Chapter 4. Securing communication channels with SSL
4.1 SSL for transport level security
4.1.1 Crypto profile
A crypto profile identifies a collection of SSL resources that support SSL connections with remote peer devices. To configure a crypto profile:
1. From the navigation bar, select OBJECTS→ Crypto Menu → Crypto Profile.
2. On the Crypto Profile Catalog page (Figure 4-1 on page 107), which provides a list of all current crypto profiles, specify the following values:
a. For Identification Credentials, optionally from the list, select the Identification Credentials Set that is assigned to this crypto profile.
The Identification Credentials Set provides the public key infrastructure (PKI) certificate or key pair that is used to authenticate the device during the SSL handshake. Retain the default value (none) if you are not assigning an Identification Credentials Set to the crypto profile. Click the + and … buttons to create a new Identification Credentials Set or to edit an existing one.
In this crypto profile, we use the name itsoIDCred.
b. For Validation credentials, optionally from the list, select the Validation Credentials List that is assigned to this crypto profile. In our crypto profile, we used itsovalid.
c. For Ciphers, identify the symmetric key encryption algorithms that are supported by this crypto profile. Refer to the DataPower reference documentation listed in “Other publications” on page 185 for more information.
d. For Options, select the appropriate check box to disable support for SSL versions and variants. By default, SSL Versions 2 and 3 are supported, along with Transport Layer Security (TLS) Version 1.
e. For Send Client CA List, select On to enable transmission of a Client CA List during the SSL handshake. The default is Off, which disables transmission of a Client CA List.
Reverse SSL proxy: Assignment of a Validation Credentials List is only meaningful when the crypto profile supports a reverse (or server) SSL proxy. The assignment of a Validation Credentials List to a reverse SSL proxy forces the proxy to require a certificate from all requesting clients.
Figure 4-1 Configuration of the crypto profile
Crypto Identification Credentials
A Crypto Identification Credentials set consists of a Crypto Key object and a Crypto Certificate object. An identification credentials set identifies the matched public key cryptography public and private keys that are used by an entity for SSL authentication. An identification credentials set may also be used in document encryption, document decryption, and digital signature operations as shown in the following example:
1. From the navigation bar, select OBJECTS→ Crypto → Crypto Identification Credentials. The Crypto catalog (Figure 4-2) lists all current identification credentials sets.
2. Click Add.
3. On the Configure Crypto Identification Credentials page (Figure 4-3), specify the following values:
a. For Crypto Key, from the list, select the Crypto Key object that is used by this identification credentials set. You can click the + and … buttons to create a new Crypto Key object or to edit a Crypto Key object.
b. For Certificate, from the list, select the Crypto Certificate object that is used by this identification credentials set. You can click the + and … buttons to create a new Crypto Certificate object or to edit a Crypto Certificate object.
c. For Intermediate CA Certificate, if necessary, click the Delete and Add buttons, in conjunction with a list of available Crypto Certificate objects, to establish a verifiable trust chain that consists of one or more Certification Authority (CA) certificates. The trust chain provides a linked path from the certificate that is contained in the Identification Credentials Set to a CA that is trusted by a remote device, thus enabling the device to authenticate the certificate.
Intermediate CA certificates might be necessary when the CA that is signing this certificate is not widely-recognized. If the intermediate CA certificate is also signed by a less recognized CA, an additional intermediate CA certificate might be required for that CA. You can specify as many intermediate certificates as may be required.
Crypto Validation Credentials
A Crypto Validation Credentials list consists of a list of Crypto Certificate objects. Validation credentials lists are used to validate the authenticity of received certificates and digital signatures. From the navigation bar, select OBJECTS→ Crypto → Crypto Validation Credentials. The Crypto catalog provides a list of all current validation credentials.
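The two settings above (the Intermediate CA Certificate list in an identification credentials set, and the Validation Credentials list a reverse SSL proxy checks client certificates against) both come down to walking issuer links until a trusted CA is reached. The following added example is not DataPower code; it models certificates as (subject, issuer) name pairs with constructed ITSO-style names and performs no signature verification, so it only illustrates the chain-ordering and "missing intermediate" logic.

```python
"""Model of the trust-chain logic behind the Intermediate CA Certificate and
Validation Credentials settings. Certificates are reduced to (subject, issuer)
names; no real X.509 parsing or signature checking is performed (assumption)."""

from typing import Dict, List, Optional, Tuple

Cert = Tuple[str, str]  # (subject, issuer); a root CA has subject == issuer


def build_chain(leaf: Cert, intermediates: List[Cert],
                peer_trusted: List[str]) -> Tuple[List[Cert], Optional[str]]:
    """Order the leaf plus intermediates into the chain the device presents.

    Follows issuer links until an issuer the remote peer already trusts is
    reached. Returns (chain, missing): `missing` is None on success, otherwise
    the first issuer that is neither an available intermediate nor trusted by
    the peer, i.e. the extra intermediate CA certificate that must be added.
    """
    by_subject: Dict[str, Cert] = {c[0]: c for c in intermediates}
    chain, seen = [leaf], {leaf[0]}
    while True:
        issuer = chain[-1][1]
        if issuer in peer_trusted:
            return chain, None
        nxt = by_subject.get(issuer)
        if nxt is None or nxt[0] in seen:  # no intermediate for this issuer, or a loop
            return chain, issuer
        seen.add(nxt[0])
        chain.append(nxt)


def validate_received(chain: List[Cert], validation_credentials: List[str]) -> bool:
    """Reverse SSL proxy side: accept a presented chain only if every link is
    consistent and it ends at a certificate named in the validation list."""
    if not chain:
        return False
    for i, (subject, issuer) in enumerate(chain):
        if subject in validation_credentials:   # exact certificate match
            return True
        if i + 1 < len(chain) and chain[i + 1][0] != issuer:
            return False                        # broken issuer link
    return issuer in validation_credentials     # last issuer must be a trusted CA


if __name__ == "__main__":
    # Constructed sample: leaf signed by an issuing CA, itself under a policy CA.
    leaf = ("CN=itso-gateway", "CN=ITSO Issuing CA")
    inter = [("CN=ITSO Issuing CA", "CN=ITSO Policy CA"),
             ("CN=ITSO Policy CA", "CN=ITSO Root CA")]
    print(build_chain(leaf, inter, ["CN=ITSO Root CA"]))       # full chain, None
    print(build_chain(leaf, inter[:1], ["CN=ITSO Root CA"]))   # missing Policy CA
```

Running the block with only the first intermediate configured reports "CN=ITSO Policy CA" as missing, which is the situation described above where a second intermediate CA certificate must be added.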
HTTPS Front Side Handler
After you create a crypto profile, you must create an HTTPS (SSL) Front Side Handler to handle HTTPS protocol communications with multiprotocol gateway clients. To configure the HTTPS Front Side Handler:
1. From the navigation bar, select OBJECTS→ Protocol Handlers → HTTPS Front Side Handler. On the HTTPS (SSL) Front Side Handler catalog, you see a list of all current HTTPS Front Side Handlers.
2. Click Add.
3. On the HTTPS (SSL) Front Side Handler Configuration page (Figure 4-4), complete the following steps:
a. Accept the defaults for all parameters, except for SSL Proxy, for which you must create a new SSL proxy object.
b. For Port Number, enter the port on which you want this front-side handler to listen.
c. For Local IP Address, specify the address on which the service listens. The default of 0.0.0.0 indicates that the service is active on all addresses. Click Select Alias to use an alias for this value. Local host aliases help to ease migration tasks between machines.
d. Click Apply to write HTTPS Front Side Handler properties to the running configuration. You return to the HTTPS (SSL) Front Side Handler Catalog (Figure 4-4 on page 109), which now lists the newly configured front side handler.
4. Click Save Config to save the HTTPS Front Side Handler properties to the persistent startup configuration.