DO NOT SHARE THESE DOCS WITH CUSTOMERS!
This is an LA release that will only be provided to a select number of PLM-sanctioned customers (PDFs only). Contact PLM for details.
In this section:
The SBC Core supports interfacing with the common certificate pool. The certificates used for HTTPS are exported from the database to the local disk space. The EMA TLS
profile enables the selection of a certificate from the pool. The All Perspective allows importing of new certificates. EMA provides a tool to support certificate upload. The Certificate Upload tool is available under PKI object (System > Security > PKI). Once this action item is selected, an external window is directed to the Certificate Upload Servlet. Two types of files, p12 and pem, are supported.
The SBC also supports SHA-256 for certificate verification.
The user may configure up to three client CA certifications (using separate 'set' commands) for an EMA TLS Profile.
PC Java Configuration supports TLS 1.0 only by default. When EmaTlsProfile v1_0 is disabled, the corresponding Java Configuration for TLS support must be enabled. See below example for Windows environment:
To enable TLS support in Windows:
The https
interfaces of Embedded Management Application (EMA) and Platform Mode (PM) are vulnerable to the BEAST attack. Secure Sockets Layer (SSL) BEAST attack affects only Transport Layer Security (TLS) version 1.0, and not the later versions. For further details, refer to the external link http://www.kb.cert.org/vuls/id/864643.
Generally, stream ciphers are not affected by the BEAST attack. However RC4 is the only stream cipher standardized for use with TLS 1.0, and its use is prohibited for TLS with the RFC7465 standards.
For the installation/upgrade process of SBC Core 6.0, the possible scenarios are as follows:
If the configuration of the EMA Tls Profile changes from the pre-6.0 defaults, the upgrade process does not attempts to apply the new defaults.
Enabling TLS 1.0 creates security risks, and is strongly advised against. To avoid security loopholes, upgrade to newer browser versions that supports TLS 1.1 and TLS 1.2. Disable TLS 1.0, and enable TLS 1.2 for protection against BEAST attacks.
On the SBC Core main screen, go to Configuration > System Provisioning > Security Configuration > Ema Tls Profile. The Ema Tls Profile window is displayed.
Security Configuration - Ema Tls Profile
To edit any of the Ema Tls Profile in the list, click the radio button next to the specific Ema Tls Profile name.
Security Configuration - Ema Tls Profile Highlighted
The Edit Selected Ema Tls Profile window is displayed below.
Security Configuration - Ema Tls Profile Edit Window
Make the required changes and click Save at the right hand bottom of the panel to save the changes made.
To create a new Ema Tls Profile, click New Ema Tls Profile tab on the Ema Tls Profile List panel.
Security Configuration - Ema Tls Profile Fields
The Create New Ema Tls Profile window is displayed.
You can create only one Ema Tls Profile. Once the entry is created, the
button disappears from the panel.Security Configuration - Ema Tls Profile Create Window
The following fields are displayed:
Ema Tls Profile Parameters
Parameter | Description |
---|---|
Name | Specifies the name of the EMA-TLS profile. |
Auth Client | If this field is set to true, the Ema-TLS client is forced to authenticate itself EMA-TLS. If this field is set
|
Server Cert Name | Specifies the name of the server certificate referred by this EMA-TLS profile. |
Ocsp Profile Name | Specifies the name of the OCSP profile referred by this TLS profile. |
V1_0 | TLS protocol version 1.0.
|
V1_1 | TLS protocol version 1.1.
|
V1_2 | TLS protocol version 1.2.
|
To delete any of the created Ema Tls Profile, click the radio button next to the specific Ema Tls Profile which you want to delete.
Security Configuration - Ema Tls Profile Highlighted
Click Delete at the end of the highlighted row. A delete confirmation message appears seeking your decision.
Security Configuration - Ema Tls Profile Delete Confirmation
Click OK to remove the specific Ema Tls Profile from the list.