WebSEAL Configuration

As part of the FAPI conformance, the ISAM appliance supports Mutual TLS-based client authentication (MTLS) for confidential client authentication.

To achieve FAPI MTLS on IBM Security Verify Access, perform the following tasks:

Steps

  1. To disable TLS 1.0/1.1, set "disable-tls-v1" and "disable-tls-v11" to "yes" in the WebSEAL configuration file.

    1. In the Appliance Dashboard, select Web > Manage > Reverse Proxy.

    2. Select the reverse proxy instance name and select Manage > Configuration > Edit Configuration File.

    3. In the configuration file, set disable-tls-v1 and disable-tls-v11 to "yes".

  2. To only allow secure cipher suites:

    1. In the appliance dashboard, select Web > Manage > Reverse Proxy.

    2. Select the reverse proxy instance name.

    3. Select Manage > Configuration > Edit Configuration File.

    4. In the configuration file, under [ssl], disable TLS 1.1 and earlier.

    5. In the configuration file under [ssl-qop-mgmt-default], set default ciphers to:

      • default = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
      • default = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      • default = TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
      • default = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    6. In order for the appliance to use the DHE ciphers set in the previous step, a platform-level flag must be set. This is done by setting gsk-attr-name = enum:4009:1 under [ssl].
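The following script is an added example, not part of this IBM documentation and not code shipped with the appliance. It parses an exported WebSEAL configuration file and checks the settings from the steps above: TLS 1.0/1.1 disabled under [ssl], only the four listed cipher suites under [ssl-qop-mgmt-default], and the gsk-attr-name = enum:4009:1 flag present whenever a DHE suite is configured. It assumes the file uses the stanza and "key = value" layout shown in the steps, with keys allowed to repeat inside a stanza (which is why Python's configparser is not used). The two sample configurations are constructed for illustration.

```python
"""Audit a WebSEAL configuration file for the FAPI TLS settings (added example)."""
from collections import defaultdict

# Cipher suites the procedure above lists as the permitted defaults.
ALLOWED_CIPHERS = {
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# Constructed sample: TLS 1.0/1.1 still enabled and a CBC suite in the default list.
WEAK_CONFIG = """
[ssl]
disable-tls-v1 = no
disable-tls-v11 = no

[ssl-qop-mgmt-default]
default = TLS_RSA_WITH_AES_128_CBC_SHA
default = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""

# Constructed sample: the settings the procedure above asks for.
HARDENED_CONFIG = """
[ssl]
disable-tls-v1 = yes
disable-tls-v11 = yes
gsk-attr-name = enum:4009:1

[ssl-qop-mgmt-default]
default = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
default = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
default = TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
default = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""


def parse_webseal_config(text):
    """Parse the stanza-based format into {stanza: {key: [value, ...]}}.

    Values are kept as lists because WebSEAL stanzas may repeat a key
    (for example several 'default =' lines in [ssl-qop-mgmt-default]).
    """
    config = defaultdict(lambda: defaultdict(list))
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        if stanza is None or "=" not in line:
            continue  # ignore anything outside a stanza or without a key
        key, _, value = line.partition("=")
        config[stanza][key.strip()].append(value.strip())
    return config


def audit_fapi_tls(config):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    ssl = config.get("ssl", {})

    # Step 1: both legacy protocol versions must be disabled (last value wins).
    for key in ("disable-tls-v1", "disable-tls-v11"):
        values = [v.lower() for v in ssl.get(key, [])]
        if values[-1:] != ["yes"]:
            findings.append(f"[ssl] {key} must be 'yes' (found {values or 'nothing'})")

    # Step 2: every default cipher must be on the allow-list.
    ciphers = config.get("ssl-qop-mgmt-default", {}).get("default", [])
    if not ciphers:
        findings.append("[ssl-qop-mgmt-default] has no 'default' cipher entries")
    for cipher in ciphers:
        if cipher not in ALLOWED_CIPHERS:
            findings.append(f"[ssl-qop-mgmt-default] cipher not on FAPI allow-list: {cipher}")

    # Step 2.6: DHE suites only take effect with the platform-level flag.
    uses_dhe = any(c.startswith("TLS_DHE_") for c in ciphers)
    if uses_dhe and "enum:4009:1" not in ssl.get("gsk-attr-name", []):
        findings.append("[ssl] DHE ciphers configured but gsk-attr-name = enum:4009:1 is missing")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_fapi_tls(parse_webseal_config(text)) or 'OK'}")
```

Run it against a copy of the reverse proxy configuration file exported from the appliance; any finding points at the stanza and key that still needs the change from the steps above.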

Parent topic: Achieving Financial-grade API (FAPI) conformance with IBM Security Verify Access