Configure WebSEAL to support only Suite B ciphers
We can configure WebSEAL to use only Suite B ciphers when negotiating an SSL connection.
Suite B is a set of cryptographic standards, protocols, and algorithms the National Security Agency (NSA) developed in 2005. This suite defines security standards for protecting classified information. NSA Suite B includes the Advanced Encryption Standard (AES) and a set of cryptographic algorithms for key exchange, digital signatures, and hashing.
Suite B meets the NSA security standards for classified government communications up to the SECRET level. For information, go to the NSA website and search for Suite B Cryptography.
Use the gsk-attr-name and jct-gsk-attr-name entries to configure WebSEAL support for Suite B ciphers. Set GSKit attribute 454 to the value 1.
The gsk-attr-name configuration entry is available in the [ssl], [dsess-cluster], and [tfim-cluster:<cluster>] stanzas. The [ssl] stanza also includes the jct-gsk-attr-name configuration entry. These stanza entries specify the additional GSKit attributes to use when initializing SSL connections as follows:
- [ssl] stanza
- The gsk-attr-name applies to SSL connections with clients.
- The jct-gsk-attr-name applies to SSL connections with junctioned servers.
- [dsess-cluster] stanza
- The gsk-attr-name applies to SSL connections with the distributed session cache.
- [tfim-cluster:<cluster>]
- The gsk-attr-name applies to SSL connections with the Federation Runtime.
Example
The following entry configures WebSEAL to use only Suite B ciphers for client connections:
[ssl] gsk-attr-name = enum:454:1
Parent topic: Web server security configuration
Related concepts
- Cryptographic hardware for encryption and key storage
- Prevention of vulnerability caused by cross-site scripting
- Prevention of Cross-site Request Forgery (CSRF) attacks
- Suppression of WebSEAL and back-end server identity
- Platform for Privacy Preferences (P3P)
Related tasks