
Chapter 5 Security Configuration
Security profiles
Security profiles define the security characteristics of a
client-Jaguar session. You assign a security profile to a listener,
which is a port that accepts client connection requests of various
protocols. A Jaguar server can support multiple listeners. Clients
that support the same characteristics can communicate with Jaguar
via the port defined in the listener.
Each security profile has an associated security characteristic.
A security characteristic is a name that has a set of CipherSuites
associated with it. A security characteristic, along with the CipherSuites,
defines these characteristics of a client/server connection:
- Protocol - all profiles use SSL version 3 as the underlying protocol. IIOPS and HTTPS traffic is tunneled through SSL.
- Authentication - whether or not authentication is used. Profiles can support:
  - No authentication - neither client nor server need to provide a certificate for authentication.
  - Server authentication - only the server needs to provide a certificate to be accepted or rejected by the client.
  - Client and server authentication - both the client and server supply certificates to be accepted or rejected by the other.
- Encryption strength and method - whether or not data is encrypted, and if so, the key strength and method of the encryption.
- International use - all CipherSuites are available domestically, but not all are suitable for export outside of the United States and Canada.
- Hashing method - the method used to create the message digest.
For example, the CipherSuite SSL_RSA_WITH_NULL_MD5 can be interpreted as:
- SSL - the protocol used. All profiles use SSL.
- RSA - the key exchange algorithm used.
- NULL - no encryption.
- MD5 - the hash method used to compute the message digest.
Table 5-3 and Table 5-4 clarify the relationship
between CipherSuite terminology and security characteristics.
Table 5-3: CipherSuite terms

| Name | Defines | Description |
|---|---|---|
| SSL | Protocol | SSL (Secure Sockets Layer) protocol uses public-key encryption to establish secure Internet communications. |
| RSA, DH_anon | Key exchange algorithm | RSA and DH (Diffie-Hellman) are public-key cryptography systems, which define both authentication and encryption: RSA provides full encryption and authentication support; DH_anon provides only encryption support. |
| EXPORT | Suitable for export | Because of export regulations, some CipherSuites are not suitable for export. Only CipherSuites that contain the word EXPORT are suitable for international use. |
| NULL | No encryption | Data is not encrypted. |
| DES, 3DES, DES40, RC4_40, RC4_128 | Encryption algorithms | Key length by system: DES 56, 3DES 168, DES40 40, RC4_40 40, RC4_128 128. The greater the key length, the greater the encryption strength. |
| EDE, CBC | Encryption and decryption modes | CBC and EDE are modes by which DES algorithms are encrypted and decrypted. |
| SHA, MD5 | Hash function | SHA and MD5 are hash methods used to compute the message digest when generating a digital signature. |

Browsers do not support anonymous CipherSuites.
There are four categories of security characteristics:
- Simple - the predefined characteristics sybpks_simple and sybpks_simple_mutual_auth offer authentication but no encryption.
- Strong - the predefined characteristics sybpks_strong and sybpks_strong_mutual_auth offer greater domestic encryption strength.
- Domestic - all characteristics are suitable for domestic use. Clients using international CipherSuites can connect to servers using domestic security characteristics.
- International - because of export regulations, only these characteristics are suitable for export:
  - sybpks_simple
  - sybpks_simple_mutual_auth
  - sybpks_intl
  - sybpks_intl_mutual_auth
Table 5-4 lists
the name, the level of authentication, and the supported CipherSuites
for each security characteristic.
Table 5-4: Security characteristics

| Name of characteristic | Authenticates | CipherSuites |
|---|---|---|
| sybpks_simple | server | SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5 |
| sybpks_simple_mutual_auth | client/server | SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5 |
| sybpks_strong | server | SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5 |
| sybpks_strong_mutual_auth | client/server | SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5 |
| sybpks_intl | server | SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5 |
| sybpks_intl_mutual_auth | client/server | SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5 |
| sybpks_domestic | server | SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5 |
| sybpks_domestic_mutual_auth | client/server | SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5 |
| sybpks_domestic_anon | none | SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_DES_CBC_SHA. The sybpks_domestic_anon profile is used for anonymous Diffie-Hellman communications. Neither the client nor the server is authenticated. |

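As an added example (not part of the Jaguar documentation), the Python code below splits CipherSuite names into the terms of Table 5-3 and then summarises what each security characteristic in Table 5-4 accepts. The names `parse_suite`, `summarise` and the grouping of the suite lists are assumptions made for illustration.

```python
import re

# Key lengths in bits, copied from Table 5-3 (NULL = data is not encrypted).
KEY_BITS = {"NULL": 0, "DES40": 40, "RC4_40": 40, "DES": 56, "RC4_128": 128, "3DES": 168}

SUITE_RE = re.compile(
    r"^SSL_(?P<kx>RSA|DH_anon)(?P<export>_EXPORT)?_WITH_"
    r"(?P<cipher>NULL|3DES|DES40|DES|RC4_40|RC4_128)"
    r"(?:_(?P<mode>EDE_CBC|CBC))?_(?P<hash>SHA|MD5)$"
)

# Table 5-4, written as shared groups; each *_mutual_auth name reuses its base list.
NULLS = ["SSL_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_NULL_MD5"]
STRONG = ["SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA",
          "SSL_RSA_WITH_RC4_128_MD5"]
INTL = ["SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"] + NULLS
ANON = ["SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", "SSL_DH_anon_WITH_RC4_128_MD5",
        "SSL_DH_anon_WITH_DES_CBC_SHA"]
CHARACTERISTICS = {
    "sybpks_simple": NULLS,
    "sybpks_strong": STRONG,
    "sybpks_intl": INTL,
    "sybpks_domestic": STRONG + ["SSL_RSA_WITH_DES_CBC_SHA"] + INTL,
    "sybpks_domestic_anon": ANON,
}


def parse_suite(name):
    """Split a CipherSuite name into the terms defined in Table 5-3."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised CipherSuite name: {name!r}")
    return {"key_exchange": m["kx"], "export": m["export"] is not None,
            "cipher": m["cipher"], "key_bits": KEY_BITS[m["cipher"]],
            "mode": m["mode"], "hash": m["hash"]}


def summarise(characteristic):
    """Summarise what a listener using this security characteristic accepts."""
    base = characteristic.replace("_mutual_auth", "")
    suites = [parse_suite(s) for s in CHARACTERISTICS[base]]
    bits = [s["key_bits"] for s in suites]
    return {"min_key_bits": min(bits), "max_key_bits": max(bits),
            "allows_unencrypted": 0 in bits,
            "allows_export_suites": any(s["export"] for s in suites),
            "anonymous": all(s["key_exchange"] == "DH_anon" for s in suites)}


if __name__ == "__main__":
    for name in CHARACTERISTICS:
        print(name, summarise(name))
```

The summary makes visible that sybpks_domestic and sybpks_domestic_mutual_auth list the NULL and 40-bit EXPORT suites alongside 3DES, whereas the sybpks_strong characteristics list nothing below 128 bits.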
Configuring security profiles
This section describes how to create, modify, and delete a
security profile. All of the configuration tasks require you to
first access the Security Profiles folder. To do this, highlight
the Security Profiles folder from Jaguar Manager.
See Table 5-5 when creating, modifying,
or deleting a security profile.
To create a new security profile:
- Select File | New Security Profile.
- Enter the name of the new security profile. Click Create New Security Profile.
- Complete the Security Profile sheet. Click Advanced to modify the default settings for the advanced SSL settings. Click Save. See "General, advanced, and Entrust profile properties" for a description of the security profile properties.
  If you are using an Entrust ID, select the Use Entrust check box. Click the Entrust tab and provide the Entrust information required to access your Entrust ID.

The new security profile now appears on the right side of the window when the Security Profiles folder on the left side of the window is highlighted.

To modify an existing security profile:
- Highlight the security profile you want to modify.
- Select File | Security Profile Properties.
- Modify the properties. Click Save when finished. See "General, advanced, and Entrust profile properties" for a description of the profile properties.

To delete a security profile:
- Highlight the profile entry you want to delete.
- Select File | Delete Security Profile.

Table 5-5: General, advanced, and Entrust profile properties

| Property | Description | Comments/example |
|---|---|---|
| Name | The name you give to the security profile. | |
| Description | A description of the security profile. | |
| Use Entrust | Select this check box to use an Entrust ID instead of a certificate contained in the Sybase PKCS #11 token. | Selecting this check box prevents access to the certificates contained in the Sybase token. |
| Security Characteristic | Select a name from the drop-down list of predefined security characteristics to use for this profile. | See Table 5-4 for a description of security characteristics and the CipherSuites they support. |
| Description | A description of the selected security characteristic. | Each security characteristic comes with a description of its features. |
| Sybase PKCS #11 Token Certificate Label | From the drop-down list, select the certificate label you want to use for this security profile. If you have not provided the PIN for the Sybase PKCS #11 token, you will be prompted for one. This is the same PIN that you enter to access Security Manager. | If you are using an Entrust ID and click the Use Entrust check box, this property does not appear. See "Certificate management" for more information on certificates. |
| SSL Cache Size | Specifies the number of entries in the SSL session cache maintained by the server. The default cache size is 30. | These are advanced SSL parameters. They should be set only by someone who is knowledgeable about SSL. SSL reuses the previously negotiated security session parameters in a number of short-lived connections, which results in a relatively large performance gain over setting up completely new security sessions for each connection. When a security session is reused, clients avoid a CPU-intensive encryption of the premaster-secret using the server's public key. Similarly, servers avoid a CPU-intensive decryption of the premaster-secret using their private key. By configuring these parameters, you can control SSL caching on the server side. |
| SSL Session Share | Specifies the number of concurrent users (sessions) that can simultaneously use the same session entry (ID) in the session cache. The default session share size is 10. | |
| SSL Session Linger | Specifies the duration for which a session entry is kept in the SSL session cache after the last SSL session using this session ID was closed. The default session linger is eight hours. | |
| Set Defaults | Select the Set Defaults check box to restore all of the advanced settings to their default levels. | |
| Specify the Entrust INI File | Enter the complete path to the Entrust initialization file. | You can also use the browse feature to locate this file. For example, on Windows NT: %SystemRoot%\entrust.ini |
| Entrust User Profile | Enter the complete path to the Entrust user profile file. | You can also use the browse feature to locate this file. There is no default. |
| Entrust Password | The password to the Entrust login for this Entrust user profile. | |
| Allow non-Entrust client | Click this check box to allow non-Entrust clients to connect to listeners that use an Entrust ID. | |

Copyright © 2000 Sybase, Inc. All rights reserved.