When hardening an Enterprise Server installation, review the following steps. Consult the topics in this document and related ones in your product Help for more information:
- Disable old TLS protocols: disable TLSv1.0 and TLSv1.1.
- Enable only strong cipher suites: configure a list of strong cipher suites or set the security level to a high value. Use the Honor Server Cipher List option.
- Use a proper CA: do not use DemoCA in production; use a commercial or organizational CA.
- Generate quality certificates: create certificates which conform to industry best practices. For server certificates, include all the appropriate Subject Alternative Names. Use strong signing algorithms (avoid MD5 and SHA1) and sufficiently large keys (for example, at least 2048 bits for RSA keys).
- Protect private keys: use key-file formats that encrypt the private key, and set restrictive file permissions. Do not share private keys with entities that do not need them. Determine what method of supplying the keyfile passphrase is most appropriate for your organization.
Note: You can use the Micro Focus Vault Facility to store a secret for the certificate and keyfile pass phrases. This can be specified in the mf-server.dat file and takes one of the following forms:
mfsecret:configuration-name:secret-path
or:
mfsecret::secret-path
or:
mfsecret:secret-path