Transport Layer Security

As an administrator, you can use certificate profiles and security profiles to configure Transport Layer Security (TLS) for Eclipse Amlen endpoints.

TLS is controlled by the security profile that is associated with an endpoint. A security profile defines the security operations that are applied to a message flow. If TLS is enabled, the security profile must have an associated certificate profile that defines the server certificate to use. Server certificates protect against impersonation, certifying that a public key belongs to a specified entity.

You can also disable TLS in a security profile. You might consider disabling TLS for communication that occurs behind a firewall. For example, if TLS traffic is managed by load balancers, you might choose to disable TLS for communication between the load balancers and Eclipse Amlen. Disabling TLS can lead to improved performance in Eclipse Amlen when TLS is already operating on communication outside the firewall. For more information about enabling and disabling TLS in Eclipse Amlen, see Configuring security profiles.

TLS can be configured within an endpoint if the endpoint specifies a security profile. Endpoints are associated with message hubs and control how clients can connect to Eclipse Amlen. Each endpoint can specify a security profile. The security profile determines the client authentication method and whether TLS is used. If TLS is enabled, then the TLS configuration settings in the security profile are used.

Configuring certificates

What is a certificate? Certificates can be called public key certificates, digital certificates or identity certificates. Digital certificates are digitally signed data structures that bind public keys to subjects by a trusted certificate authority or certification authority.

Complete the following steps to configure TLS on Eclipse Amlen:
  1. Upload a certificate and create a certificate profile.

    A certificate profile defines the certificate, associated key, and any password that is used by an endpoint to establish a secured connection from a client. You need only one certificate profile for each certificate and key pair. The certificate in the profile is used during the SSL handshake between a client and an endpoint. The certificate verifies to the client that it is communicating with Eclipse Amlen, and not with an unknown server.

    The certificate must be a PEM format certificate, and the associated private key must be an RSA private key. If you have root and intermediate CA certificates, you can combine these certificates into a single file with the server certificate to create a trust chain. Upload the single file as the certificate file.

    For information about certificates, and how to obtain certificates, see Digital certificates.

    For more information about creating a certificate profile, see Configuring security.

  2. Create a security profile with TLS enabled and specify the certificate profile that you created. A certificate profile can be associated with one or more security profiles. You can associate a security profile with one or more endpoints. In addition to the certificate profile, the security profile defines the TLS configuration properties to secure communications with an endpoint:
    Minimum protocol method
    TLS provides secure communication for messages that flow between the client and Eclipse Amlen. Eclipse Amlen supports multiple TLS protocol versions: TLS v1.0, TLS v1.1, and TLS v1.2.

    The different version levels of TLS show the progression of the standard. Each new version modifies the client and server interchanges, and adds ciphers to, or removes ciphers from, the supported list. To make a connection between the client and Eclipse Amlen, the same version must be supported by both the client and Eclipse Amlen. For best security, use as high a version as possible. For best compatibility, support as many versions as possible. When you select a minimum version, clients can connect with that version or with any newer version.

    If you use TLS v1.0, use Medium level ciphers with UseClientCipher set to false. This setting ensures that the server chooses the cipher from its own list of the ciphers that the client supports. Alternatively, use Medium level ciphers with newer browsers.

    TLS v1.1 can be used as the minimum version if all of the clients are updated to support it. You might choose this version at the edge of the network, or for high-value information, provided that it is acceptable to exclude older clients.

    TLS v1.2 adds a set of improved, higher bit count ciphers and offers the best security of the versions listed. However, this version might cause compatibility problems because many clients do not support it. TLS v1.2 is the best choice in a controlled client and server environment, where all of the clients are known to run on newer systems.

    Ciphers
    Ciphers specify the encryption algorithm used.

    Organizations often have rules for the quality of the ciphers that are used. Setting the cipher to Best selects ciphers that are supported by both the client and the server, in order of quality. As a result, the higher bit count ciphers, which are slower to process, are selected first. Setting the cipher to Fast selects lower bit count ciphers ahead of the highest-quality ciphers, which improves performance with little loss of security. Setting the cipher to Medium selects lower bit count ciphers that can be used with TLS v1.0, even with older browsers.

    The cipher can be selected by either the server or the client. If you set UseClientCipher to true, the client selects the cipher. Using Best or Fast sets the supported cipher list to the list of high-quality ciphers. When the client selects, Best and Fast behave the same, because the first cipher in the client's list that also appears in the high-quality cipher list is selected. If you set UseClientCipher to false, the server selects the cipher from the list of ciphers that the client supports: with Best, the cipher is selected in strength order from the high-quality cipher list; with Fast, the fastest supported cipher from the high-quality cipher list is selected.

    For a complete list of ciphers that are used by Eclipse Amlen, see Supported cipher lists.

    Use Client Ciphers
    Specifies whether the client can determine the cipher that is used when it connects to Eclipse Amlen. Only the ciphers that are supported by both the client and the server can be chosen. If Use Client Ciphers is specified, the client selects the cipher that is used to connect to Eclipse Amlen. If Use Client Ciphers is not specified, the server selects the cipher.
    Client Certificate Authentication
    Specifies whether to authenticate the certificate that is presented by the client against the trusted certificates for this security profile.
    For more information about client certificates and the truststore, see Client certificate authentication.

    For more information about creating a security profile, see Configuring security.

  3. Associate the security profile with an endpoint on a message hub.

    For more information about configuring message hubs, see Configuring message hubs.
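The following POSIX shell script is an added example, not part of the Eclipse Amlen documentation, and assumes only that openssl is installed. It builds a constructed test PKI (a self-signed root and a server certificate signed by it), assembles the single PEM file that step 1 describes with the server certificate first and the CA certificates after it, and pre-checks the inputs before upload: the private key is RSA, it matches the server certificate, and the certificate verifies to the root.

```shell
#!/bin/sh
# Added example (not from the Eclipse Amlen docs): build a throwaway test PKI,
# assemble the single PEM file a certificate profile expects, and pre-check it.
set -e

# Constructed test PKI: self-signed root plus a server cert it signs.
# A real deployment uploads a CA-issued certificate instead.
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=amlen.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -days 2 \
    -out "$dir/server.pem" >/dev/null 2>&1
  # Order matters in the combined file: server certificate first, then any
  # intermediate CA certificates (none in this test PKI), then the root.
  cat "$dir/server.pem" "$dir/root.pem" > "$dir/chain.pem"
}

# Prints "ok" and returns 0 when the chain file and key are acceptable for
# a certificate profile; otherwise prints the reason and returns 1.
check_profile_inputs() {
  chain=$1; key=$2; root=$3
  # 1. The private key must be an RSA key.
  openssl rsa -in "$key" -check -noout >/dev/null 2>&1 \
    || { echo "key is not RSA"; return 1; }
  # 2. The first PEM block must be the server certificate, and its public
  #    key must match the private key (openssl x509 reads the first block).
  cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "key does not match server certificate"; return 1; }
  # 3. The server certificate must chain to the trusted root.
  openssl verify -CAfile "$root" "$chain" >/dev/null 2>&1 \
    || { echo "chain does not verify"; return 1; }
  echo ok
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_test_pki "$workdir"
check_profile_inputs "$workdir/chain.pem" "$workdir/server.key" "$workdir/root.pem"
```

Run the checks against your real chain file, key and root certificate before uploading them; a failure in check 2 usually means the CA certificate, not the server certificate, was placed first in the combined file.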

Replacing server certificates

If you need to replace a certificate, for example if the certificate is due to expire, you can upload a new certificate and associate it with the certificate profile that references the certificate that you need to replace.
