SSL Sections, SSL Options – HP Secure Key Manager User Manual

Page 165


In this scenario, the client application indicates that it is willing to perform an SSL resume (rather than a full handshake) by sending a previously negotiated session ID in the CLIENT-HELLO message. The SKM checks whether it still holds the cached session state (the session's key material) for that session ID. If so, it acknowledges that it is willing to resume the session by returning the same session ID in the SERVER-HELLO message. Otherwise, the SKM responds with a new session ID and the two sides perform a full handshake.

SSL Session Timeout

All SSL sessions stored in the SKM's session cache have an expiration period, typically two hours, measured from the time the session is first established (not from its last use). This means the SKM accepts a session resume request for at most two hours after the session is first established. Consequently, every client application must negotiate fresh session key material at least once every two hours. This limits the amount of information protected by a particular session's keys: an attacker who manages to recover those keys obtains only the information exchanged during that two-hour window. The SSL session timeout on the SKM is configured on the SSL Configuration page, as described later in this chapter.
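The resume decision and the expiry rule from the two sections above, modelled as an added example (this is not code from the HP manual or from the SKM firmware; the class and function names, the 32-byte session IDs and the fake clock are assumptions made for illustration). On each CLIENT-HELLO the server looks the offered session ID up in its cache; a hit that is still inside the timeout is answered with the same ID, anything else gets a fresh ID and a full handshake. The expiry is deliberately measured from first establishment, so a client that resumes frequently is still forced through a full handshake at the two-hour mark.

```python
"""Model of the SKM's session-cache decision on a ClientHello (added example,
not the manual's or the product's own code).  Names are hypothetical."""
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

SESSION_TIMEOUT_SECONDS = 2 * 60 * 60   # the manual's typical two-hour window


@dataclass
class CachedSession:
    master_secret: bytes   # what a resumed connection reuses; per-connection keys are derived from it
    created_at: float      # expiry is measured from FIRST establishment, never refreshed on resume


@dataclass
class ClientHello:
    session_id: bytes = b""   # empty: the client asks for a full handshake


@dataclass
class ServerHello:
    session_id: bytes
    resumed: bool


class SessionCache:
    def __init__(self, timeout: float = SESSION_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.timeout = timeout
        self.clock = clock          # injectable so the demo can fast-forward time
        self._sessions: Dict[bytes, CachedSession] = {}

    def _purge_expired(self) -> None:
        now = self.clock()
        stale = [sid for sid, s in self._sessions.items() if now - s.created_at >= self.timeout]
        for sid in stale:
            del self._sessions[sid]

    def handle_client_hello(self, hello: ClientHello) -> ServerHello:
        self._purge_expired()
        if hello.session_id and hello.session_id in self._sessions:
            # Known, unexpired session: acknowledge the resume by echoing the same ID.
            return ServerHello(session_id=hello.session_id, resumed=True)
        # Unknown, expired or absent ID: full handshake under a new session ID.
        sid = os.urandom(32)   # SSL/TLS session IDs are at most 32 bytes
        self._sessions[sid] = CachedSession(master_secret=os.urandom(48),
                                            created_at=self.clock())
        return ServerHello(session_id=sid, resumed=False)


def demo(timeout: float = SESSION_TIMEOUT_SECONDS) -> Tuple[ServerHello, ServerHello, ServerHello]:
    """Three ClientHellos against one cache driven by a constructed clock:
    full handshake, a resume one hour later, and a refused resume past the timeout."""
    now = [1_700_000_000.0]         # constructed epoch time, advanced by hand
    cache = SessionCache(timeout=timeout, clock=lambda: now[0])
    first = cache.handle_client_hello(ClientHello())
    now[0] += 3600                  # +1h: still inside the two-hour window
    second = cache.handle_client_hello(ClientHello(first.session_id))
    now[0] += 3601                  # +2h 1s since establishment: entry is purged
    third = cache.handle_client_hello(ClientHello(first.session_id))
    return first, second, third


if __name__ == "__main__":
    for label, hello in zip(("full", "resume", "expired"), demo()):
        print(f"{label:8s} resumed={hello.resumed} session_id={hello.session_id.hex()[:16]}...")
```

The point to take from the model is that the second resume is refused even though the session was used an hour earlier: the timer runs from `created_at`, which is set once at establishment, and that is what bounds the data protected under one master secret to a two-hour window.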

SSL Certificate Management on the SKM

Certificates are used to authenticate one entity to another. This authentication takes place during the SSL handshake protocol. Certificates are issued by Certification Authorities (CAs) such as VeriSign, Entrust, Thawte, and others. The SKM is equipped with CA capabilities, and can issue certificates for all your applications.

When establishing an SSL connection with a client, you can require that the client authenticate itself to the SKM by presenting a certificate. Because the SKM can issue certificates to applications and databases, there is no need for you to use a public CA such as VeriSign to issue these certificates. You can generate these certificates on the SKM.

The HP CA is managed on the CA Certificates page. To issue certificates for your applications, you must first create a local CA on the SKM. This local CA is then used to issue certificates for all your applications. Local certificates issued by the HP CA are only valid for authenticating to the SKM.

SSL Sections

The SSL Configuration page enables you to manage your SSL settings. This page contains the following

SSL-related sections:

SSL Options
SSL Cipher Order

SSL Options

Use this section to view and modify SSL settings. These settings affect the KMS Server's communication with client applications and databases when SSL is enabled. They also affect all connections to the web-based Management Console.

By default, applications using SSL 2.0 (an older version of SSL) are not allowed to connect to the KMS Server. SSL 2.0 has well-known protocol weaknesses (among them a weak MAC construction, cipher-suite rollback and truncation attacks), so leave it disabled. SSL 3.0 has also been shown to be insecure (the POODLE padding-oracle attack) and TLS 1.0 has since been deprecated; where the firmware offers newer TLS versions, prefer them and disable the older protocols once you have confirmed that your clients support the newer ones.

NOTE: FIPS-compliant devices cannot use the default SSL configuration. On those devices, you must enable TLS 1.0 and disable SSL 2.0 and 3.0.

IMPORTANT: Some web browsers, including Internet Explorer 6.0, do not have TLS 1.0 enabled by default. If you disable SSL 2.0 and 3.0, please check first that your browser has TLS 1.0 enabled. (In Internet Explorer, select Internet Options from the Tools menu, click the Advanced tab, scroll down to the Security section, and make sure the "Use TLS 1.0" checkbox is checked.)
