Configure quality of protection levels

We can control the default level of encryption required for access to WebSEAL over SSL (HTTPS) by configuring the quality of protection (QOP). Default quality of protection management is controlled using stanza entries in the "SSL QUALITY OF PROTECTION MANAGEMENT" section of the WebSEAL configuration file:

• Enable and disable QOP management with the ssl-qop-mgmt stanza entry.
• Specify allowed encryption levels in the [ssl-qop-mgmt-default] stanza.

Steps:

1. Enable quality of protection management:
   [ssl-qop]
   ssl-qop-mgmt = yes

2. Default encryption level for HTTPS access. The syntax is:
   default = {ALL|NONE|cipher_level}

   Supported values for cipher_level are:

   NONE, ALL, NULL, DES-56, FIPS-DES-56, DES-168, FIPS-DES-168, RC2-40, RC2-128, RC4-40, RC4-56, RC4-128, AES-128, AES-256

   The value "NONE" disables encryption.

   For example:

   [ssl-qop-mgmt-default]
   default = ALL

   Note that we can also specify a selected group of ciphers:

   [ssl-qop-mgmt-default]
   default = RC4-128
   default = RC2-128
   default = DES-168

   Notes:

   • NONE means that no SSL connection is allowed.
   • NULL means that unencrypted SSL connection is allowed.
   • ALL means that all types of SSL connections are allowed.
   • There can be multiple cipher/MAC levels made available to the connection for a given quality of protection cipher selection. These configurations will still have the same encryption bit strength, just different MAC methods (SHA1 or MD5)
   • RC2-128 is available only with SSLv2. If it is the only cipher selection, WebSEAL will disable SSLv3 and TLSv1 for the affected connection.
   • NULL, FIPS-DES-56, FIPS-DES-168, RC4-56, AES-128, and AES-256 are available only with SSLv3 and TLSv1. If they are the only ciphers available to a given connection, SSLv2 will be disabled for the affected connection.
   • AES Support is determined automatically by GSKit based on the base-crypto-library setting. AES-128 and AES-256 are available only if AES Support is enabled by GSKit, else they will be ignored.
   • FIPS-DES-56 and FIPS-DES-168 are available only when fips-mode-processing is enabled (set to yes). Otherwise they are ignored

ISAM uses GSKit 8. The Cipher specifications supported by GSKIT 8 when used in SSLv2/TLS in Internet security are:

SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA

These TLS cipher specifications are also used with SSLV3.

• Configuration of QOP for individual hosts and networks
  

Parent topic: WebSEAL-specific ACL policies