Home
Administering
This section describes how to plan for, install, configure, operate, and manage the SafeLinx Server.
Security
HCL SafeLinx includes a range of options for configuring the security of your network, applications, and data.
Authentication Between the Mobile Access Service and SafeLinx Clients
SafeLinx Clients must authenticate with the mobile access service before they can establish an encrypted connection.

Administering
This section describes how to plan for, install, configure, operate, and manage the SafeLinx Server.
- Overview
  HCL SafeLinx uses standards-based protocols to enable secure access from mobile computing devices outside the firewall to business applications and data on your organization's internal network.
- Security
  HCL SafeLinx includes a range of options for configuring the security of your network, applications, and data.
  - Using IPSec
    You can configure the operating system to use IPSec to secure data transmitted between the SafeLinx Server and remote servers or among cluster nodes.
  - Security Options
    You can configure SafeLinx to use several different security mechanisms to protect network resources.
  - Authentication and Encryption
    A managed set of public key certificates that are issued by a certificate authority is required to enable TLS communications.
  - Authentication Between the Mobile Access Service and SafeLinx Clients
    SafeLinx Clients must authenticate with the mobile access service before they can establish an encrypted connection.
  - Encryption Between the Mobile Access Service and SafeLinx Clients
    You can modify the type of encryption that is used to transmit data between SafeLinx Clients and the mobile access service.
  - Third-Party Authentication to the SafeLinx Server
    You can configure authentication profiles to enable third-party authentication to the SafeLinx Server.
  - Two-factor authentication
    For a tutorial providing an example of how to set up HCL SafeLinx 1.2 for two-factor authentication, see the article Implementing two-factor authentication with HCL SafeLinx 1.2 on the HCL Customer Support site.
  - Authentication and Encryption Between Messaging Services and Applications that Use Messaging Services and Push APIs
    To ensure secure transmissions with messaging clients, you can configure messaging services to require TLS connections with message processing servers or push initiators.
  - Authentication and Encryption Among Cluster Managers
    To secure communications among cluster manager, you can require transport layer security (TLS) connections among the nodes in a SafeLinx Server cluster.
  - Admin Access
    Administrators who use the SafeLinx Administrator must authenticate by providing an administrator ID and password.
- Installation planning
  Before you install HCL SafeLinx, verify that you meet the hardware and software requirements, and that the network connections that you want to use are available.
- Roadmaps: Installing and setting up SafeLinx
  The following "roadmap" topics guide you through installing and initially configuring SafeLinx. Refer to the topic that corresponds to your relational database and server operating system.
- Installing and initial configuration
  Initial configuration and installation of HCL SafeLinx varies based on your operating system and relational database.
- Adding a secure login profile
  By default, the SafeLinx Administrator communicates with the access manager over an unencrypted connection. If you want the connection between the SafeLinx Administrator and the access manager to use transport layer security (TLS) protocols, add a secure login profile to the SafeLinx Administrator.
- Adding and configuring resources
  After you complete the installation and initial configuration, continue to prepare the deployment by configuring other network resources.
- Administering
  The SafeLinx Administrator administration client is the primary tool for viewing, adding, configuring, and managing HCL SafeLinx resources. Along with the SafeLinx Administrator, you can use the HCL SafeLinx Monitor to view information about packet flow through the SafeLinx Server. You can also use a set of command line tools to perform common SafeLinx Server tasks.
- Programming reference
  There are several programming considerations of which you might want to take advantage.
- Database schema information
  HCL SafeLinx uses a DB2, Oracle, MySQL, or SQL database to store tables of information about current and past activity of SafeLinx Server sessions. The following tables are created and accessed by using the qualifier name wg for DB2 installations.
- Step by step: Nomad configuration
  Here are step-by-step instructions that serve as an example of how to install and configure HCL SafeLinx for Nomad on MySQL on Linux.

Authentication Between the Mobile Access Service and SafeLinx Clients

SafeLinx Clients must authenticate with the mobile access service before they can establish an encrypted connection.

Mobile access services use a modified Point-to-Point Protocol (PPP) called wireless optimized link protocol (WLP) to authenticate connections with SafeLinx Clients. A connection profile is configured and assigned to the HTTP or TCP MNC through which SafeLinx Clients connect.

You can configure a connection profile to perform key exchanges that use:

Single-party key distribution protocol: The SafeLinx Client is authenticated to the SafeLinx Server by using a password.
Two-party key distribution protocol: The SafeLinx Server and the SafeLinx Clients authenticate the passwords for each other. The SafeLinx Client validates that the Connection Manager has the client password before it sends the password to the SafeLinx Server.
Diffie-Hellman key agreement algorithm: Both the SafeLinx Server and the Mobility Client are given the means to compute the same key.
Note: This choice does not complete authentication.

Some devices have serial numbers that are associated with their hardware, and that can be used for identification. Users who connect by using a SafeLinx Client that is configured for Password key exchange can take advantage of an extra level of security by taking advantage of device identifiers. Not all client operating systems and devices support device identification. If device identification is supported, from the SafeLinx Client, click SafeLinx Client Help > About to view the device identifier. If a user is configured to use device identification, the unique identifier is combined with the password during authentication. For more information about enabling device identification, see Using device identification with SafeLinx Clients

For more information about SafeLinx Client key exchange, see Connection and transport profiles.