Configuring TLS

Because each node hosts a standalone webserver, if you want to configure TLS for a node you must log into the webGUI for that specific node.

Important: The TLS Protocol and the Cipher Suite that you select apply to a single node only. The TLS Extended Master Secret (EMS) applies to the entire cluster that the node belongs to.

  1. Log into the Cryptographic Security Platform Vault Management webGUI using an account with Security Admin privileges.
  2. In the top right, click the Switch to Appliance Management link.
  3. In the top menu bar, click Settings.
  4. In the General Settings section, click TLS Configuration.
  5. On the Protocol tab, select the TLS protocol versions that you want to allow:

    • TLSv1.2, TLSv1.3
    • TLSv1.3 only

    Important: The TLS protocol setting applies only to the node that you are currently connected to. If you want to join this node to a cluster, both nodes must have the same TLS protocol setting.

  6. Optionally, on the Cipher Suite tab, review the list of available ciphers. To remove a cipher from the list, click the X following the name of the cipher that you do not want to use. To add a cipher, click at the bottom of the list box, enter a valid cipher name, then click Reload.

    The following ciphers are supported:

    • ECDHE-ECDSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-ECDSA-AES256-CCM
    • ECDHE-ECDSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-ECDSA-AES128-CCM
    • DHE-RSA-AES256-GCM-SHA384
    • DHE-RSA-AES256-CCM
    • DHE-RSA-AES128-GCM-SHA256
    • DHE-RSA-AES128-CCM
    • PSK-AES256-GCM-SHA384
    • PSK-AES256-CCM
    • PSK-AES128-GCM-SHA256
    • PSK-AES128-CCM
    • DHE-PSK-AES256-GCM-SHA384
    • DHE-PSK-AES256-CCM
    • DHE-PSK-AES128-GCM-SHA256
    • DHE-PSK-AES128-CCM

  7. On the TLS Extended Master Secret tab, select whether or not to enforce EMS. We highly recommend that you enable EMS.

    Important:

    • The EMS setting applies to the entire cluster. Changing the EMS setting automatically reboots all nodes in the cluster. After rebooting, it may take the nodes several minutes to restart.
    • If you plan to use Double Key Encryption (DKE), TLS must be set to TLSv1.2, TLSv1.3 and EMS must be set to Do not enforce EMS.

  8. When you are finished, click Apply.
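As an added example (not part of the product documentation), the following Python script performs the checks this procedure implies before nodes are joined: it validates cipher names typed into the Cipher Suite tab against the supported list above, probes each node's webGUI for the protocol versions it will negotiate, and flags nodes whose settings differ or that would conflict with the DKE requirement. Host names, ports and the CA file are assumed placeholders.

```python
"""Pre-flight checks for the per-node TLS settings described above."""
import socket
import ssl

# Cipher names taken from the supported list on this page (OpenSSL notation).
SUPPORTED_CIPHERS = frozenset({
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-CCM", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-CCM",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-CCM",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-CCM",
    "PSK-AES256-GCM-SHA384", "PSK-AES256-CCM",
    "PSK-AES128-GCM-SHA256", "PSK-AES128-CCM",
    "DHE-PSK-AES256-GCM-SHA384", "DHE-PSK-AES256-CCM",
    "DHE-PSK-AES128-GCM-SHA256", "DHE-PSK-AES128-CCM",
})

def validate_cipher_list(entries):
    """Split a cipher list as typed into the list box (comma or colon
    separated) into names the appliance supports and names it does not."""
    names = [n.strip() for n in entries.replace(":", ",").split(",") if n.strip()]
    ok = [n for n in names if n in SUPPORTED_CIPHERS]
    bad = [n for n in names if n not in SUPPORTED_CIPHERS]
    return ok, bad

def probe_versions(host, port=443, cafile=None):
    """Return the set of TLS versions a node's webGUI will negotiate
    ("TLSv1.2" and/or "TLSv1.3"). cafile is the placeholder CA bundle
    that issued the appliance certificate; verification stays enabled."""
    offered = set()
    for ver in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.minimum_version = ctx.maximum_version = ver  # pin one version
        try:
            with socket.create_connection((host, port), timeout=5) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    offered.add(tls.version())
        except (ssl.SSLError, OSError):
            pass  # handshake refused: this version is not enabled on the node
    return offered

def cluster_issues(node_versions, dke_planned=False):
    """node_versions maps node name -> set of versions from probe_versions().
    Returns human-readable problems that would block joining the cluster."""
    issues = []
    baseline = next(iter(node_versions.values()))  # first node sets the baseline
    for node, versions in node_versions.items():
        if versions != baseline:
            issues.append(f"{node} offers {sorted(versions)}; baseline is {sorted(baseline)}")
    if dke_planned and any("TLSv1.2" not in v for v in node_versions.values()):
        issues.append("DKE requires TLSv1.2 to remain enabled on every node")
    return issues
```

Python's ssl module does not report whether the Extended Master Secret extension was negotiated, so the cluster-wide EMS setting still has to be confirmed on the TLS Extended Master Secret tab.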