Configuring TLS
Beginning with Cryptographic Security Platform Vault Version 10.4.5, Secure Sockets Layer (SSL) has been replaced with Transport Layer Security (TLS). Support has also been added for Extended Master Secret (EMS).
Because each node hosts a standalone web server, to configure TLS for a node you must log into the webGUI of that specific node.
- Log into the Cryptographic Security Platform Vault Management webGUI using an account with Security Admin privileges.
- In the top right, click the Switch to Appliance Management link.
- In the top menu bar, click Settings.
- In the General Settings section, click TLS Configuration.
- On the Protocol tab, select the TLS protocol versions that you want to allow:
  - TLSv1.2, TLSv1.3
  - TLSv1.3 only
- Optionally, on the Cipher Suite tab, review the detailed list of available ciphers. To remove a cipher from this list, click the X following the cipher name that you do not want to use. To add a cipher, click at the bottom of the list box, enter a valid cipher name, then click Reload.
  The following ciphers are supported:
  - ECDHE-ECDSA-AES256-GCM-SHA384
  - ECDHE-RSA-AES256-GCM-SHA384
  - ECDHE-ECDSA-AES256-CCM
  - ECDHE-ECDSA-AES128-GCM-SHA256
  - ECDHE-RSA-AES128-GCM-SHA256
  - ECDHE-ECDSA-AES128-CCM
  - DHE-RSA-AES256-GCM-SHA384
  - DHE-RSA-AES256-CCM
  - DHE-RSA-AES128-GCM-SHA256
  - DHE-RSA-AES128-CCM
  - PSK-AES256-GCM-SHA384
  - PSK-AES256-CCM
  - PSK-AES128-GCM-SHA256
  - PSK-AES128-CCM
  - DHE-PSK-AES256-GCM-SHA384
  - DHE-PSK-AES256-CCM
  - DHE-PSK-AES128-GCM-SHA256
  - DHE-PSK-AES128-CCM
- On the TLS Extended Master Secret tab, select whether or not to enforce EMS. We highly recommend that you enable EMS.
  Important:
  - The EMS setting applies to the entire cluster. Changing the EMS setting automatically reboots all nodes in the cluster; after rebooting, it may take the nodes several minutes to restart.
  - If you have EMS configured on your Cryptographic Security Platform Vault Appliance, you must disable it before you can connect to Cryptographic Security Platform Compliance Manager.
  - If you plan to use Double Key Encryption (DKE), TLS must be set to TLSv1.2, TLSv1.3 and EMS must be set to Do not enforce EMS.
- When you are finished, click Apply.
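After you click Apply, confirm from outside the node that the settings took effect. The script below is an added example, not part of this documentation or the product: it parses the TLS 1.2 cipher names listed above, checks that a name is one your local OpenSSL knows before you type it into the Cipher Suite tab, and probes a node (hostname supplied by the caller; port 443 is an assumption) to confirm TLS 1.0/1.1 are refused and to show which version and cipher actually negotiate.

```python
import socket, ssl
# Legacy versions that must be refused once only TLSv1.2/TLSv1.3 are enabled.
LEGACY = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}

def parse_cipher(name):
    """Split an OpenSSL-style name such as ECDHE-ECDSA-AES256-GCM-SHA384 or DHE-PSK-AES128-CCM."""
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE"):
        kex, auth, rest = parts[0], parts[1], parts[2:]
    elif parts[0] == "PSK":
        kex, auth, rest = "PSK", "PSK", parts[1:]
    else:
        raise ValueError(f"unrecognised cipher name shape: {name}")
    if len(rest) < 2: raise ValueError(f"missing bulk cipher or mode in: {name}")
    return {"kex": kex, "auth": auth, "cipher": rest[0], "mode": rest[1],
            "forward_secrecy": kex in ("ECDHE", "DHE"),  # plain PSK suites have none
            "aead": rest[1] in ("GCM", "CCM")}           # every suite on this page is AEAD

def openssl_accepts(name):
    """True if the local OpenSSL knows the name; check before typing it into the Cipher Suite tab."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(name)
    except ssl.SSLError:
        return False
    return any(c["name"] == name for c in ctx.get_ciphers())

def _client(version=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # policy probe, not an identity check
    if version is not None:
        ctx.minimum_version = ctx.maximum_version = version
    return ctx

def probe_node(host, port=443, timeout=5):
    """After Apply: negotiated version/cipher, plus whether each legacy version is refused."""
    report = {"refused": {}}
    for label, ver in LEGACY.items():
        try:
            ctx = _client(ver)  # ValueError if this OpenSSL build lacks the version entirely
            with socket.create_connection((host, port), timeout) as raw, ctx.wrap_socket(raw):
                report["refused"][label] = False  # handshake succeeded: legacy version still enabled
        except ValueError:
            report["refused"][label] = "untestable"
        except OSError as err:  # ssl.SSLError is an OSError subclass
            report["refused"][label] = "untestable" if "NO_PROTOCOLS_AVAILABLE" in str(err) else True
    with socket.create_connection((host, port), timeout) as raw, \
            _client().wrap_socket(raw, server_hostname=host) as tls:
        report["version"], report["cipher"] = tls.version(), tls.cipher()[0]
    return report
```

Python's ssl module does not expose whether Extended Master Secret was negotiated; for that check, `openssl s_client -connect <node>:443 -tls1_2` prints an `Extended master secret: yes/no` line in its session summary.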