Access SSL Configuration

Use the Access SSL Configuration page to configure the client role parameters for communication from Sentry to Access. You can configure ciphers and protocols for outgoing traffic from Sentry to Access.

Managing Strict TLS settings for Standalone Sentry SSL connections to Access.

Server Name Indication (SNI).

View the Available and Selected protocols and cipher suites. See Cipher suites and protocols.

Set up custom protocol and cipher suite configuration. See Customizing cipher suites and protocols.

The Access SSL Configuration page allows the administrator the flexibility to configure Standalone Sentry to use cipher suites and protocols to match the security and system needs of your enterprise.

Managing Strict TLS

You can enable strict TLS for outgoing traffic from Standalone Sentry to Access. Strict TLS is enabled by default. With strict TLS enabled, the Java Trust Store is enabled by default. You can also use the custom trust store option to upload additional certificates that Standalone Sentry must use.

For more information on Strict TLS, see Server hostname verification with strict TLS, Impacts of server hostname verification and TLS settings for Standalone Sentry in Core.

Procedure

1. In the Standalone Sentry System Manager, go to Settings > Services > Sentry > Access SSL Configuration.
2. In the Strict TLS Settings section, select or deselect Enable Strict TLS to enable or disable Strict TLS appropriately.

Additional options are now available.

Item: Enable Default Java Trust Store
Description: Selected by default if strict TLS is enabled. Certificates and Certificate Authorities in the Java Trust Store are used to trust the SSL connection to UEM.

Item: Allow and Log untrusted servers
Description: Select to allow Standalone Sentry to connect to a UEM that does not use a certificate trusted by the Java or custom trust store.

Item: Enable Custom Trust Store
Description: Select to upload certificates to the Standalone Sentry trust store. Standalone Sentry uses the certificates in the custom store to trust UEM. Generally used if UEM uses self-signed certificates.

3. Click Apply.
4. Click Yes.

The new TLS settings are applied and Standalone Sentry restarts. It may take up to one minute for Standalone Sentry to restart. Traffic is disrupted until Standalone Sentry is up and running again.

5. Click OK.
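To make the effect of the Strict TLS options concrete, the following Python example (added here; it is not Ivanti's code and Standalone Sentry itself is Java-based) builds a client-side TLS context that mirrors the four options in the table above: strict verification on or off, the platform trust store standing in for the default Java Trust Store, an optional custom CA bundle, and a connect helper that logs and retries without verification only when "Allow and Log untrusted servers" is chosen. The host, port and custom_ca_file values are assumptions supplied by the caller, and SSLv2Hello has no OpenSSL equivalent so it is not mapped.

```python
import logging
import socket
import ssl

log = logging.getLogger("access-ssl-example")

# Protocol names as they appear in the Selected/Available columns, mapped to the
# ssl module's versions. SSLv2Hello is a Java-only pseudo-protocol with no
# OpenSSL equivalent, so it is deliberately absent from this map.
PROTOCOL_VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1": ssl.TLSVersion.TLSv1,
}


def build_client_context(strict_tls=True, default_trust_store=True,
                         custom_ca_file=None, protocols=("TLSv1.2",)):
    """Build the client-side context for outgoing connections.

    strict_tls          -> Enable Strict TLS (chain and hostname verification)
    default_trust_store -> Enable Default Java Trust Store (platform CAs here)
    custom_ca_file      -> Enable Custom Trust Store (PEM bundle; hypothetical path)
    protocols           -> the Selected protocols column
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    if default_trust_store:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if custom_ca_file:
        ctx.load_verify_locations(cafile=custom_ca_file)
    if not strict_tls:
        # check_hostname must be cleared before verify_mode can become CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    versions = [PROTOCOL_VERSIONS[p] for p in protocols if p in PROTOCOL_VERSIONS]
    if not versions:
        raise ValueError("select at least one of TLSv1.2, TLSv1.1 or TLSv1")
    ctx.minimum_version = min(versions)
    ctx.maximum_version = max(versions)  # nothing above the highest Selected entry
    return ctx


def describe(ctx):
    """Summarise the effective policy so it can be checked before use."""
    return {
        "verify": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
    }


def open_connection(host, port, ctx, allow_untrusted=False, timeout=5.0):
    """Connect with the strict context, sending SNI via server_hostname.

    With allow_untrusted=True a verification failure is logged and the
    connection retried without verification, mirroring the
    "Allow and Log untrusted servers" option. Leave it False in production.
    """
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except ssl.SSLCertVerificationError as exc:
        if not allow_untrusted:
            raise
        log.warning("untrusted server %s:%d allowed: %s", host, port, exc)
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    lax.minimum_version, lax.maximum_version = ctx.minimum_version, ctx.maximum_version
    raw = socket.create_connection((host, port), timeout=timeout)
    return lax.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print(describe(build_client_context()))
```

Calling describe() on the context before handing it to open_connection() is the cheap check that strict verification is still in force; the retry path in open_connection() is the only place verification is relaxed, and it always leaves a log line behind.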

Server Name Indication (SNI)

Server Name Indication (SNI) is an extension to TLS. SNI allows multiple hostnames to be served over HTTPS from one IP address. By default, SNI is enabled on Standalone Sentry for outgoing connections. SNI allows a load balancer to direct incoming traffic to the correct Access server based on the hostname provided by the client, in this case, Standalone Sentry. Access servers require that SNI is enabled in the client. Your Active Directory Federation Services (ADFS) requires SNI for all client communications.

If SNI is enabled for Access SSL connections, in some cases the health check may fail if the Access server does not also support SNI. The workaround is to disable the health check for the impacted server.

Cipher suites and protocols

Standalone Sentry includes a set of cipher suites and protocols. A default set of cipher suites and protocols is available in the Selected column. You can customize the Selected list of ciphers and protocols to match the security and system needs for your enterprise.

The available and default set of cipher suites and protocols might be updated in a release. Some cipher suites and protocols might be added, while others may be removed. Cipher suites and protocols might be removed if the platform no longer supports these cipher suites and protocols.

If you are set up to use the default cipher suites and protocols, these are updated to the latest defaults when you upgrade to a new version of Standalone Sentry. If you are set up to use a custom list of Selected cipher suites and protocols, the custom list is preserved when you upgrade your Standalone Sentry. However, any cipher suites or protocols that were removed are also removed from the Selected and Available columns. New cipher suites and protocols are added to the Available column.

Making changes to the selected list of cipher suites may impact the performance and security of traffic through Standalone Sentry. Therefore, before making any changes to the Selected cipher suites, Ivanti recommends that you understand both the performance and security impact of the changes.

The following protocols are supported:

TLSv1.2 (Selected by default)

TLSv1.1

TLSv1

SSLv2Hello

SSLv2Hello is a pseudo-protocol that allows Java to initiate the handshake with an SSLv2 "hello" message. This does not cause the use of the SSLv2 protocol, which is not supported by Java. SSLv2Hello requires that the TLSv1 protocol is also selected.

SSLv2Hello is required by some load balancers and SSL offloaders for proper functioning. If your environment does not need it, it is recommended to remove this from the protocol list for improved security.
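The upgrade behaviour described under "Cipher suites and protocols" (defaults refreshed, a custom Selected list preserved minus dropped entries, new entries placed in Available) and the SSLv2Hello constraints above are easy to get wrong when reviewing a custom list. The following Python model is an added example, not Ivanti's code: it reproduces those rules on plain lists so an administrator can predict what a custom Selected column will look like after an upgrade and flag a protocol selection the page says is invalid. The protocol names are the ones the page lists; the cipher names CIPHER_A and CIPHER_NEW are constructed placeholders, since the page does not list Sentry's actual cipher suites.

```python
# Protocol names exactly as the page lists them; cipher suite names used with
# this model are constructed placeholders, not Sentry's real cipher list.
PROTOCOL_NAMES = ("TLSv1.2", "TLSv1.1", "TLSv1", "SSLv2Hello")


def apply_upgrade(mode, selected, new_defaults, new_supported):
    """Return (selected, available) as they stand after an upgrade.

    mode          -> "default" (Use Default Cipher Suites and Protocols)
                     or "custom" (Use Custom Configuration)
    selected      -> the current Selected column
    new_defaults  -> the default Selected list shipped by the new version
    new_supported -> everything the new version still supports
    """
    if mode == "default":
        # defaults are replaced wholesale by the new version's defaults
        new_selected = list(new_defaults)
    elif mode == "custom":
        # custom list preserved, minus entries the platform no longer supports
        new_selected = [s for s in selected if s in new_supported]
    else:
        raise ValueError("mode must be 'default' or 'custom'")
    # Available holds everything supported but not selected, so new entries land
    # here and dropped entries disappear from both columns
    available = [s for s in new_supported if s not in new_selected]
    return new_selected, available


def validate_protocols(selected):
    """Check the Selected protocols against the constraints the page states."""
    findings = []
    protocols = [s for s in selected if s in PROTOCOL_NAMES]
    if not [p for p in protocols if p != "SSLv2Hello"]:
        findings.append("ERROR: no TLS protocol selected")
    if "SSLv2Hello" in protocols:
        if "TLSv1" not in protocols:
            findings.append("ERROR: SSLv2Hello requires TLSv1 to also be selected")
        findings.append("WARN: SSLv2Hello is only needed by some load balancers "
                        "and SSL offloaders; remove it if your environment does not need it")
    return findings


if __name__ == "__main__":
    # Constructed scenario: TLSv1 and SSLv2Hello dropped by the platform,
    # CIPHER_NEW added, administrator on a custom configuration.
    before = ["TLSv1.2", "TLSv1", "SSLv2Hello", "CIPHER_A"]
    supported = ["TLSv1.2", "TLSv1.1", "CIPHER_A", "CIPHER_NEW"]
    print(apply_upgrade("custom", before, ["TLSv1.2", "CIPHER_A"], supported))
    print(validate_protocols(["TLSv1.2", "SSLv2Hello"]))
```

Running validate_protocols() over the Selected column before clicking Apply catches the SSLv2Hello-without-TLSv1 case the page warns about; running apply_upgrade() with the release notes' supported list shows which custom entries will silently vanish.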

Customizing cipher suites and protocols

You can customize the cipher suites and protocols configuration.

Procedure

1. In Standalone Sentry System Manager, go to Settings > Services > Sentry > Access SSL Configuration. Ciphers and protocols are configured in the Sentry to CMS Ciphers, SNI, and Protocols Configuration section.

The Use Default Cipher Suites and Protocols (recommended) option is selected by default.

2. Select Use Custom Configuration.
3. Click Proceed to continue.
4. Select the protocols and cipher suites to move from the Available to Selected column or vice-versa as necessary.

The default cipher suites and protocols are colored blue.

5. Click Apply to save the changes.

When Use Default Cipher Suites and Protocols (recommended) is selected, the cipher suites and protocols can be moved between the Available and Selected columns. However, the configuration is not changed. You must also select the Use Custom Configuration option to make changes to the default configuration.

Switching back to default configuration

You can revert your settings to default configuration if you do not wish to use the custom configuration.

Procedure

1. In Standalone Sentry System Manager, go to Settings > Services > Sentry > Access SSL Configuration.
2. In the Sentry to CMS Ciphers, SNI, and Protocols Configuration section, select Use Default Cipher Suites and Protocols (recommended).
3. Click Apply to save the changes.

The cipher suites and protocols are reset to the default settings.

Clicking Reset to Default resets the Available and Selected columns to default settings. However, the default settings are not applied. To apply the default settings, you must select Use Default Cipher Suites and Protocols (recommended), and then click Apply.