Frequently Asked Questions
TLS configuration
Question: What is the default mode for TLS configuration?
Answer: Self-signed: by default the service presents a self-signed certificate, so clients must be configured to trust that specific certificate explicitly rather than relying on a CA chain.
Question: What is the minimum TLS version supported?
Answer: TLS 1.2 is the minimum supported version.
Question: What are the supported cipher suites for the P2PE service?
Answer: The P2PE service supports the following cipher suites (all ECDHE key exchange over the secp256r1 curve with RSA authentication):
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH secp256r1
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1
Question: How is the TLS configuration handled when multiple service instances are run?
Answer: You can run multiple instances of the service as long as those instances share a common HSM service partition. The TLS configuration is provided via a mounted volume and is shared among the instances. Securing the certificates and other files on mounted volumes is the customer's responsibility.
Question: Do you require client authentication to use the P2PE service?
Answer: The P2PE service optionally supports mutual (client certificate) authentication, which can be enabled or disabled. The mutual authentication setting is defined in the TLS configuration file.
Question: How does the customer supply root and intermediate CA certificates for client authentication?
Answer: The customer manages a CA trust store file and imports the root and intermediate CA certificates into it. The file must be placed in the mounted volume along with the TLS configuration.
Question: What is the minimum key strength required for TLS?
Answer: A 2048-bit RSA key is used to secure TLS connections. There is no restriction on the CA key length.
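To make the policy in the answers above concrete (TLS 1.2 floor, the four listed ECDHE-RSA suites over secp256r1, optional mutual authentication backed by a CA trust store on the mounted volume), here is an added example written for this page; it is not code from the P2PE service or its documentation. It builds a Python `ssl` server context that enforces the policy, audits any context against it, and checks the suite a client actually negotiated. The FAQ does not document the TLS configuration file's format, so the file-path arguments, the `mutual_auth` flag and the helper names are assumptions for illustration. Pinning the maximum version to TLS 1.2 is an assumption drawn from the fact that only TLS 1.2 suites are listed.

```python
"""Enforce and audit the TLS policy described in the P2PE FAQ (example code)."""
import ssl

# IANA suite names from the FAQ mapped to the OpenSSL names that Python's
# ssl module (and tools such as openssl s_client) report.
ALLOWED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
}
ALLOWED_OPENSSL_NAMES = set(ALLOWED_SUITES.values())
POLICY_PROTOCOL = "TLSv1.2"  # the four suites above are TLS 1.2 suites


def build_server_context(cert_chain=None, private_key=None,
                         mutual_auth=False, trust_store=None):
    """Return an SSLContext that enforces the FAQ policy.

    cert_chain, private_key and trust_store are paths on the mounted volume
    (assumed names; the FAQ does not document the config file format).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumption: only TLS 1.2 suites are listed, so pin the ceiling too so
    # the negotiated suite is always one of the four.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(ALLOWED_SUITES.values()))
    ctx.set_ecdh_curve("prime256v1")  # OpenSSL's name for secp256r1
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    if cert_chain:
        ctx.load_cert_chain(cert_chain, private_key)
    if mutual_auth:
        # Mutual auth without a customer-managed trust store cannot verify
        # any client, so refuse to start rather than silently accept nothing.
        if not trust_store:
            raise ValueError("mutual authentication enabled but no CA trust store given")
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=trust_store)
    else:
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def stock_server_context():
    """A plain context with the library's default cipher list, for comparison."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def negotiable_tls12_suites(ctx):
    """OpenSSL names of the TLS 1.2 suites the context will actually offer."""
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if c["protocol"] == POLICY_PROTOCOL)


def policy_violations(ctx):
    """List each way ctx departs from the FAQ policy; an empty list means compliant."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(f"minimum version {ctx.minimum_version.name} is below TLS 1.2")
    for name in sorted(set(negotiable_tls12_suites(ctx)) - ALLOWED_OPENSSL_NAMES):
        problems.append(f"unexpected cipher suite {name}")
    return problems


def verify_negotiated(cipher_info):
    """Client-side check of the (name, protocol, bits) tuple from sock.cipher()."""
    name, protocol, _bits = cipher_info
    return protocol == POLICY_PROTOCOL and name in ALLOWED_OPENSSL_NAMES


if __name__ == "__main__":
    compliant = build_server_context()
    print("compliant context offers:", negotiable_tls12_suites(compliant))
    print("violations in compliant context:", policy_violations(compliant))
    print("violations in stock context:", policy_violations(stock_server_context()))
```

On the client side, call `verify_negotiated(sock.cipher())` after `wrap_socket` and drop the connection if it returns `False`; `policy_violations` is the check to run against any context you build from a mounted configuration before serving traffic.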