SSL Configuration Parameters
CAPI
The following table lists the SSL configuration parameters for CAPI.
Parameter | Default | Recommended | Description
---|---|---|---
CA_File | no default | | CA certificate used to sign the server certificate presented by the NAE Server to the client. The certificate can be stored in the Microsoft Certificate Store or in a file, and the value of CA_File depends on where it is stored. Possible settings: • The path and file name - The absolute path and file name of the CA certificate. Do not use quotes, even if the path contains spaces. For example: CA_File=C:\SSL_Certs\72.162\xyz_CA.crt • CA_Location\|CA common name or CA file path - The location and the name or path of the CA certificate, depending on the value set for CA_Location. CA_Location can be Cert_File_Path or Microsoft_Cert_Store; these values are valid only on Windows, while on other platforms CA_File holds the path of the CA file. For Cert_File_Path, the path of the CA certificate file is given after the \|; for Microsoft_Cert_Store, the common name of the CA certificate is given after the \|. Example on Windows with Cert_File_Path: CA_File=Cert_File_Path\|C:\SSL_Certs\72.162\xyz_CA.crt (using Cert_File_Path is the same as the default setting). Example on Windows with Microsoft_Cert_Store: CA_File=Microsoft_Cert_Store\|xyz, where xyz is the common name of the CA certificate. Note: For Microsoft_Cert_Store, the CA certificate must be imported under Trusted Root Certification Authorities of the Local Machine, which is accessible only by Admin users. On other platforms the value is the path of the CA file, for example: CA_File=C:\SSL_Certs\72.162\xyz_CA.crt. Because all CipherTrust Manager servers in a clustered environment must have an identical configuration, all servers in the cluster use the same server certificate, so you only need to point to one CA certificate in the CA_File parameter. If you do not supply the CA certificate that was used to sign the server certificate used by CipherTrust Manager, your client applications cannot establish SSL connections with any of the servers in the cluster. If a local CA on CipherTrust Manager was used to sign the NAE Server certificate, you can download the certificate of the local CA and put it on the client.
Cert_File_Location | Cert_File_Path | | Determines the location from which the client certificate used for client authentication is read. This is only used when your SSL configuration requires clients to provide a client certificate to authenticate to CipherTrust Manager(s). Possible settings: • Cert_File_Path - The client certificate is read from the location where the certificate file is placed. • Microsoft_Cert_Store - The client certificate is read from the Microsoft Certificate Store. • Microsoft_Cert_Store::Current_User - The client certificate is read from the Current User certificate store. • Microsoft_Cert_Store::Local_Machine - The client certificate is read from the Local Machine certificate store. Note: To securely access the client certificate and its corresponding private key from the Current User certificate store, the application should run exclusively under that user account. • EToken - The client certificate is read from the EToken.
Cert_File | no default | | Stores the path and file name of the client certificate. This is used only when your SSL configuration requires clients to provide a client certificate to authenticate to CipherTrust Manager. The value depends on the option chosen in Cert_File_Location. Possible settings: • The path and file name - The absolute path and file name of the client certificate to be used for authentication. Do not use quotes, even if the path contains spaces. Client certificates must be PEM encoded. This value is used when Cert_File_Location is set to Cert_File_Path. • The common name (CN) - The Common Name of the certificate placed in the Microsoft Certificate Store or on the EToken. Note: This Common Name must be unique in the certificate store. This value is used when Cert_File_Location is set to Microsoft_Cert_Store or EToken; in this case, Key_File and Passphrase can be left blank. Note: If this value is set to a path and file name, the certificate and private key must be present, even if CipherTrust Manager is not configured to request a client certificate.
EToken_Name | blank or no value | | Stores the name of the EToken used to store the certificate. Possible setting: • The name of the EToken - The name of the specific EToken used to store the certificate. You can also leave this parameter blank, which means the EToken is not being used to store the certificate.
EToken_Password | blank or no value | | Stores the password of the EToken used to store the certificate. Possible setting: • The password of the EToken - The password of the specific EToken used to store the certificate. You can also leave this parameter blank, which means the EToken is not being used to store the certificate.
Key_File | no default | | Refers to the private key associated with the client certificate specified in the Cert_File parameter. Possible setting: • The path and file name - The path must be absolute. Do not use quotes, even if the path contains spaces. The client private key must be in PEM-encoded PKCS#8 format. As this key is encrypted, you must use the Passphrase parameter so that CipherTrust Manager can decrypt it. Note: For Microsoft_Cert_Store or EToken, this parameter can be left blank.
Passphrase_Encrypted | no | yes | Enables or disables passphrase obfuscation. Possible settings: • yes - Passphrase obfuscation is enabled. The passphrase can be obfuscated using the command line utility (PassPhraseSecure) and stored in the Passphrase parameter. • no - Passphrase obfuscation is disabled. In this case, the passphrase can either be stored as plaintext in the Passphrase parameter or secured using the user-specified callback function. If the callback function is used, the plaintext passphrase stored in the Passphrase parameter is ignored. For more information, refer to "Securing Passphrase".
Passphrase | no default | | The passphrase associated with the private key specified in the Key_File parameter. If a callback is registered (using the I_C_SetPassPhraseCallback() function call prior to I_C_OpenSession()), the value of the Passphrase parameter is ignored. If you do not provide this passphrase, the client attempts to read the passphrase from standard input, which causes the application to hang. Note: The properties file is NOT encrypted. Make sure that this file resides in a secure directory and has appropriate permissions so that it is readable only by the appropriate application or user. Note: For Microsoft_Cert_Store or EToken, this parameter can be left blank.
Verify_SSL_Certificate | no | yes | Directs CADP for C to verify the IP address (IPv4 or IPv6) or hostname against the subject Common Name (CN) or the Subject Alternative Name (SAN) in the server certificate presented by CipherTrust Manager during authentication. SSL must be configured to use this feature. Valid values: • yes - Enables the feature. The server certificate must include either the hostname or the IP address in the CN or SAN field. If the hostname is used, it must be resolvable and reachable by the client. • no - Disables the feature.
Cipher_Spec | no default | | Specifies which SSL/TLS protocol and encryption algorithms to use. Multiple cipher strings can be separated by colons. For example, the value TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA specifies TLS 1.2 and TLS 1.3 high strength ciphers. Here, the TLS 1.2 ciphers are ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA and the TLS 1.3 ciphers are TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256. If no TLS 1.3 cipher is provided, the ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 are enabled by default. So, to use TLS 1.2, you can disable the TLS 1.3 protocol on CipherTrust Manager (CM); refer to Modify TLS version of an interface. Note: The default entry is commented out in the properties file because this parameter is compiled into the client library. Modify this parameter only if you prefer to use some other combination of algorithms and protocols; modifying it overrides the value in the library. It is recommended to use the TLS ciphers offered by the CipherTrust Manager appliance. If you specify a value other than the default, you must use ECDHE for key exchange.
Syslog_CA | | | CA certificate that signed the Syslog server certificate presented to the client to establish SSL connections. Specify the absolute path and file name of the CA certificate. Do not use quotes, even if the path contains spaces.
Syslog_Cert | | | Client certificate presented to the Syslog server for client authentication. The certificate must be in PEM format. Specify the absolute path and file name of the client certificate to be used for authentication. Do not use quotes, even if the path contains spaces. For example: C:\SSL_Certs\72.162\xyz_CA.crt
Syslog_Key | | | Private key associated with the client certificate specified in Syslog_Cert. The client private key must be in PEM-encoded format. Specify the absolute path and file name of the key. Do not use quotes, even if the path contains spaces. If this key is encrypted with a passphrase, you must use the Syslog_Passphrase parameter so that the client can decrypt it.
Syslog_Passphrase | | | Passphrase to unlock the client private key specified in Syslog_Key. Provide the passphrase associated with the private key file given in the Syslog_Key property. If your Syslog_Key is not protected by a passphrase, leave this property blank.
PKCS#11
The following table lists the SSL configuration parameters for PKCS#11.
Parameter | Default | Recommended | Description
---|---|---|---
CA_File | no default | | Refers to the CA certificate that was used to sign the server certificate presented by the NAE Server to the client. Possible setting: • The path and file name - The absolute path and file name of the CA certificate. Do not use quotes, even if the path contains spaces. For example: CA_File=C:\SSL_Certs\72.162\xyz_CA.crt. All CADP for C PKCS#11 appliances in a clustered environment must have an identical configuration, so the same server certificate is used by all servers in a cluster and you only need to point to one CA certificate in the CA_File parameter. If you do not supply the CA certificate that was used to sign the server certificate used by the CipherTrust Manager appliances, your client applications cannot establish SSL connections with any of the servers in the cluster. If a local CA on CipherTrust Manager was used to sign the NAE Server certificate, you can download the certificate of the local CA and put it on the client.
Cert_File | no default | | Stores the path and file name of the client certificate. This is used only when your SSL configuration requires clients to provide a client certificate to authenticate to the CipherTrust Managers. Possible setting: • The path and file name - The absolute path and file name of the client certificate to be used for authentication. Do not use quotes, even if the path contains spaces. Client certificates must be PEM encoded. Note: If the Cert_File parameter is set, the certificate and private key must be present, even if CipherTrust Manager is not configured to request a client certificate.
Key_File | no default | | Refers to the private key associated with the client certificate specified in the Cert_File parameter. Possible setting: • The path and file name - The path must be absolute. Do not use quotes, even if the path contains spaces. The client private key must be in PEM-encoded PKCS#8 format. Since this key is encrypted, you must use the Passphrase parameter so that the CADP for C PKCS#11 library can decrypt it. Note: If this value is set, the certificate and private key must be present at the specified path, even if CipherTrust Manager is not configured to request a client certificate.
Passphrase_Encrypted | no | yes | Enables or disables passphrase obfuscation. Possible settings: • yes - Passphrase obfuscation is enabled. The passphrase can be obfuscated using the command line utility (PassPhraseSecure) and stored in the Passphrase parameter. • no - Passphrase obfuscation is disabled. In this case, the passphrase can either be stored as plaintext in the Passphrase parameter or secured using the user-specified callback function. If the callback function is used, the plaintext passphrase stored in the Passphrase parameter is ignored. For more information, refer to "Securing Passphrase".
Passphrase | no default | | The passphrase associated with the private key named in Key_File. Note: If the passphrase does not match the private key, the client attempts to read the passphrase from standard input, which causes the application to hang.
Cipher_Spec | no default | | Specifies which SSL/TLS protocol and encryption algorithms to use. Multiple cipher strings can be separated by colons. For example, the value TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA specifies TLS 1.2 and TLS 1.3 high strength ciphers. Here, the TLS 1.2 ciphers are ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA and the TLS 1.3 ciphers are TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256. If no TLS 1.3 cipher is provided, the ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 are enabled by default. So, to use TLS 1.2, you can disable the TLS 1.3 protocol on CipherTrust Manager (CM); refer to Modify TLS version of an interface. Note: The default entry is commented out in the properties file because this parameter is compiled into the client library. Modify this parameter only if you prefer to use some other combination of algorithms and protocols; modifying it overrides the value in the library. It is recommended to use the TLS ciphers offered by the CipherTrust Manager appliance. If you specify a value other than the default, you must use ECDHE for key exchange.
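The following is an added example, not code from the CADP for C product, that lints a properties fragment against the rules stated in both tables above (unquoted CA_File path, valid Cert_File_Location values, Verify_SSL_Certificate and Passphrase_Encrypted recommended yes, TLS 1.3 suites enabled by default when Cipher_Spec names none, and ECDHE key exchange required for a non-default Cipher_Spec). The sample properties are constructed, and the Key=Value line format with '#' comments is an assumption about the file layout.

```python
# Constructed sample properties (not from the page); Key=Value lines and
# '#' comment syntax are assumed. A raw string keeps the Windows backslashes.
SAMPLE_PROPERTIES = r"""
CA_File="C:\SSL_Certs\72.162\xyz_CA.crt"
Cert_File_Location=Microsoft_Cert_Store::Local_Machine
Cert_File=client-cert-cn
Passphrase_Encrypted=no
Passphrase=plaintext-secret
Verify_SSL_Certificate=no
Cipher_Spec=AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA
"""

# TLS 1.3 suites the table says are enabled when Cipher_Spec names none.
TLS13_DEFAULTS = ("TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                  "TLS_AES_128_GCM_SHA256")
CERT_LOCATIONS = {"Cert_File_Path", "Microsoft_Cert_Store",
                  "Microsoft_Cert_Store::Current_User",
                  "Microsoft_Cert_Store::Local_Machine", "EToken"}

def parse_properties(text):
    """Parse Key=Value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def effective_ciphers(spec):
    """Expand Cipher_Spec: add the TLS 1.3 defaults when none is listed."""
    suites = [s for s in spec.split(":") if s]
    if not any(s.startswith("TLS_") for s in suites):
        suites = list(TLS13_DEFAULTS) + suites
    return suites

def lint(props):
    """Return findings for settings that contradict the parameter tables."""
    findings = []
    ca = props.get("CA_File", "")
    if ca.startswith('"') or ca.endswith('"'):
        findings.append("CA_File: path must not be quoted")
    loc = ca.split("|", 1)[0] if "|" in ca else "Cert_File_Path"
    if loc not in ("Cert_File_Path", "Microsoft_Cert_Store"):
        findings.append("CA_File: unknown CA_Location %s" % loc)
    if props.get("Cert_File_Location", "Cert_File_Path") not in CERT_LOCATIONS:
        findings.append("Cert_File_Location: unknown value")
    if props.get("Verify_SSL_Certificate", "no") != "yes":
        findings.append("Verify_SSL_Certificate: recommended yes")
    if props.get("Passphrase") and props.get("Passphrase_Encrypted", "no") != "yes":
        findings.append("Passphrase: stored in plaintext; set Passphrase_Encrypted=yes")
    for s in effective_ciphers(props.get("Cipher_Spec", "")):
        if not s.startswith(("TLS_", "ECDHE-")):
            findings.append("Cipher_Spec: %s does not use ECDHE key exchange" % s)
    return findings
```

Running lint(parse_properties(SAMPLE_PROPERTIES)) reports the quoted CA path, the disabled hostname check, the plaintext passphrase, and the two non-ECDHE TLS 1.2 suites.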