Using Strong Cryptography

The strong cryptography settings let you configure the proxy server to require strong encryption in SSL sessions (for example, HTTPS). Client mode (the proxy server initiates the SSL session) and server mode (the proxy server accepts an SSL session from another machine) are configured separately. By default, strong cryptography is not enforced in either mode, so a peer that offers only weak cryptography is still allowed to negotiate a session.

The configuration can be done from the iChain Proxy Server system console using the following commands:

set authentication strongserverenable = (yes/no)

No --- Clients can initiate an SSL session with the proxy server using either weak or strong cryptography.

Yes --- Clients must initiate an SSL session with the proxy server using strong cryptography; otherwise the session fails.

set authentication strongclientenable = (yes/no)

No --- The proxy server initiates an SSL session with another server using any cryptography that server supports (strong or weak).

Yes --- The proxy server initiates an SSL session with another server only using strong cryptography; if the other server does not support it, the session fails.

Applying these settings stores them in the ISO object and creates a NILE.CFG file. NILE.NLM reads this file only at startup, so the server must be restarted for the settings to take effect.


Cryptography Settings


Configuring Federal Information Processing Standards in iChain

This section discusses the Federal Information Processing Standards (FIPS) option, including how to turn this option on or off, and the cipher options that go with it.


Turning the FIPS Option On/Off

To turn on the FIPS option in iChain, add the following load command line before "load proxy" in the appstart.ncf:

Syntax: load nile {-|/}{F|f}

The following are examples of this syntax:

load nile -F
load nile -f
load nile /F
load nile /f

The original appstart.ncf:

. . . . .
load dbypass
load proxy
load caconfig
. . . . .

The updated appstart.ncf:

. . . . .
load dbypass
load nile /F
load proxy
load caconfig
. . . . .

To turn this option off, either delete the "load nile /F" line or remove the "/F" option from it.

After updating appstart.ncf to turn the option on or off, restart the iChain server for the change to become effective.


Cipher Options For FIPS

iChain supports the following cipher options for FIPS:

A. For the server side (from the viewpoint of the browser):
   SSL_RSA_WITH_DES_CBC_SHA (weak)
   SSL_RSA_WITH_3DES_EDE_CBC_SHA (strong)

B. For the client side (from the viewpoint of the Web server):
   SSL_RSA_WITH_DES_CBC_SHA (weak)
   SSL_RSA_WITH_3DES_EDE_CBC_SHA (strong)

Note that "strong" in both the FIPS cipher list and the strong cryptography settings refers to the 3DES suite only; no other strong suite is listed.
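The practical check for the strongserverenable setting described under Using Strong Cryptography, and for the FIPS cipher list above, is to offer the proxy only the weak suite and see whether it still completes a handshake. The following is an added example, not part of the iChain documentation or product: it builds a minimal SSL 3.0/TLS 1.0 ClientHello that offers only the suites you choose (by their registered codes, 0x0009 for SSL_RSA_WITH_DES_CBC_SHA and 0x000A for SSL_RSA_WITH_3DES_EDE_CBC_SHA), sends it to a host and port you supply, and classifies the first record that comes back. The assumption, stated here and in the code, is that a server enforcing strong cryptography answers a weak-only offer with a handshake_failure alert or by closing the connection, while a server that accepts weak cryptography answers with a ServerHello selecting 0x0009.

```python
"""Added example (not iChain code): probe whether an SSL/TLS endpoint
accepts a weak cipher suite by offering it alone in a ClientHello."""
import os
import socket
import struct

# Cipher suite codes from the SSL 3.0 / TLS 1.0 registry.
SSL_RSA_WITH_DES_CBC_SHA = 0x0009       # "weak": 56-bit DES
SSL_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A  # "strong": 168-bit 3DES

HANDSHAKE = 0x16
ALERT = 0x15
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02
HANDSHAKE_FAILURE = 40


def build_client_hello(cipher_suites, version=(3, 1)):
    """One TLS record carrying a ClientHello that offers only `cipher_suites`.
    version=(3, 1) is TLS 1.0; use (3, 0) for SSL 3.0."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        bytes(version)
        + os.urandom(32)                      # client random
        + b"\x00"                             # empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                         # one compression method: null
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE]) + bytes(version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_server_response(data):
    """Classify the first record the server returned.
    Returns ("server_hello", suite_code), ("alert", description),
    ("closed", None) or ("unknown", None)."""
    if not data:
        return ("closed", None)   # server dropped the connection
    if len(data) < 5:
        return ("unknown", None)
    ctype = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if ctype == ALERT and len(payload) >= 2:
        return ("alert", payload[1])          # 40 = handshake_failure
    if ctype == HANDSHAKE and len(payload) >= 4 and payload[0] == SERVER_HELLO:
        hs = payload[4:]                      # skip type + 3-byte length
        # ServerHello: version(2) random(32) sid_len(1) sid cipher_suite(2) ...
        if len(hs) < 35:
            return ("unknown", None)
        off = 35 + hs[34]
        if len(hs) < off + 2:
            return ("unknown", None)
        return ("server_hello", struct.unpack("!H", hs[off:off + 2])[0])
    return ("unknown", None)


def accepted(result, offered):
    """True if the server selected one of the suites we offered."""
    kind, value = result
    return kind == "server_hello" and value in offered


def probe(host, port, cipher_suites, timeout=5.0):
    """Offer only `cipher_suites` to host:port and classify the reply.
    Assumption: a proxy enforcing strong cryptography replies with an
    alert or closes the connection when only the weak suite is offered."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(cipher_suites))
        try:
            data = s.recv(4096)
        except socket.timeout:
            return ("unknown", None)
        except ConnectionResetError:
            return ("closed", None)
    return parse_server_response(data)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. the proxy's HTTPS port
    for label, suites in (("weak only", [SSL_RSA_WITH_DES_CBC_SHA]),
                          ("strong only", [SSL_RSA_WITH_3DES_EDE_CBC_SHA])):
        res = probe(host, port, suites)
        verdict = "accepted" if accepted(res, suites) else "rejected"
        print(f"{label}: {res} -> {verdict}")
```

Run it once before and once after setting strongserverenable = yes and restarting: the "weak only" probe should flip from accepted to rejected, while "strong only" stays accepted. To check strongclientenable you would instead point the proxy at a back-end server that offers only SSL_RSA_WITH_DES_CBC_SHA and confirm the proxy's outbound session fails.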

For information on how to configure weak or strong cryptography, see Using Strong Cryptography.