You can secure your server's listen sockets by doing the following:
- Turning security on
- Selecting a server certificate for the listen socket
- Selecting ciphers
You can enable security only in reverse proxy mode and not in forward proxy mode.
You must turn security on before you can configure the other security settings for your listen socket. You can turn security on when you create a new listen socket or edit an existing one.
To turn security on when creating a new listen socket:
1. Access either the Administration Server or the Server Manager and click the Preferences tab.
2. Click the Add Listen Socket link.
3. Enter the required information.
4. To turn security on, select Enabled from the Security drop-down list, and then click OK. Note that if a server certificate has not been installed, your only choice is Disabled. For more information about specific settings, see the online Help.
To configure the security settings of a listen socket that has already been created, use the Edit Listen Sockets link:
1. Access either the Administration Server or the Server Manager and click the Preferences tab.
2. Click the Edit Listen Sockets link.
3. Click the link for the listen socket you want to edit.
4. To turn security on, select Enabled from the Security drop-down list, and then click OK. Note that if a server certificate has not been installed, your only choice is Disabled.
You can configure listen sockets in either the Administration Server or the Server Manager to use server certificates you have requested and installed. At least one certificate must be installed.
1. Access either the Administration Server or the Server Manager and click the Preferences tab.
2. Click the Edit Listen Sockets link.
3. Click the link for the listen socket you want to edit.
4. To turn security on, select Enabled from the Security drop-down list, and then click OK. Note that if a server certificate has not been installed, your only choice is Disabled.
5. After selecting Enabled and clicking OK, select a server certificate from the Server Certificate Name drop-down list for the listen socket, and then click OK.
To protect the security of your Proxy Servers, you should enable SSL. You can enable the SSL 2.0, SSL 3.0, and TLS encryption protocols and select the various cipher suites. The SSL and TLS protocols can be enabled on the listen socket for the Administration Server. Enabling SSL and TLS on a listen socket for the Server Manager sets those security preferences for specific server instances. At least one certificate must be installed.
Enabling SSL on a listen socket applies only in a reverse proxy scenario, that is, only when the Proxy Server is configured to perform reverse proxying.
The default settings allow the most commonly used ciphers. Unless you have a compelling reason for not using a specific cipher suite, you should select them all. For more information regarding specific ciphers, see Introduction to SSL.
The default and recommended setting for TLS Rollback is Enabled. This configures the server to detect man-in-the-middle version rollback attack attempts. Setting this to Disabled may be required for interoperability with some clients that incorrectly implement the TLS specification.
Note that disabling TLS Rollback leaves connections vulnerable to version rollback attacks. Version rollback attacks are a mechanism by which a third party can force a client and server to communicate using an older, less secure protocol such as SSL 2.0. Because there are known deficiencies in the SSL 2.0 protocol, failing to detect version rollback attack attempts makes it easier for a third party to intercept and decrypt encrypted connections.
To select ciphers for a listen socket:
1. Access either the Administration Server or the Server Manager and click the Preferences tab.
2. Click the Edit Listen Sockets link, and then click the link for the listen socket you want to edit.
3. For a secure listen socket, the available cipher settings are displayed. If security is not enabled on the listen socket, no SSL and TLS information is listed. To work with ciphers, ensure that security is enabled on the selected listen socket. For more information, see Enabling Security for Listen Sockets.
4. Select the checkboxes corresponding to the required encryption settings and click OK.
Select both TLS and SSL 3.0 for Netscape Navigator 6.0. For TLS Rollback, also select TLS, and make sure both SSL 3.0 and SSL 2.0 are disabled.
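As an added example (not part of the original documentation or the product), the following Python audit checks a listen socket's recorded security settings against the rules given above: security only in reverse proxy mode and only with an installed, selected server certificate; SSL 2.0 left disabled; and TLS Rollback kept Enabled with TLS on and SSL 2.0 and SSL 3.0 off. The field names and the sample configurations are constructed for this example and are not the product's own configuration keys.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ListenSocketSecurity:
    """Security settings of one listen socket. Field names are hypothetical,
    chosen for this example; they are not the product's configuration keys."""
    name: str
    reverse_proxy: bool           # security applies only in reverse proxy mode
    security_enabled: bool        # the Security drop-down: Enabled / Disabled
    certificate_installed: bool   # a server certificate has been installed
    server_certificate: Optional[str]  # Server Certificate Name selection
    ssl2: bool                    # SSL 2.0 checkbox
    ssl3: bool                    # SSL 3.0 checkbox
    tls: bool                     # TLS checkbox
    tls_rollback: bool            # TLS Rollback (default and recommended: Enabled)


def audit_listen_socket(s: ListenSocketSecurity) -> List[str]:
    """Return findings where the settings contradict the guidance above."""
    findings = []
    if s.security_enabled and not s.reverse_proxy:
        findings.append("security can only be enabled in reverse proxy mode")
    if s.security_enabled and not s.certificate_installed:
        findings.append("Enabled requires an installed server certificate")
    if s.security_enabled and not s.server_certificate:
        findings.append("no server certificate selected for the listen socket")
    if not s.security_enabled:
        return findings  # no SSL/TLS settings are listed for an insecure socket
    if s.ssl2:
        findings.append("SSL 2.0 enabled: protocol has known deficiencies")
    if not s.tls:
        findings.append("TLS disabled")
    if not s.tls_rollback:
        findings.append("TLS Rollback Disabled: version rollback not detected")
    elif s.ssl2 or s.ssl3:
        findings.append("TLS Rollback needs SSL 2.0 and SSL 3.0 disabled")
    return findings


# Constructed sample configurations (not taken from any real server).
WEAK = ListenSocketSecurity("ls1", True, True, True, "Server-Cert",
                            ssl2=True, ssl3=True, tls=True, tls_rollback=False)
HARDENED = ListenSocketSecurity("ls1", True, True, True, "Server-Cert",
                                ssl2=False, ssl3=False, tls=True, tls_rollback=True)

if __name__ == "__main__":
    for cfg in (WEAK, HARDENED):
        print(cfg.name, audit_listen_socket(cfg) or ["ok"])
```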
Once SSL has been enabled on a server, its URLs use https instead of http. URLs that point to documents on an SSL-enabled server have this format:
https://servername.domain.dom:port
For example, https://admin.example.com:443.
If you use the default secure HTTP port (443), you do not need to enter the port number in the URL.