Configuring security profiles

A security profile is used by an endpoint to define authentication and Transport Layer Security (TLS) settings for that endpoint. To enable TLS for the endpoint, you must enable TLS in the security profile and the security profile must have an associated certificate profile that defines the server certificate that is used to control TLS. To create a security profile with TLS enabled, you must create the certificate profile before you create the security profile. You can configure security profiles either by using the Amlen WebUI or by using REST Administration APIs.

You can configure the security profile to ensure that you comply with the NIST 800-131a requirements. For more information, see NIST 800-131a. For more information about security profiles and certificate profiles, see Transport Layer Security.

When you create a security profile, you must specify the following property:
  • Name
    Specifies the name that identifies the security profile.

    The name can be a maximum of 32 alphanumeric characters. The first character must not be a number.

You can also specify the following TLS properties. For more information about TLS, see Transport Layer Security.
  • TLSEnabled
    Specifies whether TLS is enabled on the endpoints that use the security profile. TLS is enabled by default.
    If you specify that TLS is enabled, you must first create a certificate profile to use with the security profile.
  • CertificateProfile
    Specifies an existing certificate profile to use with the security profile. You must specify a certificate profile if TLS is enabled in the security profile. The certificate profile is not used if TLS is disabled in the security profile.
  • MinimumProtocolMethod
    Specifies the lowest level of protocol that is allowed when a client connects to Eclipse Amlen.
    You can choose from the following levels:
    • TLS v1.0
    • TLS v1.1
    • TLS v1.2
  • Ciphers
    Specifies the encryption algorithm that is used by the security policy.
    You can choose from the following ciphers:
    • Best: The most secure cipher that is supported by the server and the client.
    • Fast: The fastest high security cipher that is supported by the server and the client.
    • Medium: The fastest medium or high security cipher that is supported by the server and the client.
  • UseClientCipher
    Specifies whether the client can determine the cipher to use when it connects to Eclipse Amlen. Only the ciphers that are supported by both client and server can be chosen. If Use Client Ciphers is specified, then the client selects the cipher that is used to connect to Eclipse Amlen. If Use Client Ciphers is not specified, then the server selects the cipher.
  • UseClientCertificate
    Specifies whether to use (true) or not use (false) client certificate authentication.
    This value can be true or false.
    If you are using a certificate revocation list, you must set this value to true.

You can also specify the following authentication properties:
  • UsePasswordAuthentication
    Specifies whether the client must have a valid user ID and password when it connects to Eclipse Amlen.
  • LTPAProfile
    Specifies an existing LTPA profile to use with the security profile.
    If you specify an LTPA profile, password authentication is automatically enabled.
    If you specify an LTPA profile, you cannot specify an OAuth profile in the same security profile.
  • OAuthProfile
    Specifies an existing OAuth profile to use with the security profile.
    If you specify an OAuth profile, password authentication is automatically enabled.
    If you specify an OAuth profile, you cannot specify an LTPA profile in the same security profile.
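
The rules above can be checked before a profile is submitted. The following Python sketch is an added example, not part of the Eclipse Amlen product or its documentation. The function name, the uses_crl flag, and the sample profile values are hypothetical, and the protocol level strings are the labels as they appear on this page.

```python
"""Pre-flight check of a security profile against the rules stated on this page."""
TLS_LEVELS = ("TLS v1.0", "TLS v1.1", "TLS v1.2")  # level labels as listed on this page
CIPHERS = ("Best", "Fast", "Medium")


def check_security_profile(name, props, uses_crl=False):
    """Return (errors, effective) for one profile.

    props is a dict keyed by the property names on this page. uses_crl is a
    hypothetical flag: True when a certificate revocation list is in use.
    """
    errors = []
    if not (name.isalnum() and len(name) <= 32):
        errors.append("Name: must be 1 to 32 alphanumeric characters")
    elif name[0].isdigit():
        errors.append("Name: first character must not be a number")

    tls = props.get("TLSEnabled", True)  # TLS is enabled by default
    cert = props.get("CertificateProfile")
    if tls and not cert:
        errors.append("CertificateProfile: required when TLS is enabled")
    for key, allowed in (("MinimumProtocolMethod", TLS_LEVELS), ("Ciphers", CIPHERS)):
        if key in props and props[key] not in allowed:
            errors.append("%s: %r is not one of %s" % (key, props[key], allowed))
    if uses_crl and props.get("UseClientCertificate") is not True:
        errors.append("UseClientCertificate: must be true when a CRL is used")

    ltpa, oauth = props.get("LTPAProfile"), props.get("OAuthProfile")
    if ltpa and oauth:
        errors.append("LTPAProfile and OAuthProfile cannot be in the same profile")
    effective = {
        "TLSEnabled": tls,
        # The certificate profile is not used when TLS is disabled.
        "CertificateProfile": cert if tls else None,
        # An LTPA or OAuth profile enables password authentication automatically;
        # None means the property was not set in props.
        "UsePasswordAuthentication": True if (ltpa or oauth)
        else props.get("UsePasswordAuthentication"),
    }
    return errors, effective


if __name__ == "__main__":
    # Constructed sample: TLS left at its default, but no certificate profile named.
    sample = {"MinimumProtocolMethod": "TLS v1.2", "Ciphers": "Best",
              "LTPAProfile": "CorpLTPA", "OAuthProfile": "CorpOAuth"}
    errs, eff = check_security_profile("9EdgeProfile", sample, uses_crl=True)
    print("\n".join(errs))
    print(eff)
```

Because TLS is enabled by default, a profile that omits both TLSEnabled and CertificateProfile is reported as incomplete.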

For more information about configuring security profiles by using the Amlen WebUI, see Configuring security profiles by using the Amlen WebUI.

For more information about configuring security profiles by using REST Administration APIs, see Creating and updating a security profile by using REST Administration APIs.