Common Connector SSL Settings
The following sections provide descriptions and examples of common connector SSL settings.
Additional Allowed Hosts
Subject DN Validation
OCSP Revocation Checking
CRL Revocation Checking
Enabled TLS/SSL Protocols
Enabled TLS/SSL Cipher Suites
Additional Allowed Hosts
Additional Allowed Hosts is an optional feature that lets you specify extra host names to be verified alongside the primary host name set in the Remote Address field.
SSL Manager User Guide
Apply Destination Connector SSL Settings
On the Channels page, double-click a channel in the Channel list. Select the Destinations tab. In the Connector Type field, select a connector type that supports the SSL Manager (HTTP Sender, Web Service Sender, File Writer in FTP mode).

In the SSL Settings section, the SSL Manager is inactive. If you populate the URL field in the HTTP Sender Settings section, the field turns yellow with a Lock icon next to the URL. If you move the pointer over the Lock icon, a tool tip appears that explains the reason for the locked state. (Selecting the Lock icon opens a window with the same content as the tool tip.)

Figure: Adding a URL while the Manager is Inactive

In the SSL Settings section, set the Use SSL Manager field to Yes to clear the locked condition and enable all security options and two-way authentication. (The URL field turns green to reflect the change.)

Figure: Enabling SSL Manager

Select the wrench icon to open the SSL Settings window.

Items on the SSL Settings Window: Item, Name, Default Value, Descrip
Apply Source Connector SSL Settings
On the Channels page, double-click a channel in the Channel list. Select the Source tab. In the Connector Type field, select a connector type that supports the SSL Manager (for example, HTTP Listener, Web Service Listener, File Reader in FTP mode). In the SSL Settings section, set the Enable field to Yes.

Figure: Enabling SSL Settings

Select the wrench icon to open the SSL Settings window.

Items on the SSL Settings Window
A. My Server Certificate (default: None). Select the local certificate used to identify this listener connector. For additional information, see My Server Certificate.
B. Client Authentication (default: Disabled).
   Disabled: No client authentication is requested.
   Request: A client certificate is requested but not required. If the client presents a certificate, it will be used for extra security.
   Require: A client certificate is required. If the client does not present a certificate, the handshake will fail.
C. Client Certificate Validation (default: Enabled). If enabled, only the certi
Settings
Certificate DN Regex (optional) settings

Validation Errors: Select the type of errors you want this alert to trigger on.
Expired: Triggers when a certificate has expired or is about to expire. If this option is checked, the Cert Expiration Settings below will be used.
Revoked by CRL: Triggers when a channel/connector has CRL Revocation Checking enabled and encounters a certificate that has been revoked according to the CRL.
Revoked by OCSP: Triggers when a channel/connector has OCSP Revocation Checking enabled and encounters a certificate that has been revoked according to the OCSP provider.
DN Rejected: Triggers when a channel/connector has Subject DN Validation enabled and encounters a certificate that has been rejected due to an incorrect Subject DN.

Cert Expiration Settings: These settings are used when the Expired error type is enabled.
Time Until Expiration: The amount of time (for example, 7d) before a certificate expires at which to trigger the alert. Only valid down to a minute-level pre
OCSP Revocation Checking
If enabled, the Online Certificate Status Protocol (OCSP) will be used to check all local and remote certificates. The issuer of the response certificate must also be trusted in order to verify signatures.

Figure: OCSP Enabled option on the SSL Settings window

Select the wrench icon to open the OCSP Settings window.

Figure: OCSP Settings window with OCSP Responder URI field and Hard Fail option

OCSP Responder URI: This setting is optional. If specified, this responder URI will be used in addition to any certificate Authority Information Access extensions when checking for OCSP revocation. Only HTTP URIs are supported.

Hard Fail: When enabled, this connector depends on the remote OCSP provider. If an OCSP response cannot be retrieved or verified for any reason, all connections will fail revocation checks. Use this option if you need very strict OCSP security settings, at the cost of depending on the reliability of the public OCSP server.
Subject DN Validation
If enabled, only client certificates with subject distinguished names (DNs) matching the given list will be allowed. If a client certificate not matching any of the trusted DNs is presented, the SSL connection / handshake will fail.

Figure: Subject DN Validation option on the SSL Settings window

Select the wrench icon to open the Trusted Subject DNs window.

Figure: Set Trusted Certificate Subject DNs window

Select the New / Delete buttons to add or remove entries. For each Trusted Subject DN entry, configure the following:

Distinguished Name: The full or partial distinguished name (DN) to trust. This will be matched against the Subject DN of the remote certificate.

Full Match: If enabled, all components (RDNs) configured here must match the ones in the certificate, and the subject DN cannot have any additional components. If disabled, the components configured here are only considered a required subset, and the subject DN may have additional components.
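The Full Match versus required-subset rule above, worked through in code. This is an added example, not the SSL Manager's own implementation; it assumes RFC 4514 style DN strings, case-insensitive comparison, order-insensitive components and no multi-valued (`+`) RDNs, and the certificate subject and trusted entries are constructed sample data.

```python
"""Subject DN Validation with the Full Match option (added example, not
SSL Manager code). Assumes RFC 4514 style DN strings, case-insensitive
comparison, order-insensitive components and no multi-valued ('+') RDNs."""
import re
from collections import Counter
from typing import List, Tuple

_RDN_SPLIT = re.compile(r"(?<!\\),")  # commas not escaped by a backslash


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into normalised (ATTRIBUTE, value) pairs."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",").lower()))
    return rdns


def dn_matches(cert_subject: str, trusted_dn: str, full_match: bool) -> bool:
    """Apply one Trusted Subject DN entry to a certificate subject.
    Full Match: all configured RDNs present and no extra components allowed.
    Otherwise:  configured RDNs are a required subset; extras are allowed."""
    cert, trusted = Counter(parse_dn(cert_subject)), Counter(parse_dn(trusted_dn))
    if not trusted:
        return False  # an empty entry must never trust every certificate
    if full_match:
        return cert == trusted
    return all(cert[rdn] >= n for rdn, n in trusted.items())


def validate_subject_dn(cert_subject: str, entries: List[Tuple[str, bool]]) -> bool:
    """The handshake may proceed only if the subject matches some entry."""
    return any(dn_matches(cert_subject, dn, full) for dn, full in entries)


# Constructed sample: one client certificate subject, two configured entries.
CLIENT_SUBJECT = "CN=hl7-gateway, OU=Integration, O=Example Hospital, C=US"
TRUSTED_ENTRIES = [
    ("OU=Integration, O=Example Hospital", False),   # partial DN, subset match
    ("CN=billing, O=Example Hospital, C=US", True),  # full DN, exact match only
]

if __name__ == "__main__":
    print(validate_subject_dn(CLIENT_SUBJECT, TRUSTED_ENTRIES))  # True, via entry 1
```

Note that the same partial entry fails once Full Match is turned on, because the subject carries CN and C components the entry does not list.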
CRL Revocation Checking
If enabled, Certificate Revocation List (CRL) checking will be done on all local and remote certificates. The issuer of the CRL must also be included in your trusted certificates in order to verify signatures.

Figure: CRL Enabled option on the SSL Settings window

Select the wrench icon to open the CRL Settings window.

Figure: CRL Settings window with CRL URI field and Hard Fail option

CRL URI: This setting is optional. If specified, this URI will be used in addition to any certificate CRL Distribution Points when checking for revocation. HTTP, File, FTP, or LDAP URIs are supported.

Hard Fail: When enabled, this connector depends on the remote CRL provider. If a CRL cannot be downloaded or verified for any reason, all connections will fail revocation checks.