Configuring TLS
Because each node hosts its own standalone webserver, TLS is configured per node: to configure TLS for a node, you must log into the webGUI of that specific node.
- Log into the Cryptographic Security Platform Vault Management webGUI using an account with Security Admin privileges.
- In the top right, click the Switch to Appliance Management link.
- In the top menu bar, click Settings.
- In the General Settings section, click TLS Configuration.
- On the Protocol tab, select the TLS protocol versions that you want to allow:
  - TLSv1.2, TLSv1.3
  - TLSv1.3 only
- Optionally, on the Cipher Suite tab, review the detailed list of available ciphers. To remove a cipher from this list, click the X following the name of the cipher that you do not want to use. To add a cipher, click in the bottom of the list box, enter a valid cipher name, then click Reload.
  The following ciphers are supported:
  - ECDHE-ECDSA-AES256-GCM-SHA384
  - ECDHE-RSA-AES256-GCM-SHA384
  - ECDHE-ECDSA-AES256-CCM
  - ECDHE-ECDSA-AES128-GCM-SHA256
  - ECDHE-RSA-AES128-GCM-SHA256
  - ECDHE-ECDSA-AES128-CCM
  - DHE-RSA-AES256-GCM-SHA384
  - DHE-RSA-AES256-CCM
  - DHE-RSA-AES128-GCM-SHA256
  - DHE-RSA-AES128-CCM
  - PSK-AES256-GCM-SHA384
  - PSK-AES256-CCM
  - PSK-AES128-GCM-SHA256
  - PSK-AES128-CCM
  - DHE-PSK-AES256-GCM-SHA384
  - DHE-PSK-AES256-CCM
  - DHE-PSK-AES128-GCM-SHA256
  - DHE-PSK-AES128-CCM
- On the TLS Extended Master Secret tab, select whether or not to enforce EMS (RFC 7627). We highly recommend that you enable EMS.
  Important:
  - The EMS setting applies to the entire cluster. Changing the EMS setting automatically reboots all nodes in the cluster. After rebooting, it may take the nodes several minutes to restart.
  - If you have EMS configured on your Cryptographic Security Platform Vault Appliance, you must disable it before you can connect to Cryptographic Security Platform Compliance Manager.
  - If you plan to use Double Key Encryption (DKE), TLS must be set to TLSv1.2, TLSv1.3 and EMS must be set to Do not enforce EMS.
- When you are finished, click Apply.
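The following script is an added example for the Protocol and Cipher Suite steps above; it is not part of the product documentation or the appliance firmware. It checks a proposed cipher list against the supported suites listed on this page (flagging any plain PSK suites, whose key exchange is not ephemeral and therefore gives no forward secrecy), asks the local OpenSSL whether it recognizes a name before you type it into the list box, and, after you click Apply, lets you confirm from a workstation which protocol versions a node actually negotiates. The hostname and port passed to `probe_protocol_support` are assumptions supplied by the caller.

```python
"""Sanity-check a proposed TLS cipher list and verify a node's protocol
settings after applying them. Added example, not vendor code."""
import socket
import ssl

# Cipher suites listed as supported on this page. These are TLS 1.2 names;
# TLS 1.3 suites are fixed by the protocol and are not edited in this list.
SUPPORTED_CIPHERS = frozenset({
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-CCM", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-CCM",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-CCM",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-CCM",
    "PSK-AES256-GCM-SHA384", "PSK-AES256-CCM",
    "PSK-AES128-GCM-SHA256", "PSK-AES128-CCM",
    "DHE-PSK-AES256-GCM-SHA384", "DHE-PSK-AES256-CCM",
    "DHE-PSK-AES128-GCM-SHA256", "DHE-PSK-AES128-CCM",
})


def has_forward_secrecy(cipher: str) -> bool:
    """True when the key exchange is ephemeral (ECDHE or DHE, including
    DHE-PSK). Plain PSK-* suites derive session keys from the static
    pre-shared key alone, so a later key compromise exposes past sessions."""
    return cipher.startswith(("ECDHE-", "DHE-"))


def check_cipher_list(requested):
    """Split a proposed list into supported and unsupported names and
    report which of the supported names lack forward secrecy."""
    names = [c.strip().upper() for c in requested if c.strip()]
    supported = [c for c in names if c in SUPPORTED_CIPHERS]
    unsupported = [c for c in names if c not in SUPPORTED_CIPHERS]
    no_fs = [c for c in supported if not has_forward_secrecy(c)]
    return {"supported": supported,
            "unsupported": unsupported,
            "no_forward_secrecy": no_fs}


def openssl_recognizes(cipher: str) -> bool:
    """Ask the local OpenSSL build whether it knows this cipher name.
    The answer depends on how OpenSSL was compiled, so treat it as a
    hint, not as the appliance's own validation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return False
    return any(c["name"] == cipher for c in ctx.get_ciphers())


def probe_protocol_support(host: str, port: int = 443, timeout: float = 5.0):
    """Attempt one TLS 1.2-only and one TLS 1.3-only handshake against a
    node (host/port are caller-supplied assumptions). Certificate
    verification is switched off because only version negotiation is
    being tested; do not reuse this context for real traffic."""
    results = {}
    for label, version in (("TLSv1.2", ssl.TLSVersion.TLSv1_2),
                           ("TLSv1.3", ssl.TLSVersion.TLSv1_3)):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    # True only if the node agreed to exactly this version.
                    results[label] = tls.version() == label
        except (ssl.SSLError, OSError):
            results[label] = False
    return results


if __name__ == "__main__":
    # Constructed sample: two supported names, one of them without
    # forward secrecy, and one name the appliance does not list.
    report = check_cipher_list(["ECDHE-RSA-AES256-GCM-SHA384",
                                "PSK-AES128-CCM", "AES128-SHA"])
    for key, value in report.items():
        print(f"{key}: {value}")
    print("local OpenSSL knows ECDHE-RSA-AES128-GCM-SHA256:",
          openssl_recognizes("ECDHE-RSA-AES128-GCM-SHA256"))
```

After choosing "TLSv1.3 only", a run of `probe_protocol_support("vault-node.example", 443)` against the node should report `TLSv1.2: False` and `TLSv1.3: True`; if "TLSv1.2, TLSv1.3" was chosen, both should be `True`. A `True` for a version you intended to disable means the change has not taken effect on that node, which matters because each node keeps its own TLS configuration.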