SSL Session Timeout, SSL Certificate Management on the SKM, SSL Sections – HP Secure Key Manager User Manual

Page 181: SSL Options


SSL Session Timeout

All SSL sessions stored in the SKM's session cache have an expiration period, typically two hours.
This means the SKM accepts a session resume request for at most two hours after the session is first
established. Consequently, every client application must renegotiate a session key at least once every
two hours. This limits the amount of information encrypted with a particular session key, so an
attacker who is able to deduce a session key would obtain only the information exchanged during a
two-hour window. The SSL session timeout on the SKM is configured on the SSL Configuration page,
as described later in this chapter.

SSL Certificate Management on the SKM

Certificates are used to authenticate one entity to another. This authentication takes place during the
SSL handshake protocol. Certificates are issued by Certification Authorities (CAs) such as VeriSign,
Entrust, Thawte, and others. The SKM is equipped with CA capabilities and can issue certificates for
all your applications.

When establishing an SSL connection with a client, you can require that the client authenticate itself
to the SKM by presenting a certificate. Because the SKM can issue certificates to applications and
databases, there is no need for you to use a public CA such as VeriSign to issue these certificates.
You can generate these certificates on the SKM.

The HP CA is managed on the CA Certificates page. To issue certificates for your applications, you
must first create a local CA on the SKM. This local CA is then used to issue certificates for all your
applications. Local certificates issued by the HP CA are only valid for authenticating to the SKM.

SSL Sections

The SSL Configuration page enables you to manage your SSL settings. This page contains the following
SSL-related sections:

SSL Options
SSL Cipher Order

SSL Options

Use this section to view and modify SSL settings. These settings affect the KMS Server's communication
with client applications and databases when SSL is enabled. These settings also affect all connections
to the web-based Management Console.

By default, applications using SSL 2.0 (an older version of SSL) are not allowed to connect to the KMS
Server. SSL 2.0 is known to have some security vulnerabilities.

NOTE: FIPS-compliant devices cannot use the default SSL configuration. On those devices, you must enable
TLS 1.0 and disable SSL 2.0 and 3.0.
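The session-timeout rule described earlier in this chapter and the protocol rules in the note above can be checked mechanically. The following is an added example, not HP's code or part of the SKM: `SkmSslOptions` is a hypothetical model of the SSL Options settings (field names assumed), `audit_ssl_options` flags configurations that violate the rules stated on this page, and `client_context` builds a Python client context with the same protocol floor that verifies the SKM against its local CA and offers a client certificate (the PEM paths are assumed arguments).

```python
from __future__ import annotations
import ssl
from dataclasses import dataclass

TWO_HOURS = 2 * 60 * 60  # the SKM's typical session-cache expiry, in seconds

@dataclass
class SkmSslOptions:
    """Hypothetical model of the SKM 'SSL Options' section (field names assumed)."""
    ssl2_enabled: bool
    ssl3_enabled: bool
    tls1_enabled: bool
    fips_compliant: bool
    session_timeout_seconds: int

def audit_ssl_options(opts: SkmSslOptions) -> list[str]:
    """Return findings where the options violate the rules stated in the manual."""
    findings = []
    if opts.ssl2_enabled:
        findings.append("SSL 2.0 enabled: disallowed by default, known to be weak")
    if opts.fips_compliant and opts.ssl3_enabled:
        findings.append("FIPS device: SSL 3.0 must be disabled")
    if opts.fips_compliant and not opts.tls1_enabled:
        findings.append("FIPS device: TLS 1.0 must be enabled")
    if opts.session_timeout_seconds > TWO_HOURS:
        findings.append("session timeout above two hours widens exposure per session key")
    return findings

def client_context(local_ca_pem: str | None = None, client_cert_pem: str | None = None,
                   client_key_pem: str | None = None) -> ssl.SSLContext:
    """Client context mirroring the SKM policy: SSL 3.0 off (Python clears SSL 2.0/3.0
    by default), TLS 1.0 floor, the SKM's certificate verified against the local CA,
    and a client certificate offered because the SKM may require one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if ssl.HAS_TLSv1:  # newer OpenSSL builds may omit TLS 1.0 entirely
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    if local_ca_pem:
        ctx.load_verify_locations(cafile=local_ca_pem)
    if client_cert_pem:
        ctx.load_cert_chain(certfile=client_cert_pem, keyfile=client_key_pem)
    return ctx

def context_policy(ctx: ssl.SSLContext) -> dict[str, bool]:
    """Summarise whether a context meets the manual's protocol rules."""
    return {
        "ssl3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "server_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "tls1_floor": (not ssl.HAS_TLSv1) or ctx.minimum_version == ssl.TLSVersion.TLSv1,
    }
```

The audit only encodes what this page states: outside FIPS mode, SSL 3.0 and TLS 1.0 settings are left to the administrator and produce no finding.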
