Oracle iPlanet Web Proxy Server 4.0.14 Administration Guide

Enabling Security for Listen Sockets

You can secure your server’s listen sockets by doing the following:


Note –

You can enable security only in reverse proxy mode and not in forward proxy mode.


Turning Security On

You must turn security on before you can configure the other security settings for your listen socket. You can turn security on when you create a new listen socket or edit an existing one.

Procedure: To Turn Security On When Creating Listen Sockets

  1. Access either the Administration Server or the Server Manager and click the Preferences tab.

  2. Click the Add Listen Socket link.

  3. Provide the required information.


    Note –

    Use the Edit Listen Sockets link to configure the security settings after a listen socket has been created.


  4. To turn security on, select Enabled from the Security drop-down list, and then click OK.

    If a server certificate has not been installed, your only choice will be Disabled. For more information about specific settings, see the online Help.

Procedure: To Turn Security On When Editing Listen Sockets

  1. Access either the Administration Server or the Server Manager and click the Preferences tab.

  2. Click the Edit Listen Sockets link.

  3. Click the link for the listen socket you want to edit.

  4. Select Enabled from the Security drop-down list, and click OK.

    If a server certificate has not been installed, your only choice will be Disabled.

Selecting Server Certificates for Listen Sockets

You can configure listen sockets in either the Administration Server or the Server Manager to use server certificates you have requested and installed.


Note –

At least one certificate must be installed.


Procedure: To Select a Server Certificate for a Listen Socket

  1. Access either the Administration Server or the Server Manager and click the Preferences tab.

  2. Click the Edit Listen Sockets link.

  3. Click the link for the listen socket you want to edit.

  4. Select Enabled from the Security drop-down list, and click OK.

    If a server certificate has not been installed, your only choice will be Disabled.

  5. Select a server certificate from the drop-down Server Certificate Name list for the listen socket, and then click OK.

Selecting Ciphers

To protect the security of the Proxy Server, you should enable SSL. You can enable the SSL 2.0, SSL 3.0, and TLS encryption protocols and select the various cipher suites. The SSL and TLS protocols can be enabled on the listen socket for the Administration Server. Enabling SSL and TLS on a listen socket for the Server Manager sets those security preferences for specific server instances. At least one certificate must be installed.


Note –

Enabling SSL on a listen socket applies only when the Proxy Server is configured to perform reverse proxying.


The default settings allow the most commonly used ciphers. Unless you have a compelling reason for not using a specific cipher suite, you should select them all.

The default and recommended setting for TLS Rollback is Enabled. This setting configures the server to detect “man-in-the-middle version rollback” attack attempts. Setting TLS Rollback to Disabled might be required for interoperability with some clients that incorrectly implement the TLS specification.

Disabling TLS Rollback leaves connections vulnerable to version rollback attacks. In a version rollback attack, a third party on the network path forces a client and server to communicate using an older, less secure protocol such as SSL 2.0. Because the SSL 2.0 protocol has known deficiencies, failing to detect version rollback attempts makes intercepting and decrypting encrypted connections easier for that third party.
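The following is an added illustration of how the rollback check works for SSL 3.0 and later; it is a simplified model written for this page, not code from iPlanet Web Proxy Server. The mechanism it models is the one defined for the RSA key exchange (RFC 5246, section 7.4.7.1): the client repeats the version it offered in its ClientHello inside the encrypted PreMasterSecret, and a server with rollback detection enabled compares that copy with the version it saw on the wire. The version tuples, function names and the `rewrite_hello_to` parameter are constructed for the example; real encryption is replaced by the assumption that the premaster secret cannot be altered in transit.

```python
"""Toy model of the SSL 3.0/TLS version-rollback check (added illustration,
not iPlanet Web Proxy Server code).

In an RSA key exchange the client repeats the protocol version it offered in
ClientHello inside the encrypted PreMasterSecret (RFC 5246, section 7.4.7.1).
Because that copy is encrypted to the server's public key, a party on the
wire can rewrite the plaintext ClientHello but not the copy. A server with
rollback detection enabled compares the two; a mismatch means the offered
version was lowered in transit.
"""
from dataclasses import dataclass
import os

SSL3 = (3, 0)   # version numbers as carried on the wire (major, minor)
TLS1 = (3, 1)
NAMES = {SSL3: "SSL 3.0", TLS1: "TLS 1.0"}


class RollbackDetected(Exception):
    """Raised by the server when the two version copies disagree."""


@dataclass(frozen=True)
class ClientHello:
    client_version: tuple   # highest version the client is willing to use


@dataclass(frozen=True)
class PreMasterSecret:
    client_version: tuple   # copy of the ClientHello version the client sent
    random: bytes           # 46 random bytes in a real handshake


def client_offer(client_max):
    return ClientHello(client_max)


def client_key_exchange(sent_hello):
    # The client copies the version from the hello *it* sent, not from
    # anything it later learns from the server, so a rewritten hello
    # cannot influence this value.
    return PreMasterSecret(sent_hello.client_version, os.urandom(46))


def server_choose_version(received_hello, server_max):
    # The server picks the highest version both sides support.
    return min(received_hello.client_version, server_max)


def server_verify_pms(received_hello, pms, rollback_detection):
    # Only the server can decrypt the premaster secret, so this comparison
    # sees the client's genuine offer even if the hello was tampered with.
    if rollback_detection and pms.client_version != received_hello.client_version:
        raise RollbackDetected(
            f"client offered {NAMES[pms.client_version]} but the hello on the "
            f"wire said {NAMES[received_hello.client_version]}")


def handshake(client_max, server_max, rollback_detection=True, rewrite_hello_to=None):
    """Run the handshake and return the negotiated version.

    rewrite_hello_to (constructed parameter) models a party on the path
    lowering the version field of the ClientHello before the server sees it.
    """
    sent = client_offer(client_max)
    received = ClientHello(rewrite_hello_to) if rewrite_hello_to else sent
    version = server_choose_version(received, server_max)
    pms = client_key_exchange(sent)            # travels encrypted, unaltered
    server_verify_pms(received, pms, rollback_detection)
    return version


def outcome(client_max, server_max, rollback_detection=True, rewrite_hello_to=None):
    """Return the negotiated version name, or 'rollback detected'."""
    try:
        return NAMES[handshake(client_max, server_max, rollback_detection, rewrite_hello_to)]
    except RollbackDetected:
        return "rollback detected"


if __name__ == "__main__":
    print(outcome(TLS1, TLS1))                         # TLS 1.0
    print(outcome(SSL3, TLS1))                         # SSL 3.0 (old client, no alarm)
    print(outcome(TLS1, TLS1, rewrite_hello_to=SSL3))  # rollback detected
    print(outcome(TLS1, TLS1, False, SSL3))            # SSL 3.0 (check disabled)
```

The last two calls show the two settings the page describes: with the check enabled, a hello whose version was lowered in transit is rejected; with it disabled (the interoperability setting), the same connection silently completes at the lower version. A client that genuinely supports only SSL 3.0 passes in both modes, since its two version copies agree.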

Procedure: To Enable SSL and TLS

  1. Access either the Administration Server or the Server Manager and click the Preferences tab.

  2. Click the Edit Listen Sockets link, and then click the link for the listen socket you want to edit.

    For a secure listen socket, the available cipher settings are displayed.

    If security is not enabled on the listen socket, no SSL and TLS information is listed. To work with ciphers, ensure that security is enabled on the selected listen socket. For more information, see Enabling Security for Listen Sockets.

  3. Select the checkboxes corresponding to the required encryption settings and click OK.

  4. Select both TLS and SSL 3.0 for Netscape Navigator 6.0. For TLS Rollback, also select TLS, and make sure that both SSL 3.0 and SSL 2.0 are disabled.

    Once SSL has been enabled on a server, its URLs use https instead of http. URLs that point to documents on an SSL-enabled server are formatted as https://servername.domain.dom:port, for example, https://admin.example.com:443.

    If you use the default secure HTTP port (443), you do not need to enter the port number in the URL.