WebSEAL Configuration

As part of FAPI conformance, the IBM Security Verify Access appliance supports Mutual TLS-based client authentication (MTLS) for confidential client authentication.

About this task

To achieve FAPI MTLS on IBM Security Verify Access, perform the following tasks:
Disable TLS 1.0/1.1
As part of the FAPI requirements, the appliance strictly disallows TLS 1.0/1.1 connections. See Step 1: Disable TLS 1.0/1.1.
Only Allow Secure Cipher Suites
To ensure that IBM® Security Verify Access uses only the FAPI specification-compliant TLS version and cipher suites for TLS connections, see Step 2: Allow Secure Cipher Suites.

Procedure

  1. To disable TLS 1.0/1.1, configure the WebSEAL configuration file by setting "disable-tls-v1" and "disable-tls-v11" to "yes".
    1. In the Appliance Dashboard, select Web > Manage > Reverse Proxy.
    2. Select the reverse proxy instance name and select Manage > Configuration > Edit Configuration File.
    3. In the configuration file, set disable-tls-v1 and disable-tls-v11 to "yes".
  2. To only allow secure cipher suites:
    1. In the appliance dashboard, select Web > Manage > Reverse Proxy.
    2. Select the reverse proxy instance name.
    3. Select Manage > Configuration > Edit Configuration File.
    4. In the configuration file under [ssl], disable TLS 1.1 and earlier:
      • disable-tls-v1 = yes
      • disable-tls-v11 = yes
    5. In the configuration file under [ssl-qop-mgmt-default], set default ciphers to:
      • default = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
      • default = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      • default = TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
      • default = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    6. In order for the appliance to use the DHE ciphers set in the previous step, a platform-level flag must be set. This can be done by setting gsk-attr-name = enum:4009:1 under [ssl].
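The steps above are edits to an INI-style file with repeated keys, so a quick way to confirm that an instance has all of them applied (before a conformance run, or as a periodic drift check) is to parse the exported configuration and compare it against the required values. The script below is an added example written for this page, not IBM's tooling or code from the appliance: it keeps every repeated `default =` entry under `[ssl-qop-mgmt-default]` (which Python's `configparser` would collapse), requires both `disable-tls-v1` and `disable-tls-v11` to be `yes`, rejects any cipher outside the four listed in step 5, and insists on `gsk-attr-name = enum:4009:1` whenever a DHE cipher is configured. The two configuration fragments at the bottom are constructed samples, not exports from a real appliance.

```python
"""Check an exported WebSEAL configuration file for the FAPI TLS settings
described in the procedure above (added example, not IBM code)."""
import re
from collections import defaultdict

# The four cipher suites the procedure configures under [ssl-qop-mgmt-default].
FAPI_ALLOWED_CIPHERS = {
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# The platform-level flag from step 6 that enables the DHE ciphers.
DHE_PLATFORM_FLAG = "enum:4009:1"


def parse_webseal_config(text):
    """Parse the INI-like WebSEAL file into {section: {key: [value, ...]}}.

    Every occurrence of a repeated key is kept, because WebSEAL expresses the
    cipher list as several 'default = ...' lines in one stanza.
    """
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any stanza, or not a key/value pair
        key, _, value = line.partition("=")
        sections[current][key.strip()].append(value.strip())
    return sections


def check_fapi_tls(text):
    """Return a list of findings; an empty list means all steps are applied."""
    cfg = parse_webseal_config(text)
    findings = []

    ssl = cfg.get("ssl", {})
    # Steps 1 and 4: TLS 1.0 and 1.1 must both be disabled. If a key is
    # repeated, the last value wins, which matches how the file is read.
    for key in ("disable-tls-v1", "disable-tls-v11"):
        if ssl.get(key, ["no"])[-1].lower() != "yes":
            findings.append(f"[ssl] {key} must be set to yes")

    # Step 5: only the FAPI-permitted suites may appear as 'default' entries.
    ciphers = cfg.get("ssl-qop-mgmt-default", {}).get("default", [])
    if not ciphers:
        findings.append("[ssl-qop-mgmt-default] has no 'default' cipher entries")
    for cipher in ciphers:
        if cipher not in FAPI_ALLOWED_CIPHERS:
            findings.append(
                f"[ssl-qop-mgmt-default] cipher {cipher} is not FAPI-permitted")

    # Step 6: DHE suites are silently unusable without the platform flag.
    if any(c.startswith("TLS_DHE_") for c in ciphers):
        if DHE_PLATFORM_FLAG not in ssl.get("gsk-attr-name", []):
            findings.append(
                f"[ssl] gsk-attr-name = {DHE_PLATFORM_FLAG} is required for DHE ciphers")
    return findings


# Constructed sample: every step of the procedure applied.
COMPLIANT_CONFIG = """
[ssl]
disable-tls-v1 = yes
disable-tls-v11 = yes
gsk-attr-name = enum:4009:1

[ssl-qop-mgmt-default]
default = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
default = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
default = TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
default = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""

# Constructed sample: TLS 1.0 still on, a CBC suite present, DHE flag missing.
DRIFTED_CONFIG = """
[ssl]
disable-tls-v1 = no
disable-tls-v11 = yes

[ssl-qop-mgmt-default]
default = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
default = TLS_RSA_WITH_AES_128_CBC_SHA
"""

if __name__ == "__main__":
    for name, sample in (("compliant", COMPLIANT_CONFIG), ("drifted", DRIFTED_CONFIG)):
        print(name, check_fapi_tls(sample) or "OK")
</test>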