SSL Sections, SSL Options – HP Secure Key Manager User Manual
Page 165

In this scenario, the client application indicates that it is willing to perform an SSL resume (rather than a full handshake) by sending a previously negotiated session-id in the CLIENT-HELLO message. The SKM checks that it has the session key for the given session-id. If so, it acknowledges that it is willing to resume the session by using the same session-id in the SERVER-HELLO message. Otherwise, the SKM responds with a new session-id.
SSL Session Timeout
All SSL sessions stored in the SKM's session cache have an expiration period, typically two hours. This means the SKM accepts a session resume request for at most two hours after the session is first established. Consequently, every client application must renegotiate a session key at least once every two hours. This limits the amount of information encrypted with a particular session key. Hence, an attacker who is able to deduce a session key would only obtain the information exchanged during a two-hour window. The SSL session timeout on the SKM is configured on the SSL Configuration page, as described later in this chapter.
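The resume-or-renegotiate decision above, combined with the two-hour cache expiration, is easiest to see as code. The following is an added example written for this page, not HP's SKM implementation: it models a server-side session cache whose entries expire two hours after they were first established, and makes the SERVER-HELLO decision the way the text describes (echo the offered session-id only while an unexpired key exists for it, otherwise issue a new one). The class and method names, the 32-byte session-id and 48-byte master-secret sizes, and the injectable clock are this example's assumptions.

```python
import os
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Typical session-cache expiration quoted by the manual: two hours, measured
# from when the session was first established (not from its last use).
SESSION_TIMEOUT_SECONDS = 2 * 60 * 60


@dataclass
class CachedSession:
    master_secret: bytes      # the key an attacker would need to read this session's traffic
    established_at: float     # seconds, read from the injected clock


class SessionCache:
    """Server-side session cache implementing the resume-or-renegotiate decision
    described above. `now` is injectable so expiry can be tested deterministically."""

    def __init__(self, timeout: float = SESSION_TIMEOUT_SECONDS,
                 now: Callable[[], float] = time.time) -> None:
        self._sessions: dict = {}
        self._timeout = timeout
        self._now = now

    def _establish(self) -> bytes:
        """Full-handshake outcome: a fresh session-id bound to a fresh master secret."""
        session_id = os.urandom(32)
        self._sessions[session_id] = CachedSession(os.urandom(48), self._now())
        return session_id

    def handle_client_hello(self, offered_session_id: Optional[bytes]) -> Tuple[bytes, bool]:
        """Process the session-id field of a CLIENT-HELLO.

        Returns (session_id_for_SERVER_HELLO, resumed). The id is echoed back
        unchanged only when the cache still holds an unexpired key for it;
        otherwise a new id is issued, which forces a full handshake."""
        if offered_session_id is not None:
            entry = self._sessions.get(offered_session_id)
            if entry is not None:
                if self._now() - entry.established_at < self._timeout:
                    return offered_session_id, True
                # Expired: evict so the old session key cannot be reused at all.
                del self._sessions[offered_session_id]
        return self._establish(), False

    def purge_expired(self) -> int:
        """Housekeeping pass: drop every session past its lifetime; returns the count."""
        now = self._now()
        stale = [sid for sid, s in self._sessions.items()
                 if now - s.established_at >= self._timeout]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def __len__(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    clock = [0.0]
    cache = SessionCache(now=lambda: clock[0])
    sid, _ = cache.handle_client_hello(None)          # full handshake at t = 0
    clock[0] = 3600.0
    print("resume at +1h:", cache.handle_client_hello(sid)[1])   # True
    clock[0] = 3 * 3600.0
    print("resume at +3h:", cache.handle_client_hello(sid)[1])   # False: new session-id issued
```

Expiry is measured from establishment rather than from last use, which is what bounds the exposure window to two hours: a client that resumes every few minutes still gets a fresh session key at the two-hour mark.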
SSL Certificate Management on the SKM
Certificates are used to authenticate one entity to another. This authentication takes place during the SSL handshake protocol. Certificates are issued by Certification Authorities (CAs) such as VeriSign, Entrust, Thawte, and others. The SKM is equipped with CA capabilities, and can issue certificates for all your applications.
When establishing an SSL connection with a client, you can require that the client authenticate itself to the SKM by presenting a certificate. Because the SKM can issue certificates to applications and databases, there is no need for you to use a public CA such as VeriSign to issue these certificates. You can generate these certificates on the SKM.

The HP CA is managed on the CA Certificates page. To issue certificates for your applications, you must first create a local CA on the SKM. This local CA is then used to issue certificates for all your applications. Local certificates issued by the HP CA are only valid for authenticating to the SKM.
SSL Sections
The SSL Configuration page enables you to manage your SSL settings. This page contains the following SSL-related sections:
• SSL Options
• SSL Cipher Order
SSL Options
Use this section to view and modify SSL settings. These settings affect the KMS Server's communication with client applications and databases when SSL is enabled. These settings also affect all connections to the web-based Management Console.

By default, applications using SSL 2.0 (an older version of SSL) are not allowed to connect to the KMS Server. SSL 2.0 is known to have some security vulnerabilities.
NOTE: FIPS-compliant devices cannot use the default SSL configuration. On those devices, you must enable TLS 1.0 and disable SSL 2.0 and 3.0.
IMPORTANT: Some web browsers, including Internet Explorer 6.0, do not have TLS 1.0 enabled by default. If you disable SSL 2.0 and 3.0, please check first that your browser has TLS 1.0 enabled. (In Internet Explorer, select Internet Options from the Tools menu, click the Advanced tab, scroll down to the Security section, and make sure the "Use TLS 1.0" checkbox is checked.)
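The NOTE and the IMPORTANT box describe two sides of the same configuration change: the protocol set the SSL Options section must end up with on a FIPS-compliant device, and the clients that change locks out. The following added example (written for this page; it is not HP's code, and the SKM exposes these toggles only through the Management Console) models the option set as a set of enabled protocol versions, checks it against the NOTE's three conditions, and performs the pre-change check the IMPORTANT box asks for by negotiating against constructed client profiles. Assumptions: the SKM default is taken as "SSL 2.0 off, SSL 3.0 and TLS 1.0 on" (the page states only the SSL 2.0 part), the client profiles are constructed rather than measured, and version selection is simplified to "newest version both sides allow".

```python
from enum import IntEnum
from typing import Dict, Iterable, List, Optional, Set


class Proto(IntEnum):
    """Protocol versions the SSL Options section can toggle, ordered so that a
    larger value is a newer version; negotiation relies on this ordering."""
    SSL2 = 2
    SSL3 = 3
    TLS10 = 4


# Assumed SKM default: SSL 2.0 refused, as the section states; SSL 3.0 and
# TLS 1.0 allowed (the NOTE implies the default is not FIPS-clean).
DEFAULT_ENABLED: Set[Proto] = {Proto.SSL3, Proto.TLS10}
# The configuration the NOTE requires on FIPS-compliant devices.
FIPS_ENABLED: Set[Proto] = {Proto.TLS10}

# Constructed client profiles illustrating the IMPORTANT box; not measured data.
CLIENT_PROFILES: Dict[str, Set[Proto]] = {
    "IE 6.0, default settings":       {Proto.SSL2, Proto.SSL3},
    "IE 6.0, 'Use TLS 1.0' checked":  {Proto.SSL2, Proto.SSL3, Proto.TLS10},
    "modern client, TLS only":        {Proto.TLS10},
}


def fips_violations(enabled: Iterable[Proto]) -> List[str]:
    """Which of the NOTE's three conditions the given option set breaks."""
    enabled = set(enabled)
    problems: List[str] = []
    if Proto.SSL2 in enabled:
        problems.append("SSL 2.0 must be disabled")
    if Proto.SSL3 in enabled:
        problems.append("SSL 3.0 must be disabled")
    if Proto.TLS10 not in enabled:
        problems.append("TLS 1.0 must be enabled")
    return problems


def negotiate(server_enabled: Iterable[Proto],
              client_offered: Iterable[Proto]) -> Optional[Proto]:
    """Simplified version selection: the newest version both sides allow, or
    None when there is no common version (the client's handshake is refused)."""
    common = set(server_enabled) & set(client_offered)
    return max(common) if common else None


def locked_out_clients(new_enabled: Iterable[Proto],
                       clients: Optional[Dict[str, Set[Proto]]] = None) -> List[str]:
    """Pre-change check from the IMPORTANT box: names of client profiles that
    could no longer connect under the proposed option set."""
    profiles = CLIENT_PROFILES if clients is None else clients
    new_enabled = set(new_enabled)
    return [name for name, offered in profiles.items()
            if negotiate(new_enabled, offered) is None]


if __name__ == "__main__":
    print("default config, FIPS problems:", fips_violations(DEFAULT_ENABLED))
    print("FIPS config, FIPS problems:   ", fips_violations(FIPS_ENABLED))
    print("locked out by FIPS config:    ", locked_out_clients(FIPS_ENABLED))
```

Running the check before flipping the toggles turns the IMPORTANT box's advice into a concrete answer: the FIPS option set rejects the IE 6.0 profile with default settings and accepts it once "Use TLS 1.0" is ticked, so verify the browser setting first and only then disable SSL 2.0 and 3.0 on the Management Console, which is reached over the same SSL settings.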