Although in almost all cases, the default settings do not need to be changed, you can configure the security protocols and cryptographic algorithms that are used to encrypt communications between clients and the Unified Access Gateway appliance.

The default setting includes cipher suites that use 128-bit or 256-bit AES encryption, excluding anonymous DH algorithms, and sorts them by strength. By default, TLS v1.2 is enabled; TLS v1.0, TLS v1.1, and SSL v3.0 are disabled.

Prerequisites

  • Familiarize yourself with the Unified Access Gateway REST API. The specification for this API is available at the following URL on the virtual machine where Unified Access Gateway is installed: https://access-point-appliance.example.com:9443/rest/swagger.yaml.
  • Familiarize yourself with the specific properties for configuring the cipher suites and protocols: cipherSuites, ssl30Enabled, tls10Enabled, tls11Enabled, and tls12Enabled.

Procedure

  1. Create a JSON request for specifying the protocols and cipher suites to use.
    The following example has the default settings.
    {
      "cipherSuites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
      "ssl30Enabled": "false",
      "tls10Enabled": "false",
      "tls11Enabled": "false",
      "tls12Enabled": "true"
    }
  2. Use a REST client, such as curl or Postman, to send the JSON request to the Unified Access Gateway REST API and configure the protocols and cipher suites.

    In the example, access-point-appliance.example.com is the fully qualified domain name of the Unified Access Gateway appliance.

    curl -k -d @- -u 'admin' -H "Content-Type: application/json" -X PUT https://access-point-appliance.example.com:9443/rest/v1/config/system < ~/ciphers.json
    ciphers.json is the JSON request you created in the previous step.
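Steps 1 and 2 as one script, added here as an example that is not part of the original documentation: it builds the default configuration from step 1, refuses to submit a body that re-enables SSL v3.0, TLS v1.0 or TLS v1.1 or lists a weak cipher suite, and then performs the PUT from step 2 with Python's standard library instead of curl. The host, user and password arguments are placeholders, and the WEAK_MARKERS list is an assumption of this example, not something the appliance enforces.

```python
import base64, json, ssl, urllib.request

# The page's default settings as a dict (constructed for this example).
DEFAULT_CONFIG = {
    "cipherSuites": ",".join(["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                              "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"]),
    "ssl30Enabled": "false",
    "tls10Enabled": "false",
    "tls11Enabled": "false",
    "tls12Enabled": "true",
}

# Substrings marking suites no deployment should offer (anonymous DH, NULL, RC4, DES, export, MD5).
# This list is the example's own assumption, not an appliance rule.
WEAK_MARKERS = ("_anon_", "_NULL_", "_RC4_", "_DES_", "_3DES_", "_EXPORT", "_MD5")


def lint_config(cfg):
    """Return a list of problems with a system config; an empty list means it is acceptable."""
    problems = []
    for key in ("ssl30Enabled", "tls10Enabled", "tls11Enabled"):
        if str(cfg.get(key, "false")).lower() != "false":
            problems.append(f"{key} must be false")
    if str(cfg.get("tls12Enabled", "false")).lower() != "true":
        problems.append("tls12Enabled must be true")
    suites = [s.strip() for s in cfg.get("cipherSuites", "").split(",") if s.strip()]
    if not suites:
        problems.append("cipherSuites is empty")
    for s in suites:
        if not s.startswith("TLS_") or any(m in s for m in WEAK_MARKERS):
            problems.append(f"weak or malformed cipher suite: {s}")
    return problems


def put_system_config(host, user, password, cfg, port=9443, insecure=False):
    """PUT cfg to /rest/v1/config/system (the page's curl call) and return the HTTP status.
    host, user and password are caller-supplied placeholders; insecure=True mirrors curl -k."""
    problems = lint_config(cfg)
    if problems:
        raise ValueError("refusing to submit: " + "; ".join(problems))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}:{port}/rest/v1/config/system", method="PUT",
        data=json.dumps(cfg).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token})
    ctx = ssl.create_default_context()
    if insecure:  # skip certificate verification like curl -k; only acceptable in a lab
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status
```

Because lint_config runs before anything is sent, a mistaken request that would weaken the appliance never leaves the workstation.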

Results

The cipher suites and protocols that you specified are used.