Chapter 11 Security Configuration Tasks


Configuring security profiles

Security profiles define the security characteristics of a client-EAServer session. You assign a security profile to a listener, which is a port that accepts client connection requests over various protocols. EAServer can support multiple listeners. Clients that support the same characteristics can communicate with EAServer through the port defined in the listener.

Each security profile has an associated security characteristic. A security characteristic is a name that has a set of CipherSuites associated with it. A security characteristic, along with the CipherSuites, defines these characteristics of a client/server connection:

For example, the CipherSuite SSL_RSA_WITH_NULL_MD5 can be interpreted as:

SSL - the protocol used. All profiles use SSL.

RSA - the key exchange algorithm used.

NULL - no encryption.

MD5 - the hash method used to compute the message digest.

Table 11-1 and Table 11-2 clarify the relationship between CipherSuite terminology and security characteristics.

Table 11-1: CipherSuite terms

Name              Defines                          Description
SSL               Protocol                         SSL protocol uses public-key encryption to establish
                                                   secure Internet communications.
RSA, DH_anon      Key exchange algorithm           RSA and DH (Diffie-Hellman) are public-key cryptography
                                                   systems, which define both authentication and encryption:
                                                     • RSA provides full encryption and authentication support.
                                                     • DH_anon provides only encryption support.
EXPORT            Suitable for export              Because of export regulations, some CipherSuites are not
                                                   suitable for export. Only CipherSuites that contain the
                                                   word EXPORT are suitable for international use.
NULL              No encryption                    Data is not encrypted.
DES, 3DES, DES40, Encryption algorithms            Key length in bits:
RC4_40, RC4_128                                      DES      56
                                                     3DES     168
                                                     DES40    40
                                                     RC4_40   40
                                                     RC4_128  128
                                                   The greater the key length, the greater the encryption
                                                   strength.
EDE, CBC          Encryption and decryption modes  CBC and EDE are modes by which DES algorithms are
                                                   encrypted and decrypted.
SHA, MD5          Hash function                    SHA and MD5 are hash methods used to compute the message
                                                   digest when generating a digital signature.

Note   Browsers do not support anonymous CipherSuites.

There are four categories of security characteristics:

Table 11-2 lists the name, the level of authentication, and the supported CipherSuites for each security characteristic.

Table 11-2: Security characteristics

Name of characteristic        Authenticates    CipherSuites
sybpks_simple                 server           SSL_RSA_WITH_NULL_SHA
                                               SSL_RSA_WITH_NULL_MD5
sybpks_simple_mutual_auth     client/server    SSL_RSA_WITH_NULL_SHA
                                               SSL_RSA_WITH_NULL_MD5
sybpks_strong                 server           SSL_RSA_WITH_3DES_EDE_CBC_SHA
                                               SSL_RSA_WITH_RC4_128_SHA
                                               SSL_RSA_WITH_RC4_128_MD5
sybpks_strong_mutual_auth     client/server    SSL_RSA_WITH_3DES_EDE_CBC_SHA
                                               SSL_RSA_WITH_RC4_128_SHA
                                               SSL_RSA_WITH_RC4_128_MD5
sybpks_intl                   server           SSL_RSA_EXPORT_WITH_RC4_40_MD5
                                               SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
                                               SSL_RSA_WITH_NULL_SHA
                                               SSL_RSA_WITH_NULL_MD5
sybpks_intl_mutual_auth       client/server    SSL_RSA_EXPORT_WITH_RC4_40_MD5
                                               SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
                                               SSL_RSA_WITH_NULL_SHA
                                               SSL_RSA_WITH_NULL_MD5
sybpks_domestic               server           SSL_RSA_WITH_3DES_EDE_CBC_SHA
                                               SSL_RSA_WITH_RC4_128_SHA
                                               SSL_RSA_WITH_RC4_128_MD5
                                               SSL_RSA_WITH_DES_CBC_SHA
                                               SSL_RSA_EXPORT_WITH_RC4_40_MD5
                                               SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
                                               SSL_RSA_WITH_NULL_SHA
                                               SSL_RSA_WITH_NULL_MD5
sybpks_domestic_mutual_auth   client/server    SSL_RSA_WITH_3DES_EDE_CBC_SHA
                                               SSL_RSA_WITH_RC4_128_SHA
                                               SSL_RSA_WITH_RC4_128_MD5
                                               SSL_RSA_WITH_DES_CBC_SHA
                                               SSL_RSA_EXPORT_WITH_RC4_40_MD5
                                               SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
                                               SSL_RSA_WITH_NULL_SHA
                                               SSL_RSA_WITH_NULL_MD5
sybpks_domestic_anon          none             SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
                                               SSL_DH_anon_WITH_RC4_128_MD5
                                               SSL_DH_anon_WITH_DES_CBC_SHA

The sybpks_domestic_anon characteristic is used for anonymous Diffie-Hellman communications. Neither the client nor the server is authenticated.
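As an added illustration (not code from the EAServer documentation or product), the following Python snippet parses CipherSuite names according to the term breakdown in Table 11-1 and then summarises, for each characteristic in Table 11-2, the weakest protection a listener assigned that characteristic could end up negotiating. The key lengths are those of Table 11-1; the name grammar is an assumption inferred from the suites listed on this page.

```python
import re

# Key lengths in bits from Table 11-1; NULL means the data is not encrypted.
KEY_BITS = {"NULL": 0, "DES": 56, "3DES": 168, "DES40": 40, "RC4_40": 40, "RC4_128": 128}

# Name grammar assumed from the suites on this page: SSL_<kx>[_EXPORT]_WITH_<cipher>[_<mode>]_<hash>
SUITE_RE = re.compile(
    r"^SSL_(?P<kx>RSA|DH_anon)(?P<export>_EXPORT)?_WITH_"
    r"(?P<cipher>NULL|3DES|DES40|DES|RC4_40|RC4_128)(?:_(?P<mode>EDE_CBC|CBC))?_(?P<hash>SHA|MD5)$")

def parse_suite(name):
    """Split a CipherSuite name into the terms of Table 11-1."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised CipherSuite name: {name}")
    return {
        "key_exchange": m["kx"],                  # RSA authenticates the server; DH_anon does not
        "export": m["export"] is not None,
        "cipher": m["cipher"],
        "key_bits": KEY_BITS[m["cipher"]],
        "mode": m["mode"],                        # EDE_CBC, CBC, or None (RC4 and NULL have no mode)
        "hash": m["hash"],
    }

# CipherSuites per security characteristic, copied from Table 11-2. The *_mutual_auth
# variants list the same suites; the client-certificate requirement is not in the name.
CHARACTERISTICS = {
    "sybpks_simple": ["SSL_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_NULL_MD5"],
    "sybpks_strong": ["SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA",
                      "SSL_RSA_WITH_RC4_128_MD5"],
    "sybpks_intl": ["SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
                    "SSL_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_NULL_MD5"],
    "sybpks_domestic": ["SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA",
                        "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_DES_CBC_SHA",
                        "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
                        "SSL_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_NULL_MD5"],
    "sybpks_domestic_anon": ["SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", "SSL_DH_anon_WITH_RC4_128_MD5",
                             "SSL_DH_anon_WITH_DES_CBC_SHA"],
}

def assess(characteristic):
    """Weakest guarantees a listener using this characteristic may end up negotiating."""
    suites = [parse_suite(n) for n in CHARACTERISTICS[characteristic]]
    return {
        "server_authenticated": all(s["key_exchange"] == "RSA" for s in suites),
        "allows_cleartext": any(s["key_bits"] == 0 for s in suites),
        "weakest_key_bits": min(s["key_bits"] for s in suites),
        "strongest_key_bits": max(s["key_bits"] for s in suites),
    }
```

Running assess over every entry shows that only sybpks_strong (and its mutual-auth twin) never admits a NULL-encryption suite, while sybpks_domestic, despite offering 168-bit 3DES, can also negotiate cleartext.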

Defining security profiles

This section describes how to create, modify, and delete a security profile. All of the configuration tasks require you to first access the Security Profiles folder. To do this, highlight the Security Profiles folder in Jaguar Manager.

See Table 11-3 when creating, modifying, or deleting a security profile.

Steps Creating a new security profile

  1. Select File | New Security Profile.
  2. Enter the name of the new security profile. Click Create New Security Profile.
  3. Complete the Security Profile sheet. Click Advanced to modify the default settings for the advanced SSL settings. Click Save. See "General, advanced, and Entrust profile properties" for a description of the security profile properties.

    If you are using an Entrust ID, select the Use Entrust check box. Click the Entrust Tab and provide the Entrust information required to access your Entrust ID.

The new security profile now appears on the right side of the window when the Security Profiles folder on the left side of the window is highlighted.


Steps Modifying an existing security profile

  1. Highlight the security profile you want to modify.
  2. Select File | Security Profile Properties.
  3. Modify the properties. Click Save when finished. See "General, advanced, and Entrust profile properties" for a description of the profile properties.

Steps Deleting a security profile

  1. Highlight the profile entry you want to delete.
  2. Select File | Delete Security Profile.

Table 11-3: General, advanced, and Entrust profile properties

Property                     Description and comments/example
Name                         The name you give to the security profile.
Description                  A description of the security profile.
Use Entrust                  Select this check box to use an Entrust ID instead of a certificate
                             contained in the Sybase PKCS #11 token. Selecting this check box
                             prevents access to the certificates contained in the Sybase token.
Security Characteristic      Select a name from the drop-down list of predefined security
                             characteristics to use for this profile. See Table 11-2 for a
                             description of security characteristics and the CipherSuites they
                             support.
Description                  A description of the selected security characteristic. Each security
                             characteristic comes with a description of its features.
Sybase PKCS #11 Token        From the drop-down list, select the certificate label you want to use
Certificate Label            for this security profile.
                             If you have not provided the PIN for the Sybase PKCS #11 token, you are
                             prompted for one. This is the same PIN that you enter to access
                             Security Manager.
                             If you are using an Entrust ID and have selected the Use Entrust check
                             box, this property does not appear.
                             See Chapter 12, "Managing Keys and Certificates" for more information
                             on certificates.
SSL Cache Size               The number of entries in the SSL session cache maintained by the
                             server. The default cache size is 30.
                             Note: SSL Cache Size, SSL Session Share, and SSL Session Linger are
                             advanced SSL parameters. They should be set only by someone who is
                             knowledgeable about SSL.
                             SSL reuses the previously negotiated security session parameters
                             across a number of short-lived connections, which results in a
                             relatively large performance gain over setting up a completely new
                             security session for each connection. When a security session is
                             reused, the client avoids a CPU-intensive encryption of the
                             premaster secret with the server's public key, and the server avoids
                             a CPU-intensive decryption of the premaster secret with its private
                             key. By configuring these parameters, you control SSL session
                             caching on the server side.
SSL Session Share            The number of concurrent users (sessions) that can simultaneously use
                             the same session entry (ID) in the session cache. The default session
                             share size is 10.
SSL Session Linger           The duration for which a session entry is kept in the SSL session
                             cache after the last SSL session using this session ID was closed. The
                             default session linger value is eight hours.
Set Defaults                 Select the Set Defaults check box to restore all of the advanced
                             settings to their default values.
Specify the Entrust INI File Enter the complete path to the Entrust initialization file. You can
                             use the browse feature to locate this file. For example, on Windows
                             NT, %SystemRoot%\entrust.ini.
Entrust User Profile         Enter the complete path to the Entrust user profile file. You can also
                             use the browse feature to locate this file. There is no default.
Entrust Password             The password for the Entrust login of this Entrust user profile.
Allow non-Entrust client     Select this check box to allow non-Entrust clients to connect to
                             listeners that use an Entrust ID.



Copyright © 2002 Sybase, Inc. All rights reserved.