WebSEAL Configuration
As part of FAPI conformance, the ISAM appliance supports mutual TLS (MTLS) client authentication for confidential clients.
To achieve FAPI MTLS on IBM Security Verify Access, perform the following tasks:
- Disable TLS 1.0/1.1
  - FAPI requires that the appliance strictly disallow TLS 1.0 and TLS 1.1 connections. See Step 1: Disable TLS 1.0/1.1.
- Only Allow Secure Cipher Suites
  - To ensure that IBM Security Verify Access uses only FAPI-compliant TLS versions and cipher suites, see Step 2: Allow Secure Cipher Suites.
Steps
- To disable TLS 1.0/1.1, edit the WebSEAL configuration file and set "disable-tls-v1" and "disable-tls-v11" to "yes":
  - In the Appliance Dashboard, select Web > Manage > Reverse Proxy.
  - Select the reverse proxy instance name and select Manage > Configuration > Edit Configuration File.
  - In the configuration file, set disable-tls-v1 and disable-tls-v11 to yes.
- To allow only secure cipher suites:
  - In the Appliance Dashboard, select Web > Manage > Reverse Proxy.
  - Select the reverse proxy instance name.
  - Select Manage > Configuration > Edit Configuration File.
  - In the configuration file, under the [ssl] stanza, disable TLS 1.1 and earlier:
    - disable-tls-v1 = yes
    - disable-tls-v11 = yes
  - In the configuration file, under the [ssl-qop-mgmt-default] stanza, set the default cipher suites to:
    - default = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    - default = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - default = TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    - default = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - For the appliance to use the DHE cipher suites set in the previous step, a platform-level flag must also be set. Do this by setting gsk-attr-name = enum:4009:1 under the [ssl] stanza.
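Because WebSEAL repeats the "default" key once per cipher suite, a stock ini parser collapses the list, so a configuration review needs its own parser. The following Python checker is an added example, not IBM's code, and runs over an exported reverse proxy configuration file; the hardened sample stanzas embedded in it are constructed from the steps above.

```python
from collections import defaultdict

# The four cipher suites the steps above permit under [ssl-qop-mgmt-default].
FAPI_CIPHERS = {
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def parse_webseal_conf(text):
    """Ini parse keeping repeated keys (the several 'default' lines) that configparser would collapse."""
    sections, current = defaultdict(lambda: defaultdict(list)), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()].append(value.strip())
    return sections

def fapi_tls_findings(text):
    """Deviations from the settings described above; an empty list means compliant."""
    conf = parse_webseal_conf(text)
    ssl, qop = conf.get("ssl", {}), conf.get("ssl-qop-mgmt-default", {})
    findings = []
    for key in ("disable-tls-v1", "disable-tls-v11"):
        if ssl.get(key, [])[-1:] != ["yes"]:  # the last occurrence of a key wins
            findings.append(f"[ssl] {key} must be set to yes")
    ciphers = qop.get("default", [])
    if not ciphers:
        findings.append("[ssl-qop-mgmt-default] lists no default cipher suites")
    findings += [f"[ssl-qop-mgmt-default] non-FAPI cipher: {c}"
                 for c in ciphers if c not in FAPI_CIPHERS]
    uses_dhe = any(c.startswith("TLS_DHE_") for c in ciphers)  # DHE needs the platform flag
    if uses_dhe and "enum:4009:1" not in ssl.get("gsk-attr-name", []):
        findings.append("[ssl] DHE ciphers set but gsk-attr-name = enum:4009:1 is missing")
    return findings

# Constructed sample: the relevant stanzas after applying every step on this page.
HARDENED_CONF = """[ssl]
disable-tls-v1 = yes
disable-tls-v11 = yes
gsk-attr-name = enum:4009:1
[ssl-qop-mgmt-default]
default = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
default = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
default = TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
default = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""
```

Run fapi_tls_findings() over the file exported from Manage > Configuration > Edit Configuration File; any returned string names the stanza and key that still deviates from the steps above.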
Parent topic: Achieving Financial-grade API (FAPI) conformance with IBM Security Verify Access