Configuration of QOP for individual hosts and networks

The ssl-qop-mgmt = yes stanza entry also enables any settings that appear in the [ssl-qop-mgmt-hosts] and [ssl-qop-mgmt-networks] stanzas. These stanzas allow quality of protection management by specific host/network/netmask IP address.

The [ssl-qop-mgmt-hosts] and [ssl-qop-mgmt-networks] stanzas are provided for compatibility with prior versions of WebSEAL only. It is recommended that you not use them for Security Verify Access configuration. Additionally, Internet Protocol version 6 (IPv6) addresses are not supported by these stanzas.

The [ssl-qop-mgmt-default] stanza lists the ciphers used for all IP addresses not matched in the [ssl-qop-mgmt-hosts] and [ssl-qop-mgmt-networks] stanzas.

Example configuration syntax for hosts:

[ssl-qop-mgmt-hosts]
xxx.xxx.xxx.xxx = ALL
yyy.yyy.yyy.yyy = RC2-128

Example configuration syntax for network/netmask:

[ssl-qop-mgmt-networks]
xxx.xxx.xxx.xxx/255.255.255.0 = RC4-128
yyy.yyy.yyy.yyy/255.255.0.0 = DES-56

Note the entry for an IP address specified under [ssl-qop-mgmt-hosts] takes priority over an entry for the same address in [ssl-qop-mgmt-networks]. Likewise, an entry in [ssl-qop-mgmt-networks] takes priority over an entry for the same address in [ssl-qop-mgmt-default].

If you must use [ssl-qop-mgmt-hosts] or [ssl-qop-mgmt-networks] for compatibility concerns, review the IP address settings under all stanzas to ensure that a specific IP address is not listed under more than one stanza. If an IP address is listed under more than one stanza, ensure the order of evaluation yields the desired configuration.

Parent topic: Configuring quality of protection levels