- Certificate Password
- If the certificate is locked with a password, specify it here. If multiple certificates are used, separate the passwords with two colons '::'.
- Client Authentication
-
- Accept all clients
- Allow all clients to communicate with the server without being checked for an SSL certificate.
- Request client certificate, and verify if present
- Requests a certificate from the client and verifies the returned certificate. If the client does not return a certificate, communication between the client and server continues. If a certificate is returned and it fails to verify, communication stops.
Note: If you select this, you must specify the CA root certificates file.
- Require client certificate, and verify
- Always requires a client certificate and verifies it. This ensures that the client is trusted. If a certificate is not returned or it cannot be verified, communication between the client and server is stopped.
Note: If you select this, you must specify the CA root certificates file.
- Client CA Root Certificates File
- If you require clients to have certificates, this file must contain the trusted root certificates.
Note: Enterprise Developer supports DER, CER, PKCS #7, PKCS #8, PKCS #12 and PEM certificate file formats and PKCS #8, PKCS #12 and PEM for key file formats.
- Honor Server Cipher List
- By default, the TLS honor server cipher list option is checked. This forces clients to use the protocols and cipher suites specified, in order of their priority.
Note: If the TLS protocols and cipher suites lists are not specified, the defaults are used. See Configuring a TLS Protocols List and Configuring a Cipher Suites List for more information.
- Protocols
- The list of TLS protocols to be used, in order of precedence. Each specified protocol is preceded by one of the following operators:
- !
- Exclude. Permanently exclude the protocol and ignore any subsequent attempt to add the protocol back in.
- +
- Add. Add the protocol to the existing collection.
- -
- Delete. Delete the protocol from the existing collection.
For example, to only use TLS1.1 and TLS1.2, type
-ALL+TLS1.1+TLS1.2
Note: The Protocols field now supports TLS1.3.
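As an added example (not part of the Micro Focus documentation or product), the following Python evaluates a Protocols field string with the operator semantics described above and reports which legacy versions a given string leaves enabled. The protocol universe, the starting collection (every known protocol) and the treatment of add order as precedence are assumptions.

```python
import re

# Assumed protocol universe for this example (the page names only TLS1.1, TLS1.2
# and TLS1.3); list order is the assumed default precedence.
KNOWN_PROTOCOLS = ["SSL3", "TLS1", "TLS1.1", "TLS1.2", "TLS1.3"]
# Versions a defender normally wants to see disabled on a new listener.
LEGACY_PROTOCOLS = {"SSL3", "TLS1", "TLS1.1"}
# One operator (!, + or -) followed by a protocol name or the keyword ALL.
TOKEN_RE = re.compile(r"([!+\-])\s*([A-Za-z0-9.]+)")

def _expand(name, known):
    if name.upper() == "ALL":
        return list(known)
    if name not in known:
        raise ValueError(f"unknown protocol name: {name}")
    return [name]

def apply_protocol_spec(spec, known=KNOWN_PROTOCOLS, initial=None):
    """Evaluate a Protocols field such as '-ALL+TLS1.1+TLS1.2': '!' excludes
    permanently (later '+' ignored), '+' adds, '-' deletes. Assumption: the
    collection starts as every known protocol; add order is precedence."""
    enabled = list(known if initial is None else initial)
    banned = set()
    pos = 0
    for m in TOKEN_RE.finditer(spec):
        if spec[pos:m.start()].strip():  # text not covered by any token
            raise ValueError(f"malformed spec near {spec[pos:m.start()]!r}")
        pos = m.end()
        op, name = m.group(1), m.group(2)
        for proto in _expand(name, known):
            if op == "!":
                banned.add(proto)
            if op in "!-" and proto in enabled:
                enabled.remove(proto)
            elif op == "+" and proto not in banned and proto not in enabled:
                enabled.append(proto)
    if spec[pos:].strip():
        raise ValueError(f"malformed spec near {spec[pos:]!r}")
    return enabled

def legacy_protocols_enabled(spec):
    return [p for p in apply_protocol_spec(spec) if p in LEGACY_PROTOCOLS]

def is_valid_spec(spec):
    try:
        apply_protocol_spec(spec)
        return True
    except ValueError:
        return False
```

Run `legacy_protocols_enabled` over the string you intend to paste into the field to confirm nothing older than TLS1.2 survives the operator chain.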
- Cipher Suites
- Specifies the priority of cipher suites to be used. The cipher suite priority is formed using a combination of keywords and keyword modifiers in a space-separated string:
- !
- Exclude. Permanently exclude the cipher suite and ignore any subsequent attempt to add the cipher suite back in.
- +
- Add. Add the cipher suite to the end of the collection.
- -
- Delete. Delete the cipher suite from the existing collection.
By default, the following cipher suite list is used:
kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM +3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP
To determine the cipher suites supported by your version of OpenSSL, type the following from a command prompt:
openssl ciphers -v 'ALL:COMPLEMENTOFALL'
- TLS1.3 Cipher Suites
- The list of cipher suites to be used with TLS1.3 separated by a colon ':'. For example:
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
- Diffie-Hellman Minimum Group Size
- Specifies the size in bits of the modulus length of the Diffie-Hellman group:
- Default
- 512 bit
- 1024 bit
- 2048 bit
- 4096 bit
Note: Micro Focus recommends a minimum modulus size of 2048 bits.
- Key Exchange Cipher Groups
- The key exchange cipher groups to be used, separated by semicolons ';'. For example:
secp521r1;secp384r1;prime256v1;secp256k1;secp224r1;secp224k1;prime192v1
- TLS1.3 Middlebox Compatibility
- Enable workaround for TLS1.3 on networks with incompatible middleboxes, for example, routers and firewalls. Disabling this
can improve performance on compatible networks but might result in dropped connections otherwise.
- .NET Admin Host
- The endpoint that ESCWA will communicate with for ES for .NET. This should point to an ES for .NET Admin Server, which administers, monitors, and controls managed regions.