Configuring TLS
Beginning with KeyControl version 10.4.1, Secure Sockets Layer (SSL) has been replaced with Transport Layer Security (TLS), and support has been added for Extended Master Secret (EMS).
Because each node hosts a standalone web server, to configure TLS for a node you must log into the webGUI of that specific node.
- Log into the KeyControl Vault Management webGUI using an account with Security Admin privileges.
- In the top right, click the Switch to Appliance Management link.
- In the top menu bar, click Settings.
- In the General Settings section, click TLS Configuration.
- On the Protocol tab, select the TLS protocol versions that you want to allow:
  - TLSv1.2, TLSv1.3
  - TLSv1.3 only
- Optionally, on the Cipher Suite tab, review the detailed list of available ciphers. To remove a cipher from the list, click the X following its name. To add a cipher, click in the bottom of the list box, enter a valid cipher name, and then click Reload.
  The following ciphers are supported:
  - ECDHE-ECDSA-AES256-GCM-SHA384
  - ECDHE-RSA-AES256-GCM-SHA384
  - ECDHE-ECDSA-AES256-CCM
  - ECDHE-ECDSA-AES128-GCM-SHA256
  - ECDHE-RSA-AES128-GCM-SHA256
  - ECDHE-ECDSA-AES128-CCM
  - DHE-RSA-AES256-GCM-SHA384
  - DHE-RSA-AES256-CCM
  - DHE-RSA-AES128-GCM-SHA256
  - DHE-RSA-AES128-CCM
  - PSK-AES256-GCM-SHA384
  - PSK-AES256-CCM
  - PSK-AES128-GCM-SHA256
  - PSK-AES128-CCM
  - DHE-PSK-AES256-GCM-SHA384
  - DHE-PSK-AES256-CCM
  - DHE-PSK-AES128-GCM-SHA256
  - DHE-PSK-AES128-CCM
- On the TLS Extended Master Secret tab, select whether or not to enforce EMS. We highly recommend that you enable EMS.
  Important: The EMS setting applies to the entire cluster.
- When you are finished, click Apply.
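The Cipher Suite box accepts any name you type and only tells you whether Reload succeeds, so it helps to check a cipher string before entering it. The following Python script is an added example, not part of KeyControl or its documentation: it parses a colon-separated OpenSSL-style cipher string (the notation the list above uses), checks each entry against the supported list copied from this page, and points out the suites that a reviewer would want to think about. The parsing rules and the sample strings are my own; the only facts taken from the page are the supported names.

```python
"""Audit an OpenSSL-style cipher string against the KeyControl supported list.

Added example (not KeyControl code). SUPPORTED is copied from the
documentation page; the name-parsing rules and sample inputs below are
constructed for this demo.
"""

import re

# The 18 cipher suites the page lists as supported, in OpenSSL notation.
SUPPORTED = {
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-CCM", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-CCM",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-CCM",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-CCM",
    "PSK-AES256-GCM-SHA384", "PSK-AES256-CCM",
    "PSK-AES128-GCM-SHA256", "PSK-AES128-CCM",
    "DHE-PSK-AES256-GCM-SHA384", "DHE-PSK-AES256-CCM",
    "DHE-PSK-AES128-GCM-SHA256", "DHE-PSK-AES128-CCM",
}

# Shape shared by every name on the supported list:
#   <key exchange/auth>-AES<bits>-<GCM|CCM>[-SHA256|-SHA384]
NAME_RE = re.compile(
    r"^(?P<kx>ECDHE-ECDSA|ECDHE-RSA|DHE-RSA|DHE-PSK|PSK)"
    r"-AES(?P<bits>128|256)-(?P<mode>GCM|CCM)(?:-SHA(?:256|384))?$"
)


def describe(name):
    """Return the properties of one cipher suite name, or None if the name
    does not follow the pattern of the supported set."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    kx = m.group("kx")
    return {
        "name": name,
        "supported": name in SUPPORTED,
        # ECDHE and DHE negotiate an ephemeral key, so a later compromise of
        # long-term secrets does not expose recorded sessions. A bare PSK
        # suite derives its keys from the static pre-shared key alone.
        "forward_secrecy": kx.startswith(("ECDHE", "DHE")),
        # PSK-authenticated suites do not use the node's TLS certificate.
        "certificate_auth": kx in ("ECDHE-ECDSA", "ECDHE-RSA", "DHE-RSA"),
        "key_bits": int(m.group("bits")),
        # GCM and CCM are both AEAD modes (no separate MAC, no CBC padding).
        "aead": m.group("mode") in ("GCM", "CCM"),
    }


def audit(cipher_string):
    """Split a colon-separated cipher string and classify every entry.

    A trailing ':' (as in the page's own rendering of the list) is tolerated.
    """
    report = {"unrecognised": [], "unsupported": [],
              "no_forward_secrecy": [], "ok": []}
    for raw in cipher_string.split(":"):
        name = raw.strip()
        if not name:
            continue
        info = describe(name)
        if info is None:
            # Does not even match the naming pattern (e.g. a CBC/SHA1 suite).
            report["unrecognised"].append(name)
        elif not info["supported"]:
            # Well-formed, but not on the supported list for this product.
            report["unsupported"].append(name)
        else:
            if not info["forward_secrecy"]:
                report["no_forward_secrecy"].append(name)
            report["ok"].append(name)
    return report


if __name__ == "__main__":
    # Constructed sample: the page's list plus two names a user might try.
    sample = ":".join(sorted(SUPPORTED)) + ":ECDHE-RSA-AES256-CCM:AES256-SHA:"
    for key, names in audit(sample).items():
        print(f"{key:20s} {len(names):2d}  {', '.join(names)}")
```

Run it as `python3 audit_ciphers.py` (the file name is arbitrary) or import `audit` and pass the exact string you intend to type into the box. Entries reported as `unrecognised` or `unsupported` will not help you, and the `no_forward_secrecy` group (the four plain `PSK-*` suites) is worth a deliberate decision rather than being left enabled by default, since those suites rely entirely on the static pre-shared key and do not involve the node's certificate.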