Security

1. Support for end-to-end security:

For instructions on setting up end-to-end security, see How to setup end-to-end security in ZIEWeb.

2. TLS Client Authentication:

  • Client authentication is carried out as part of the TLS handshake, before any application data is transmitted in the TLS session.
  • The client presents its certificate during the TLS handshake so that the server can verify that an authorized client is connecting.
  • This is an additional control against unauthorized clients establishing a connection with the server.
  • The path to the client certificate is provided when configuring the session properties in the Deployment Wizard or when establishing a connection to the session.

The following options are used to specify the handling of Client Authentication:

  • Send Certificate: Enables client authentication. If you click No and the server requests a client certificate, the server is told that no client certificate is available, and the user is not prompted.
  • Enable Key Usage: Turns on filtering of client certificates by their Key Usage and Extended Key Usage extensions, so that the client can automatically recognize and use the correct authentication certificate.
  • Key Usage: This button opens a popup listing all the defined key usage Object IDs (OIDs). The following tabs are available:
    1. Key Usage: The user can choose which bits must be set in the Key Usage certificate extension for a client certificate to be eligible for use in a client authentication session.
    2. Extended Key Usage: The user can choose which OIDs must be present in the Extended Key Usage certificate extension for a client certificate to be eligible for use in a client authentication session.
    3. Custom Key Usage: The user can add or delete further description and OID pairs.
  • How often to prompt: This drop-down box controls how frequently the user is prompted for a client certificate.
    1. First time: Prompts the user the first time a connection is made for that session.
    2. On each connection: Prompts the user each time a connection is made to the server.
    3. Only once for each certificate: Prompts the user the first time a connection is made. A client with multiple sessions set to this option receives only one prompt, regardless of the number of sessions started, if the same certificate applies to those sessions. (If a connection attempt fails, however, the user is prompted again.)
  • TLS 1.3 Support:

    The session attempts to connect to the host using TLS 1.3. If the client JRE supports TLS 1.3, the session connects with TLS 1.3; if it does not, the session connects with TLS 1.2 and no exception is thrown.

    Supported JRE versions:

    1. Oracle/OpenJDK 1.8 update 261 and later.
    2. IBM 1.8 update 291 and later.
    3. Java 11 and later.
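The two checks described above, certificate eligibility by Key Usage / Extended Key Usage and the TLS 1.3 to TLS 1.2 fallback, as an added JSSE example. This is illustrative code written for this page, not ZIEWeb's implementation: the PKCS#12 path and password are taken from the command line (an assumption), and the required bits (digitalSignature plus the clientAuth EKU OID) are one typical selection, not a list the product prescribes.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

public class ClientCertSelector {
    // KeyUsage bit position as returned by X509Certificate.getKeyUsage() (RFC 5280, 4.2.1.3)
    static final int KU_DIGITAL_SIGNATURE = 0;
    // Extended Key Usage OID for TLS client authentication (id-kp-clientAuth, RFC 5280, 4.2.1.12)
    static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

    /** Eligible when every required KeyUsage bit is set and every required EKU OID is present. */
    static boolean eligible(X509Certificate cert, int[] requiredKuBits, List<String> requiredEkuOids)
            throws CertificateParsingException {
        boolean[] ku = cert.getKeyUsage();              // null when the extension is absent
        if (requiredKuBits.length > 0 && ku == null) return false;
        for (int bit : requiredKuBits) {
            if (bit >= ku.length || !ku[bit]) return false;
        }
        if (requiredEkuOids.isEmpty()) return true;
        List<String> eku = cert.getExtendedKeyUsage();  // null when the extension is absent
        return eku != null && eku.containsAll(requiredEkuOids);
    }

    /** Walk the key store and keep only private-key entries whose certificate passes the check. */
    static List<String> eligibleAliases(KeyStore ks, int[] kuBits, List<String> ekuOids) throws Exception {
        List<String> out = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;        // the client must hold the private key to authenticate
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate && eligible((X509Certificate) c, kuBits, ekuOids)) {
                out.add(alias);
            }
        }
        return out;
    }

    /** Offer TLS 1.3 when this JRE supports it, otherwise TLS 1.2, without throwing. */
    static String[] preferredProtocols(SSLContext ctx) {
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        List<String> chosen = new ArrayList<>();
        for (String p : new String[] {"TLSv1.3", "TLSv1.2"}) {
            if (supported.contains(p)) chosen.add(p);
        }
        return chosen.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Assumed: args[0] is the PKCS#12 file configured for the session, args[1] its password.
        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }

        List<String> aliases = eligibleAliases(ks, new int[] {KU_DIGITAL_SIGNATURE}, Arrays.asList(EKU_CLIENT_AUTH));
        if (aliases.isEmpty()) {
            // Same outcome as "Send Certificate = No": the server is told no certificate is available.
            System.out.println("No certificate in " + args[0] + " satisfies the Key Usage requirements.");
            return;
        }
        System.out.println("Eligible client certificate aliases: " + aliases);

        SSLContext ctx = SSLContext.getInstance("TLS");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        ctx.init(kmf.getKeyManagers(), null, null);    // default trust store validates the server certificate

        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setProtocols(preferredProtocols(ctx));
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(); // unconnected; no network needed here
        socket.setSSLParameters(params);
        System.out.println("Protocols offered to the host: " + Arrays.toString(socket.getEnabledProtocols()));
        // To connect: socket.connect(new InetSocketAddress(host, port)); socket.startHandshake();
    }
}
```

Run it as `java ClientCertSelector client.p12 '<password>'`. Setting `TLSv1.3` directly on a JRE that lacks it would throw `IllegalArgumentException`, which is why `preferredProtocols` intersects with the supported list first. The eligibility check here only reports which aliases qualify; a full implementation would wrap the JSSE `X509KeyManager` so that `chooseClientAlias` considers only those aliases.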

3. FIPS:

  • During the TLS handshake, the client and server agree on the cipher suite used to protect data for the session: the client offers a list of cipher suites and the server selects one from that list.
  • To be FIPS 140-2 compliant, the selected cipher suite must be FIPS 140-2 compliant.
  • FIPS mode is enabled by default in the application and restricts the cipher suites offered through JSSE to FIPS 140-2 compliant ones when establishing a secure connection.
  • FIPS mode can be enabled or disabled; when enabled, only FIPS 140-2 compliant ciphers are used.
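The mechanics behind this, as an added JSSE example that is not ZIEWeb's code: the client's offered cipher suites are cut down to an allowlist before the handshake, and the negotiated suite is checked afterwards. The allowlist below (AES-GCM suites with ECDHE key exchange, plus the TLS 1.3 suites) is illustrative and is an assumption of this example; in a real deployment the approved list comes from the FIPS-validated provider in use, not from a hard-coded array.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

public class FipsCipherSuites {
    // Illustrative allowlist (assumption for this example). Order is preference order.
    static final List<String> ALLOWED = Arrays.asList(
        "TLS_AES_256_GCM_SHA384",                    // TLS 1.3
        "TLS_AES_128_GCM_SHA256",                    // TLS 1.3
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",   // TLS 1.2
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

    /** Keep only allowed suites that this JRE actually supports; fail closed if none remain. */
    static String[] restrict(String[] supported, List<String> allowed) {
        List<String> sup = Arrays.asList(supported);
        List<String> out = new ArrayList<>();
        for (String s : allowed) {
            if (sup.contains(s)) out.add(s);
        }
        if (out.isEmpty()) {
            throw new IllegalStateException("no allowed cipher suite is supported by this JRE");
        }
        return out.toArray(new String[0]);
    }

    /** After the handshake, refuse a session whose negotiated suite is outside the allowlist. */
    static void verifyNegotiated(SSLSocket socket, List<String> allowed) throws IOException {
        String suite = socket.getSession().getCipherSuite();
        if (!allowed.contains(suite)) {
            socket.close();
            throw new SSLException("non-approved cipher suite negotiated: " + suite);
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setCipherSuites(restrict(ctx.getSupportedSSLParameters().getCipherSuites(), ALLOWED));

        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(); // unconnected; offline demo
        socket.setSSLParameters(params);
        System.out.println("Cipher suites offered: " + Arrays.toString(socket.getEnabledCipherSuites()));
        // To connect: socket.connect(new InetSocketAddress(host, port));
        //             socket.startHandshake();
        //             verifyNegotiated(socket, ALLOWED);
    }
}
```

The post-handshake check in `verifyNegotiated` is the defence-in-depth step: restricting the offered list already prevents the server from picking anything else, so a failure there indicates a misconfigured or non-compliant JSSE provider rather than a normal negotiation.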