_rsa_with_3des_ede_cbc_sha_mutual | client/server | rsa_with_3des_ede_cbc_sha
tls_rsa_with_aes_256_cbc_sha | server | rsa_with_aes_256_cbc_sha
tls_rsa_with_aes_256_cbc_sha_mutual | client/server | rsa_with_aes_256_cbc_sha
tls_rsa_with_aes_128_cbc_sha | server | rsa_with_aes_128_cbc_sha
tls_rsa_with_aes_128_cbc_sha_mutual | client/server | rsa_with_aes_128_cbc_sha
tls_rsa_with_des_cbc_sha | server | rsa_with_des_cbc_sha
tls_rsa_with_des_cbc_sha_mutual | client/server | rsa_with_des_cbc_sha
tls_rsa_with_rc4_128_sha | server | rsa_with_rc4_128_sha
tls_rsa_with_rc4_128_sha_mutual | client/server | rsa_with_rc4_128_sha
tls_rsa_export_with_rc4_40_md5 | server | rsa_export_with_rc4_40_md5
tls_rsa_export_with_rc4_40_md5_mutual | client/server | rsa_export_with_rc4_40_md5
Deleting a security profile

1. Right-click the profile entry you want to delete and select Delete.
2. Follow the wizard instructions to delete the security profile.