Question & Answer
Question
How to migrate from TLS Proxy Profile to the appropriate TLS client and TLS server profiles.
Answer
A TLS client profile defines a TLS client with associated identification credentials to support a TLS client connection from the appliance. Identification credentials are in a Crypto Identification Credential configuration. This profile also specifies:
- Server validation options.
- TLS protocol versions to support.
- Ciphers to support.
- Whether to use the SNI extension when connecting.
- Whether to permit connections to insecure TLS servers.
- Whether to require server authentication, and, if so, the credentials to use.
- Session caching options.
- Advanced options for elliptic curve support.
A TLS server profile defines a TLS server with associated identification credentials that the appliance uses to accept connections from TLS clients. Identification credentials are in a Crypto Identification Credential configuration. This profile also specifies, among other settings:
- Client validation options.
- TLS protocol versions to support.
- Ciphers to support.
- Whether to request client authentication.
- Session caching options.
- Advanced options that include elliptic curve support, the maximum TLS session duration, and the maximum number of client-initiated renegotiations to allow.
For information about the TLS SNI Server Profile, see DataPower TLS SNI Server Profile.
The following extension functions now support the specification of a TLS client profile:
- ldap-authen()
- ldap-search()
- ldap-simple-query()
- ocsp-validate-certificate()
- set-target()
- soap-call()
- url-open() (generic)
- xset-target()
Cipher specification
TLS proxy profiles use free-form strings in OpenSSL cipher-list syntax to denote supported ciphers; the default is HIGH:MEDIUM:!aNULL:!eNULL:!RC4:@STRENGTH. TLS client and TLS server profiles instead take an explicit enumeration of ciphers, which shows exactly which ciphers are allowed and the order in which they are preferred during cipher negotiation. When you migrate, derive the explicit list from what the free-form string actually selects rather than picking ciphers by hand: the keyword classes (HIGH, MEDIUM) are resolved by the underlying crypto library and their contents change between library versions, so a hand-written list can silently admit a weaker cipher or drop one that a peer depends on.
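The following script, added here as an example and not DataPower code, expands a free-form cipher string into the explicit, ordered list that the cipher specification above describes, and flags entries worth reviewing before they are copied into a TLS client or TLS server profile. It uses the OpenSSL library behind Python's ssl module, so the expansion reflects the OpenSSL version on the machine where it runs, not the one inside the appliance firmware; the review thresholds (128-bit minimum strength, forward-secret key exchange) and the constructed sample list are assumptions of this example. The names it prints are OpenSSL names; match them to the suites offered by the profile's cipher list rather than expecting identical strings.

```python
"""Expand an OpenSSL-style cipher string into an explicit, ordered cipher list
and flag entries to review before migrating to a TLS client/server profile.

Added example for this page, not DataPower code. Relies on the OpenSSL build
behind Python's ssl module, so results reflect the local library version.
"""
import re
import ssl

# Default cipher string of a TLS proxy profile, as quoted in the text.
DEFAULT_PROXY_CIPHERS = "HIGH:MEDIUM:!aNULL:!eNULL:!RC4:@STRENGTH"

# Review thresholds (assumptions of this example, not DataPower defaults).
MIN_STRENGTH_BITS = 128
FORWARD_SECRECY_KX = {"ECDH", "DH"}  # Kx= values OpenSSL prints for ECDHE/DHE


def expand_cipher_string(spec):
    """Return the ciphers OpenSSL selects for `spec`, in negotiation order.

    Each element is the dict produced by ssl.SSLContext.get_ciphers()
    (name, protocol, strength_bits, description, ...). TLS 1.3 suites are
    configured separately in OpenSSL and are not governed by the cipher
    string, so they are dropped from the migration list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def cipher_names(spec):
    """The explicit enumeration to transcribe into the new profile."""
    return [c["name"] for c in expand_cipher_string(spec)]


def key_exchange(description):
    """Pull the Kx= token out of an OpenSSL cipher description line."""
    m = re.search(r"\bKx=(\S+)", description)
    return m.group(1) if m else "unknown"


def audit(ciphers):
    """Split an expanded list into (keep, review) using the thresholds above.

    `review` holds (name, reason) pairs for ciphers that are weak or lack
    forward secrecy; they may still be needed for a legacy peer, but the
    decision should be explicit rather than inherited from a keyword class.
    """
    keep, review = [], []
    for c in ciphers:
        reasons = []
        if c["strength_bits"] < MIN_STRENGTH_BITS:
            reasons.append("%d-bit symmetric strength" % c["strength_bits"])
        kx = key_exchange(c["description"])
        if kx not in FORWARD_SECRECY_KX:
            reasons.append("no forward secrecy (Kx=%s)" % kx)
        if reasons:
            review.append((c["name"], "; ".join(reasons)))
        else:
            keep.append(c["name"])
    return keep, review


# Constructed sample (not a real expansion) so audit() can be exercised
# independently of the local OpenSSL build.
SAMPLE_EXPANSION = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256,
     "description": "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA "
                    "Enc=AESGCM(256) Mac=AEAD"},
    {"name": "AES128-SHA", "strength_bits": 128,
     "description": "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1"},
    {"name": "DES-CBC3-SHA", "strength_bits": 112,
     "description": "DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1"},
]


if __name__ == "__main__":
    expanded = expand_cipher_string(DEFAULT_PROXY_CIPHERS)
    print("Explicit list for the new profile, in negotiation order:")
    for name in cipher_names(DEFAULT_PROXY_CIPHERS):
        print("  " + name)
    keep, review = audit(expanded)
    print("\n%d ciphers pass the review thresholds; review these before copying:"
          % len(keep))
    for name, why in review:
        print("  %s: %s" % (name, why))
```

Run it once with the cipher string taken from the existing TLS proxy profile and once with the list you intend to enter into the replacement profile; the two should agree on every cipher you mean to keep, and every entry in the review list should be a deliberate choice.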
Migration
Because the TLS proxy profile is deprecated, the following TLS profiles replace TLS proxy profile configurations, depending on the role the DataPower appliance plays in the connection.
- The TLS client profile replaces the forward TLS proxy profile.
- The TLS server and TLS SNI server profiles replace the reverse TLS proxy profile.
Existing configurations that use a TLS proxy profile are not updated automatically and continue to work, so there is no forced cutover; create replacement TLS client or TLS server profiles and move each configuration to them. For new configurations, although the default TLS profile type is still TLS Proxy Profile, select the appropriate replacement profile type instead.
After you test the replacement TLS profile, remove the reference to the TLS proxy profile from the configuration, then delete the TLS proxy profile if no other configuration uses it.
- From the CLI, access the configuration and use the no form of the command to de-reference the TLS proxy profile.
- From the GUI, access the configuration and perform the following steps.
- Set the TLS profile type to TLS Proxy Profile.
- Change the value of the TLS Proxy Profile to (none).
- Set the TLS profile type back to the appropriate replacement TLS profile type.
Document Information
Modified date:
05 September 2024
UID
swg21699392