Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Add_workflow_for_techpubs
AUTH1UserResourceIdentifier{userKey=8a00a0c880e94aad0181077fa2530009, userName='null'}
JIRAIDAUTHSBX-122871131004
REV5UserResourceIdentifier{userKey=8a00a02355cd1c2f0155cd26cb8305e98a00a02355cd1c2f0155cd26cd5909df, userName='null'}
REV6UserResourceIdentifier{userKey=8a00a02355cd1c2f0155cd26cb8305e98a00a02355cd1c2f0155cd26cd5909df, userName='null'}
REV3UserResourceIdentifier{userKey=8a00a0c86573c09001659db4327e00188a00a0c880e94aad0181077fa2530009, userName='null'}
REV1UserResourceIdentifier{userKey=8a00a0c86268f97a01627564e14800178a00a0c880e94aad0181077fa2530009, userName='null'}

The The 

Spacevars
0product
EMA is enhanced to interface with the common certificate pool using the EMA TLS Profile. The certificates used for HTTPS are exported from the database to the local disk space, and then the EMA TLS Profile facilitates selecting a certificate from the pool and uploading it to the EMA. Two types of files are supported: p12 and pem, . The SBC supports SHA-256 for certificate verification.

You can configure only one EMA TLS Profile at any given time.

Excerpt Include
_OneCertificateSupport
_OneCertificateSupport
nopaneltrue

Note

You can configure up to three 20 client CA certifications (using separate 'set' commands) for an EMA TLS Profile.


Warning

PC Java Configuration supports TLS 1.0 only by default. When you disable EmaTlsProfile v1_0, enable the corresponding Java Configuration for TLS support. See the example below for the Windows environment.


Note

After configuring servercert and clientCACert in EmaTlsProfile, an appropriate value must be configured for clientAuthMethod in OAM > EMA to enable client SSL verification.

To enable TLS support in Windows:

  1. Click Start and enter "Java Control Panel" in the Search field.
  2. Launch the Java Control Panel program.
  3. From the Java Control Panel, select Advanced tab.
  4. Check both "Use TLS 1.1" and "Use TLS 1.2" options under Advanced Security Settings section, and click Apply.
  5. Restart your browser for the changes to take effect.

Command Syntax

Code Block
languagenone
% set profiles security EmaTlsProfile <EMA TLS profile name>
	ClientCaCert <CA certificate name>
	authClient <false | true>
	ocspProfileName <OCSP profile name>
	serverCertName <server certificate>
	v1_0 <disabled | enabled>
	v1_1 <disabled | enabled>
	v1_2 <disabled | enabled>
	ciphersuite <ciphersuite name>

% show profiles security EmaTlsProfile <EMA TLS profile name> ClientCaCert <CA certificate name>
% delete profiles security EmaTlsProfile <EMA TLS profile name> ClientCaCert <CA certificate name>

% show profiles security EmaTlsProfile <EMA TLS profile name> ciphersuite <ciphersuite name>
% delete profiles security EmaTlsProfile <EMA TLS profile name> ciphersuite <ciphersuite name>

Command Parameters

The EMA TLS Profile parameters are as shown below:


ParameterLength/RangeDescription
<EMA TLS Profile name>1-23 characters

The name of the EMA TLS Profile. 

Note: You can configure only one EMA TLS Profile at any given time.

ClientCaCertN/AThe name of the EMA-CA certificate associated with this EMA-TLS profile.
authClientN/A


Set flag to "true" to force the EMA-TLS client to authenticate itself within TLS. 

  • false
  • true (default)
ocspProfileNameN/A The name of the OCSP profile associated with this EMA-TLS profile.
serverCertNameN/A The name of the server certificate associated with this EMA-TLS profile.
v1_0N/A

TLS protocol version 1.0

  • disabled (default)
  • enabled
v1_1N/A

TLS protocol version 1.1

  • disabled (default)
  • enabled
v1_2N/A

TLS protocol version 1.2

  • disabled
  • enabled (default)
ciphersuite N/AThe EMA TLS Ciphersuite choice for this profile. See Supported ciphersuites for the list of supported ciphersuites.

Anchor
Supportedciphersuites
Supportedciphersuites
Supported ciphersuites

The following 12 SSL ciphersuites are supported initially in this feature. This list may change in the future based on requirements.

Caption
0Table
1List of Supported CipherSuites in EMA TLS Profile


CiphersuiteOpenSSL representationVersionKxAuEncMacUsed in SBC Common Criteria Mode
AES128-SHAAES128-SHASSLv3RSARSAAES(128)SHA1Yes
AES256-SHAAES256-SHASSLv3RSARSAAES(256)SHA1Yes
AES128-SHA256AES128-SHA256TLSv1.2RSARSAAES(128)SHA256Yes
AES256-SHA256AES256-SHA256TLSv1.2RSARSAAES(256)SHA256Yes
ECDHE-RSA-AES128-SHAECDHE-RSA-AES128-SHATLSv1ECDHRSAAES(128)SHA1

Yes

ECDHE-RSA-AES128-SHA256ECDHE-RSA-AES128-SHA256TLSv1.2ECDHRSAAES(128)SHA256No
ECDHE-RSA-AES128-GCM-SHA256ECDHE-RSA-AES128-GCM-SHA256TLSv1.2ECDHRSAAESGCM(128)AEADYes
ECDHE-RSA-AES256-SHAECDHE-RSA-AES256-SHATLSv1ECDHRSAAES(256)SHA1No
ECDHE-RSA-AES256-SHA384ECDHE-RSA-AES256-SHA384TLSv1.2ECDHRSAAES(256)SHA384Yes
ECDHE-RSA-AES256-GCM-SHA384ECDHE-RSA-AES256-GCM-SHA384TLSv1.2ECDHRSAAESGCM(256)AEADYes
AES128-GCM-SHA256AES128-GCM-SHA256TLSv1.2RSARSAAESGCM(128)AEADYes
AES256-GCM-SHA384AES256-GCM-SHA384TLSv1.2RSARSAAESGCM(256)AEAD

Yes



Command Example

Code Block
languagenone
% show profiles security EmaTlsProfile
EmaTlsProfile defaultEmaTlsProfile {
    authClient     true;
    serverCertName defaultSBCCert;
    v1_0           disabled;
    v1_1           disabled;
    v1_2           enabled;
	ciphersuite AES128-GCM-SHA256
}