Enables you to configure the protocol, endpoint, and TLS settings for the server running the Enterprise Server Common Web Administration (ESCWA) service.
- Protocol
- The protocol used to connect to the endpoint.
- Hostname or IP Address
- The hostname or IP address on which the listener accepts incoming client requests. The IP address can be either IPv4 or IPv6.
Note: You must restart the ESCWA service if you modify this field.
Specifying 0.0.0.0 binds to all available IPv4 addresses. Specifying :: binds to all available IPv6 addresses. Specifying * binds to all available IPv4 and IPv6 addresses.
- Port
- This must be a valid port number, or an asterisk (*), which indicates that a port is dynamically assigned to the listener when it starts.
- Enable TLS
- Indicates whether the ESCWA server uses Transport Layer Security (TLS), which secures communications between the client and ESCWA.
- Certificate File
- Location, on disk, of the certificate. If multiple certificates are used, separate the paths with a semicolon ';'.
- Keyfile
- Location, on disk, of the keyfile. If multiple keyfiles are used, separate the paths with a semicolon ';'.
- Keyfile Password
- The password for the keyfile is specified here. If multiple keyfiles are used, separate the passwords with four colons '::::'.
Advanced
- Certificate Password
- If the certificate is locked with a password, specify it here. If multiple certificates are used, separate the passwords with two colons '::'.
- Client Authentication
- One of the following:
- Accept all clients
- Allow all clients to communicate with the server without being checked for an SSL certificate.
- Request client certificate, and verify if present
- Requests a certificate from the client and verifies it if one is returned. If the client does not return a certificate, communication between the client and server continues. If a certificate is returned and it fails verification, communication stops.
Note: If you select this, you must specify the CA root certificates file.
- Require client certificate, and verify
- Always requires a client certificate and verifies it, which ensures that the client is trusted. If a certificate is not returned or it cannot be verified, communication between the client and server is stopped.
Note: If you select this, you must specify the CA root certificates file.
- Client CA Root Certificates File
- If you require clients to have certificates, this file must contain the trusted root certificates.
Note: Enterprise Developer supports DER, CER, PKCS #7, PKCS #8, PKCS #12 and PEM certificate file formats and PKCS #8, PKCS #12
and PEM for key file formats.
- Honor Server Cipher List
- By default, the TLS honor server cipher list option is checked. This forces clients to use the protocols and cipher suites specified, in order of their priority.
Note: If the TLS protocols and cipher suites lists are not specified, the defaults are used. See Configuring a TLS Protocols List and Configuring a Cipher Suites List for more information.
- Protocols
- The list of TLS protocols to be used, in order of precedence. Each specified protocol is preceded by one of the following
operators:
- !
- Exclude. Permanently exclude the protocol and ignore any subsequent attempt to add the protocol back in.
- +
- Add. Add the protocol to the existing collection.
- -
- Delete. Delete the protocol from the existing collection.
For example, to use only TLS1.1 and TLS1.2, type
-ALL+TLS1.1+TLS1.2
Note: The Protocols field now supports TLS1.3. You must use @SECLEVEL=0 for TLS 1.1 and earlier. See Security Levels for more information.
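As an added illustration (not code from the product or from this page), the following Python resolves a Protocols value using the operator semantics described above and flags when the result needs @SECLEVEL=0. The protocol names, their default precedence order, and the starting collection being the full set are assumptions.

```python
import re

# Assumed protocol names in an assumed default precedence order; the real
# ESCWA/OpenSSL build may recognise a different set.
KNOWN_PROTOCOLS = ["TLS1.3", "TLS1.2", "TLS1.1", "TLS1", "SSL3"]
# Protocols for which the page says @SECLEVEL=0 is required (TLS 1.1 and earlier).
LEGACY_PROTOCOLS = {"TLS1.1", "TLS1", "SSL3"}

# One operator (!, + or -) followed by a protocol name or the keyword ALL.
TOKEN = re.compile(r"([!+-])([A-Za-z0-9.]+)")


def resolve_protocols(spec, known=KNOWN_PROTOCOLS):
    """Apply the Protocols operators left to right and return the enabled list.

    Assumption: the 'existing collection' starts as every known protocol.
      !  permanently exclude (a later '+' for that protocol is ignored)
      +  add to the end of the collection
      -  delete from the collection
    The keyword ALL expands to every known protocol.
    """
    spec = spec.replace(" ", "")
    # Every character must belong to a well-formed token.
    if sum(len(m.group(0)) for m in TOKEN.finditer(spec)) != len(spec):
        raise ValueError("malformed protocol list: %r" % spec)
    selected = list(known)
    excluded = set()
    for op, name in TOKEN.findall(spec):
        targets = list(known) if name.upper() == "ALL" else [name]
        unknown = [t for t in targets if t not in known]
        if unknown:
            raise ValueError("unknown protocol(s): %s" % ", ".join(unknown))
        if op in ("!", "-"):
            if op == "!":
                excluded.update(targets)
            selected = [p for p in selected if p not in targets]
        else:  # "+"
            selected += [t for t in targets
                         if t not in excluded and t not in selected]
    return selected


def needs_seclevel_zero(protocols):
    """True if the resolved list enables TLS 1.1 or earlier."""
    return any(p in LEGACY_PROTOCOLS for p in protocols)
```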
- Cipher Suites
- Specifies the priority of cipher suites to be used. The cipher suite priority is formed using a combination of keywords and
keyword modifiers for a space-separated string:
- !
- Exclude. Permanently exclude the cipher suite and ignore any subsequent attempt to add the cipher suite back in.
- +
- Add. Add the cipher suite to the end of the collection.
- -
- Delete. Delete the cipher suite from the existing collection.
By default, the following cipher suite list is used:
kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM +3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP
To determine the cipher suites supported by your version of OpenSSL, type the following from a command prompt:
openssl ciphers -v 'ALL:COMPLEMENTOFALL'
- TLS1.3 Cipher Suites
- The list of cipher suites to be used with TLS1.3 separated by a colon ':'. For example:
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
- Diffie-Hellman Minimum Group Size
- Specifies the modulus length, in bits, of the Diffie-Hellman group:
- Default
- 512 bit
- 1024 bit
- 2048 bit
- 4096 bit
Note: Micro Focus recommends a minimum modulus size of 2048 bits.
- Key Exchange Cipher Groups
- The key exchange cipher groups to be used, separated by semicolons ';'. For example:
secp521r1;secp384r1;prime256v1;secp256k1;secp224r1;secp224k1;prime192v1
- TLS1.3 Middlebox Compatibility
- Enables a workaround for TLS1.3 on networks with incompatible middleboxes, for example, routers and firewalls. Disabling this can improve performance on compatible networks but might result in dropped connections otherwise.
- .NET Admin Host
- The endpoint that ESCWA communicates with for ES for .NET. This should point to an ES for .NET Admin Server, which administers, monitors, and controls managed regions.
- External Communications Response Timeout
- Specify, in seconds, how long ESCWA waits for an external communications response before timing out. This timeout is used when communicating with the Communications Process, Web Services, J2EE Listener, ES for .NET, and MFA. The actual timeout might be a few seconds longer than specified.
- Default Locale
- Use this to specify the default locale of the ESCWA interface. If set to Browser Determined, the user's browser locale is used.
See Security Levels for more information.