Security

The WAAPI client has a number of security features that help to protect the confidentiality and integrity of the data it exchanges with the Web GUI server.

WAAPI provides three ways to protect the data that it exchanges with the server:

  • Securing the connection to the server
  • Password encryption
  • Protecting the WAAPI properties file

Secure Connections to the Web GUI server

In place of an unprotected HTTP connection, you can set up a secure connection with the Web GUI server using SSL/TLS. With server-only authentication, the WAAPI client verifies the server's certificate; with server and client authentication, the server also verifies a certificate presented by the WAAPI client. You can set up this connection in any of the following ways:

  • Server-only authentication without FIPS 140-2
  • Server and client authentication without FIPS 140-2
  • Server-only authentication with FIPS 140-2
  • Server and client authentication with FIPS 140-2

Enabling NIST SP800-131a encryption

You can configure the Web GUI to support the National Institute of Standards and Technology (NIST) SP800-131a security standard. SP800-131a requires longer key lengths and stronger cryptography than other standards such as FIPS 140-2, for example, RSA keys of at least 2048 bits and certificate signatures that use SHA-256 or stronger digests. SP800-131a requires Transport Layer Security (TLS) V1.2.

You can run SP800-131a in two modes: transition and strict. Use the transition mode to move gradually towards strict enforcement of SP800-131a. The transition mode allows weaker keys and algorithms than strict enforcement, and it also allows TLS V1.0 and V1.1. As a consequence, transition mode is useful when you upgrade security settings from FIPS 140-2, because you can continue to use existing FIPS 140-2 compliant certificates until you have replaced them with certificates that meet the strict requirements.
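The following Python script is an added example, not part of WAAPI or the Web GUI. It classifies an observed TLS session as strict-compliant, acceptable only in transition mode, or non-compliant, using the thresholds described above (TLS V1.2, keys of at least 2048 bits and SHA-256 or stronger signature digests for strict mode; TLS V1.0/V1.1, 1024-bit keys and SHA-1 tolerated during transition). The session values would normally come from `ssl.SSLSocket.version()` and `.cipher()` plus the server certificate; the sessions embedded here are constructed samples, and the cipher-suite marker lists are an assumption about OpenSSL naming rather than anything the Web GUI documents.

```python
# Added example (not WAAPI or Web GUI code): classify TLS sessions against the
# SP800-131a strict and transition profiles.
from dataclasses import dataclass

STRICT_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
TRANSITION_PROTOCOLS = STRICT_PROTOCOLS | {"TLSv1", "TLSv1.1"}
STRICT_HASHES = {"sha256", "sha384", "sha512"}
TRANSITION_HASHES = STRICT_HASHES | {"sha1"}
# Cipher-suite name fragments (OpenSSL naming, assumed) that are never allowed.
DISALLOWED_CIPHER_MARKERS = ("RC4", "MD5", "NULL", "EXP-", "ANON", "ADH", "AECDH", "DES-CBC-")
# Three-key 3DES was tolerated in transition but is not strict-compliant.
LEGACY_CIPHER_MARKERS = ("3DES", "DES-CBC3")
MIN_STRICT_KEY_BITS = 2048
MIN_TRANSITION_KEY_BITS = 1024


@dataclass
class TlsSession:
    protocol: str         # as returned by ssl.SSLSocket.version(), e.g. "TLSv1.2"
    cipher: str           # OpenSSL cipher name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    server_key_bits: int  # size of the public key in the server certificate
    signature_hash: str   # digest used in the certificate signature, e.g. "sha256"


def classify(s: TlsSession) -> str:
    """Return 'strict', 'transition' or 'non-compliant' for one session."""
    name = s.cipher.upper()
    if any(m in name for m in DISALLOWED_CIPHER_MARKERS):
        return "non-compliant"
    legacy_cipher = any(m in name for m in LEGACY_CIPHER_MARKERS)
    digest = s.signature_hash.lower()
    if (s.protocol in STRICT_PROTOCOLS
            and s.server_key_bits >= MIN_STRICT_KEY_BITS
            and digest in STRICT_HASHES
            and not legacy_cipher):
        return "strict"
    if (s.protocol in TRANSITION_PROTOCOLS
            and s.server_key_bits >= MIN_TRANSITION_KEY_BITS
            and digest in TRANSITION_HASHES):
        return "transition"
    return "non-compliant"


def blockers_for_strict(s: TlsSession) -> list:
    """List everything that must change before this session passes strict mode."""
    problems = []
    if s.protocol not in STRICT_PROTOCOLS:
        problems.append(f"protocol {s.protocol}: strict mode requires TLS V1.2")
    if s.server_key_bits < MIN_STRICT_KEY_BITS:
        problems.append(f"server key {s.server_key_bits} bits < {MIN_STRICT_KEY_BITS}")
    if s.signature_hash.lower() not in STRICT_HASHES:
        problems.append(f"certificate signature digest {s.signature_hash} is too weak")
    name = s.cipher.upper()
    if any(m in name for m in DISALLOWED_CIPHER_MARKERS + LEGACY_CIPHER_MARKERS):
        problems.append(f"cipher suite {s.cipher} is not permitted")
    return problems


# Constructed sample sessions; not captured from a real Web GUI server.
SAMPLE_SESSIONS = {
    "fips_legacy_cert": TlsSession("TLSv1", "AES128-SHA", 1024, "sha1"),
    "upgraded_cert_old_tls": TlsSession("TLSv1.1", "AES256-SHA", 2048, "sha256"),
    "strict_ready": TlsSession("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", 2048, "sha256"),
    "rc4_session": TlsSession("TLSv1.2", "RC4-SHA", 2048, "sha256"),
}


def audit(sessions=None) -> dict:
    """Map each session name to its SP800-131a classification."""
    sessions = SAMPLE_SESSIONS if sessions is None else sessions
    return {name: classify(s) for name, s in sessions.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
        for problem in blockers_for_strict(SAMPLE_SESSIONS[name]):
            print(f"   - {problem}")
```

The `fips_legacy_cert` and `upgraded_cert_old_tls` samples show why transition mode is the migration path: both pass in transition mode, and `blockers_for_strict` names the single remaining change (a new certificate, or TLS V1.2) needed before switching to strict.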

Password encryption

Whether or not you use a secure connection, WAAPI can encrypt the passwords that it uses. Over an unprotected HTTP connection, AES password encryption is available. Over a secure connection, you can specify AES or FIPS 140-2 encryption. When the connection itself uses FIPS 140-2, only FIPS 140-2 password encryption is available.

Protecting the WAAPI properties file

The WAAPI properties file (waapi.init) contains sensitive data. For example, it often holds the user name and password of the administrative user under which WAAPI requests run on the server. Keep this data away from unauthorized users and make it available only to administrators: use the access control mechanisms of the operating system, such as file ownership and permissions, to restrict access to the file to the administrative account.
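The following Python script is an added example, not part of WAAPI, that checks whether a waapi.init file is protected by operating-system access controls on a POSIX host and tightens its mode if not. It also lists which properties in the file hold a credential value, so you can confirm they are stored in encrypted form. The sample file it writes is constructed for illustration and the property names in it are assumed, not taken from a real waapi.init.

```python
# Added example (not WAAPI code): audit and harden the access controls on
# waapi.init. Assumes a POSIX host (os.getuid, pwd, stat mode bits).
import os
import pwd
import re
import stat
import tempfile

# Property keys that contain "password" and carry a non-empty value.
CREDENTIAL_KEY = re.compile(r"^\s*([^#=\s]*password[^=\s]*)\s*=\s*(\S.*)$", re.IGNORECASE)

# Constructed sample; the property names are illustrative assumptions.
SAMPLE_WAAPI_INIT = """# constructed sample waapi.init, not a real file
waapi.user=webguiadmin
waapi.password=Secr3t!
waapi.host=webgui.example.com
waapi.port=16311
"""


def check_properties_file(path: str, allowed_uids=None) -> list:
    """Return access-control findings; an empty list means the file is adequately protected.

    allowed_uids defaults to the current user; pass the uids of the administrative
    accounts that are permitted to own the file.
    """
    allowed = {os.getuid()} if allowed_uids is None else set(allowed_uids)
    findings = []

    if stat.S_ISLNK(os.lstat(path).st_mode):
        findings.append("file is a symbolic link; check the link target instead")
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {oct(mode)} grants group/other access; expected 0o600")
    if st.st_uid not in allowed:
        owner = pwd.getpwuid(st.st_uid).pw_name
        findings.append(f"owned by {owner} (uid {st.st_uid}), not an administrative account")

    # A world-writable parent directory without the sticky bit lets any local
    # user replace the file, whatever the file's own mode says.
    parent = os.path.dirname(os.path.abspath(path))
    pmode = os.stat(parent).st_mode
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        findings.append(f"parent directory {parent} is world-writable without the sticky bit")
    return findings


def credential_properties(path: str) -> list:
    """Return (line number, property name) for every property that holds a credential."""
    found = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = CREDENTIAL_KEY.match(line)
            if m:
                found.append((lineno, m.group(1)))
    return found


def harden_properties_file(path: str) -> int:
    """Remove group/other permissions; return the resulting mode bits."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_sample_file() -> str:
    """Write the constructed sample into a private temp dir with a too-open mode."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "waapi.init")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_WAAPI_INIT)
    os.chmod(path, 0o644)
    return path


if __name__ == "__main__":
    sample = write_sample_file()
    print("before:", check_properties_file(sample))
    print("credentials:", credential_properties(sample))
    print("hardened to:", oct(harden_properties_file(sample)))
    print("after:", check_properties_file(sample))
```

Run it against the real file as `check_properties_file("/path/to/waapi.init", allowed_uids={0})` from a scheduled job; any non-empty result is the signal to re-apply the ownership and mode settings.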