SecureTransport advanced SSL settings

This page describes the following SSL protocol feature support:

  • Advanced SSL Settings - SecureTransport 5.4 Patch 7 and higher.
  • SSL Legacy Mode on PeSIT Transfer Sites - SecureTransport 5.4 Patch 25 and higher.

Using Advanced SSL Settings

When defining a Transfer Site in SecureTransport, you can select Transfer Site > Show Advanced SSL Settings.

The following table lists the protocol-specific Advanced SSL Settings:

Communication profile type   Available fields
--------------------------   ----------------------------------------------------------------------------
PeSIT client or server       Cipher suites, Enabled SSL protocols
FTP client                   Cipher suites, Enabled SSL protocols
HTTP client                  Cipher suites, Enabled SSL protocols
SFTP client (SSH)            Cipher suites, Allowed MACs, Key exchange algorithms, Public keys

Example

In this example, the default public keys in the Advanced SSL Settings for a Transfer Site using SSH as the transfer protocol are: ssh-rsa,ssh-dss,x509v3-sign-rsa,x509v3-sign-rsa-sha1.

View settings in the Central Governance Core Services

When SecureTransport registers with Central Governance, the supported default Advanced SSL Settings are retrieved from SecureTransport and recorded in the Core Services logs. To view these settings, use the Message filter with the string [Product_name][AdvancedSecuritySettings][Protocol], where [Protocol] is FTP, HTTP, PeSIT or SFTP. For example:

[st540][AdvancedSecuritySettings][FTP] – Default values for protocols: None.

[st540][AdvancedSecuritySettings][FTP] – Default values for cipher suites: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
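The log lines above are the only record of the defaults a registered SecureTransport reports, so an operator auditing a deployment will usually want to pull them out of the Core Services log rather than read them by hand. The following Python is an added example, not part of this page or of the Axway products: it parses lines in the format shown above, filters them the way the Message filter does (by product and protocol), and reports the cipher suites that lack forward secrecy or use CBC mode, and the SSH public key algorithms that are deprecated. The two FTP lines are copied from this page; the SFTP line is constructed here in the same format from the SSH default public key list given earlier on the page and is an assumption about how that setting would be logged.

```python
import re
from dataclasses import dataclass

# Sample Core Services log. The two FTP lines are copied from this page; the
# SFTP line is CONSTRUCTED in the same format (assumed, not a real excerpt)
# from the SSH default public keys listed on the page.
SAMPLE_LOG = """
[st540][AdvancedSecuritySettings][FTP] – Default values for protocols: None.
[st540][AdvancedSecuritySettings][FTP] – Default values for cipher suites: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
[st540][AdvancedSecuritySettings][SFTP] – Default values for public keys: ssh-rsa, ssh-dss, x509v3-sign-rsa, x509v3-sign-rsa-sha1.
"""

# One log line: [product][AdvancedSecuritySettings][PROTOCOL] – Default values for <setting>: <values>.
LOG_RE = re.compile(
    r"^\[(?P<product>[^\]]+)\]\[AdvancedSecuritySettings\]\[(?P<protocol>[^\]]+)\]"
    r"\s*[–-]\s*Default values for (?P<setting>[^:]+):\s*(?P<values>.*?)\.?\s*$"
)

# SCSV values are signalling entries, not cipher suites, so they are reported separately.
SIGNALLING = {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_FALLBACK_SCSV"}
# ssh-dss is the 1024-bit DSA host/user key algorithm, deprecated in OpenSSH.
DEPRECATED_SSH_KEYS = {"ssh-dss"}


@dataclass
class DefaultSetting:
    product: str
    protocol: str
    setting: str
    values: list


def parse_line(line):
    """Parse one AdvancedSecuritySettings log line; return None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("values").strip()
    # "None" means the product reported no default for this setting.
    values = [] if raw.lower() == "none" else [v.strip() for v in raw.split(",") if v.strip()]
    return DefaultSetting(m.group("product"), m.group("protocol"), m.group("setting").strip(), values)


def parse_log(text):
    return [s for s in (parse_line(ln) for ln in text.splitlines()) if s is not None]


def select(entries, protocol, product=None):
    """Equivalent of the Message filter: keep entries for one protocol (and optionally product)."""
    return [e for e in entries if e.protocol == protocol and (product is None or e.product == product)]


def audit_cipher_suites(suites):
    """Flag suites without forward secrecy (no ECDHE/DHE key exchange) and CBC-mode suites."""
    real = [s for s in suites if s not in SIGNALLING]
    return {
        "no_forward_secrecy": [s for s in real if not s.startswith(("TLS_ECDHE_", "TLS_DHE_"))],
        "cbc_mode": [s for s in real if "_CBC_" in s],
        "signalling": [s for s in suites if s in SIGNALLING],
    }


def audit_ssh_public_keys(algorithms):
    """Flag SSH public key algorithms that are deprecated."""
    return [a for a in algorithms if a in DEPRECATED_SSH_KEYS]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in select(entries, "FTP", product="st540"):
        if e.setting == "cipher suites":
            print("FTP cipher suite findings:", audit_cipher_suites(e.values))
    for e in select(entries, "SFTP"):
        if e.setting == "public keys":
            print("Deprecated SSH public key algorithms:", audit_ssh_public_keys(e.values))
```

Run against a real Core Services log export, the script lists which of the deployed defaults a hardening review would want to remove through the communication profile REST API described in the next paragraph; on the page's own FTP line it reports TLS_RSA_WITH_AES_256_CBC_SHA256 as the one suite without forward secrecy and seven CBC-mode suites.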

The Advanced SSL Settings values are deployed each time an SSL Transfer Site is created or modified by a flow deployment. You can use the POST and PUT REST API commands on SecureTransport communication profiles to customize the supported Advanced SSL Settings for a Transfer Site. For more information, see Manage SecureTransport's advanced SSL settings.

The default Advanced SSL Settings for a communication profile are not displayed in the flow UI. If you modify the default Advanced SSL Settings values, however, the fields are then displayed in the UI.

Using SSL Legacy Mode

This section describes how to use the SSL Legacy Mode in a Transfer Site definition for communication with a partner (available when using TLS/SSL).

On SecureTransport

To enable it, in the Transfer Site definition select Transfer Settings > Use TLS/SSL > Enable SSL Legacy Mode.

On Central Governance

When SecureTransport is the client

When SecureTransport is the client and a partner is the server, in the flow's Protocol definition set the Enable Legacy Secured Socket Mode field in the client communication profile, where:

  • Yes: Enables the Enable SSL Legacy Mode field on the Transfer Site
  • No (default): Disables the Enable SSL Legacy Mode field on the Transfer Site

When SecureTransport is the server

When the partner is the client and SecureTransport is the server in a flow, on the SecureTransport configuration page set the Secured Socket Mode field in the server communication profile as follows:

Central Governance server communication profile setting for Secured Socket Mode

Central Governance setting   Network protocol is TCP                                     Network protocol is pTCP
--------------------------   ---------------------------------------------------------   ---------------------------------------
Legacy                       Enable PeSIT over Secured Socket (Legacy)                   N/A
Non Legacy (Default)         Enable PeSIT over Secured Socket                            Enable PeSIT over a pTCP Secured Socket
Autodetect                   Enable PeSIT over Secured Socket (Legacy and Compatible)    N/A
