Special Considerations

Refer to the following notes before installing the product.

Configuration Considerations

Consider the following when configuring Sterling External Authentication Server:

  • The System Settings dialog box allows you to configure the listeners, SSL keystore, and trusted certificates and uses a separate object for each tab. When you click OK, the objects are updated in the following order: Listeners, SSL Keystore, and Trusted Certificates.
  • The product uses strong, but limited, cryptography. To use stronger encryption, replace the default jurisdiction policy files with the Unlimited Strength Jurisdiction Policy Files 6.0, available from the JCE provider. See Jurisdiction Policy File Use for more information.

Jurisdiction Policy File Use

The TLS and SSL protocols are implemented in both the server and GUI components using the standard Java 6.0 Java Secure Socket Extension (JSSE) API and its default provider package. JSSE, in turn, uses the standard Java 6.0 Java Cryptography Extension (JCE) API to implement the underlying cryptographic algorithms.

The cipher suites available for use in SSL and TLS connections are determined by the following JCE jurisdiction policy files:

  • install_dir/jre/lib/security/local_policy.jar
  • install_dir/jre/lib/security/US_export_policy.jar

where install_dir is the location of the installation.

The jurisdiction policy files shipped with Sterling External Authentication Server enable strong, but limited, cryptography. If you need to use stronger encryption, US customers and those in other eligible countries can replace the default jurisdiction policy files with the Unlimited Strength Jurisdiction Policy Files 6.0, available from the JCE provider.

To replace the default jurisdiction policy files:

  1. Go to the main Security page for IBM®'s Java 6 at http://www.ibm.com/developerworks/java/jdk/security/60.
  2. Scroll down the page and click the IBM SDK Policy files link.
  3. Provide your IBM ID.
  4. Copy the unlimited strength jurisdiction policy files to the following locations:
    • install_dir/jre/lib/security/local_policy.jar
    • install_dir/jre/lib/security/US_export_policy.jar

      where install_dir is the location of the product

Following are the cipher suites available for use by default and by the unlimited jurisdiction policy files:

| Default SSL/TLS Cipher Suites | Cipher Suites Available with Unlimited Strength Jurisdiction Policy Files |
|---|---|
| | TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA |
| TLS_RSA_WITH_RC4_128_SHA | TLS_RSA_WITH_RC4_128_SHA |
| TLS_RSA_WITH_RC4_128_MD5 | TLS_RSA_WITH_RC4_128_MD5 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA |
| TLS_DHE_RSA_WITH_DES_CBC_SHA | TLS_DHE_RSA_WITH_DES_CBC_SHA |
| TLS_RSA_WITH_DES_CBC_SHA | TLS_RSA_WITH_DES_CBC_SHA |
| TLS_RSA_EXPORT_WITH_DES40_CBC_SHA | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA |
| TLS_RSA_EXPORT_WITH_RC4_40_MD5 | TLS_RSA_EXPORT_WITH_RC4_40_MD5 |
| TLS_RSA_WITH_NULL_SHA | TLS_RSA_WITH_NULL_SHA |
| TLS_RSA_WITH_NULL_MD5 | TLS_RSA_WITH_NULL_MD5 |
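
One way to confirm that the policy file replacement took effect and to see which of the listed suites the JRE offers. This is an added example, not code shipped with the product. The class name PolicyCheck and the install_dir/jre/bin/java launcher path are assumptions, and the JSSE provider may report suite names with an SSL_ prefix instead of TLS_, which the substring matching tolerates.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical class name). Run it with the product's own
// JRE so it reads the same policy files, for example (assumed path):
//   install_dir/jre/bin/java PolicyCheck
public class PolicyCheck {

    // Name fragments of the suites in the table that give no encryption
    // (NULL) or only export-grade, single-DES, RC4 or MD5-based protection.
    private static final String[] WEAK = {
        "_NULL_", "_EXPORT_", "_DES_", "_DES40_", "_RC4_", "_MD5"
    };

    static boolean isWeak(String suite) {
        for (int i = 0; i < WEAK.length; i++) {
            if (suite.indexOf(WEAK[i]) >= 0) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Limited policy files typically cap AES at 128 bits; the unlimited
        // strength files make this call return Integer.MAX_VALUE.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        boolean unlimited = maxAes >= 256;
        System.out.println("Max AES key length: " + maxAes
            + (unlimited ? " (unlimited policy)" : " (limited policy)"));

        String[] suites = SSLContext.getDefault()
            .getSupportedSSLParameters().getCipherSuites();
        List<String> weak = new ArrayList<String>();
        boolean aes256 = false;
        for (int i = 0; i < suites.length; i++) {
            if (suites[i].indexOf("AES_256") >= 0) aes256 = true;
            if (isWeak(suites[i])) weak.add(suites[i]);
        }
        System.out.println("AES-256 suite offered: " + aes256);
        System.out.println("Weak suites offered: " + weak);

        // Non-zero exit lets a deployment script fail when the copy in
        // step 4 did not take effect.
        System.exit(unlimited && aes256 ? 0 : 1);
    }
}
```

The 3DES suites are not flagged because "_DES_" only matches single DES; the weak-suite list is a review aid for deciding which suites to leave unselected when configuring listeners.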