The SBC Core supports interfacing with the common certificate pool. The certificates used for HTTPS are exported from the database to the local disk space. The EMA TLS profile enables the selection of a certificate from the pool. The All Perspective allows importing of new certificates. EMA provides a tool to support certificate upload. The Certificate Upload tool is available under PKI object (System > Security > PKI). Once this action item is selected, an external window is directed to the Certificate Upload Servlet. Two types of files, p12 and pem, are supported.

The SBC also supports SHA-256 for certificate verification.


The SBC supports only one certificate in a local or remote certificate file. For example, a p12 certificate file can contain one local certificate and its privacy key.

The user may configure up to three client CA certifications (using separate 'set' commands) for an EMA TLS Profile.


Note
Ribbon recommends using the highest TLS version supported by both the SBC and the peer equipment.

PC Java Configuration supports TLS 1.0 only by default. When EmaTlsProfile v1_0 is disabled, the corresponding Java Configuration for TLS support must be enabled. See below example for Windows environment:

After configuring servercert and clientCACert in EmaTlsProfile, an appropriate value must be configured for clientAuthMethod in OAM > EMA to enable client SSL verification.

To enable TLS support in Windows:

  1. Click Start and enter "Java Control Panel" in the Search field.
  2. Launch the Java Control Panel program.
  3. From the Java Control Panel, select Advanced tab.
  4. Verify that the "Use TLS 1.2", and "Use TLS 1.3" options under Advanced Security Settings section are checked, and click Apply.
  5. Restart your browser for the changes to take effect.


Caution

The https interfaces of Embedded Management Application (EMA) and Platform Mode (PM) are vulnerable to the BEAST attack. The Secure Sockets Layer (SSL) BEAST attack affects only Transport Layer Security (TLS) version 1.0, not later versions.  For further details, refer to the external link: https://www.kb.cert.org/vuls/id/864643.

Stream ciphers are generally not affected by the BEAST attack. However, RC4 is the only stream cipher standardized for use with TLS 1.0, and its use is prohibited for TLS with the RFC7465 standards.

For the installation/upgrade process of SBC Core, the possible scenarios are as follows:

  • If the TLS 1.0, 1.1, 1.2, and 1.3 defaults are set, then TLS 1.0 is disabled in the default PM/EMA Tls profile.
  • If the defaults for TLS 1.0, 1.1, 1.2, and 1.3 are not set, the user-provided configuration is preserved.

If the EMA TLS Profile configuration changes from the pre-installation/upgrade defaults, the upgrade process does not attempt to apply the new defaults.Enabling TLS 1.0 creates security risks and is strongly advised against. Upgrade to newer browser versions that support TLS 1.1, TLS 1.2, and TLS 1.3 to avoid security loopholes. Disable TLS 1.0

Warning

Enabling TLS 1.0 creates security risks, and is strongly advised against. Upgrade to newer browser versions that support TLS 1.1, TLS 1.2, and TLS 1.3 to avoid security loopholes. Disable TLS 1.0, and enable TLS 1.3 for protection against BEAST attacks.

To View Ema TLS Profile

On the SBC Core main screen, choose a path:

  • All Profiles > Security > Ema TLS Profile
  • Configuration > Security Configuration > Ema TLS Profile
  • Configuration > Profile Managment > Security Profiles > Ema TLS Profile

 The Ema TLS Profile window is displayed.

To Edit Ema TLS Profile

To edit any of the Ema TLS Profile in the list, click the radio button next to the specific Ema TLS Profile name.

The Edit Selected Ema TLS Profile window is displayed below.

Make the required changes and click Save.

To Create Ema TLS Profile

Note

You can create only one Ema TLS Profile.

Once the entry is created, the Create New Ema TLS Profile button disappears from the panel.

To create a new Ema TLS Profile, click New Ema TLS Profile tab on the Ema TLS Profile List panel.

The Create New Ema TLS Profile window is displayed.

Ema TLS Profile Parameters:

ParameterDescription
NameSpecifies the name of the EMA-TLS profile. 
Auth Client

If this field is set to true, the Ema-TLS client is forced to authenticate itself EMA-TLS. The options are:

  • False
  • True (default)
Server Cert NameSpecifies the name of the server certificate referred by this EMA-TLS profile. 
Ocsp Profile NameSpecifies the name of the OCSP profile referred by this TLS profile. 
V1_0

TLS protocol version 1.0.

  • Disabled (default) 
  • Enabled 
V1_1

TLS protocol version 1.1.

  • Disabled (default)
  • Enabled
V1_2

TLS protocol version 1.2.

  • Disabled 
  • Enabled  (default) 
V1_3

TLS protocol version 1.3.

  • Disabled 
  • Enabled (default)

To Delete Ema TLS Profile

To delete any of the created Ema TLS Profile, click the radio button next to the specific Ema TLS Profile.

Click Delete at the end of the highlighted row. A delete confirmation message appears seeking your decision.

Click OK to remove the specific Ema TLS Profile from the list.