13.17 HTTPS Options

IMPORTANT: The HTTPS Options policy is not available in the Advanced Authentication as a Service (SaaS) version.

In this policy, you can configure the settings that protect the appliance from security vulnerabilities in its HTTPS configuration.

This policy allows you to configure the following settings:

  • Enable TLS 1.0: This option is disabled by default because TLS 1.0 is considered an unsafe protocol. In some scenarios, you can enable it to support older browser versions. For more information on browser support for TLS, see TLS support for web browsers.

  • Enable TLS 1.1: This option is disabled by default to prevent security vulnerabilities and to keep the connection between the server and the web portals (Helpdesk, Self-Service, and so on) secure. It is recommended to keep the default setting because TLS 1.1 is considered an unsafe protocol. In some scenarios, you can enable it to support older browser versions.

  • Enable Client SSL for Webauth Service: This option enables client SSL, so that users can authenticate to a web environment using the details in their client SSL certificate. This option is used for the virtual smart card support of the PKI method. Client SSL also ensures the privacy of the data transmitted to the server.

    When this option is set to OFF, the user must use the PKI device to authenticate to any device or web service.

    When this option is set to ON, the following settings are displayed:

    • Client SSL CA Certificate Store: This setting allows you to upload the CA certificate that is required to validate the client SSL certificate during OAuth 2.0 event authentication.

    • Enable Auto Enrollment based on certificate: This option enables auto-enrollment of the PKI method using the client SSL certificate in the user's browser.

      When this option is set to ON, the PKI method is auto-enrolled if the following conditions are true:

      • The PKI method and another authentication method are added to the chain associated with the OAuth 2.0 event, and the user has enrolled the other method available in the chain.

      • A valid client SSL certificate is available in the user's browser.

      When this option is set to OFF, the PKI method is not auto-enrolled even if the browser has a valid client SSL certificate.

    • SSL Client Certificate Verify Depth: This setting defines the number of levels in the certificate chain that are validated when a client certificate is verified during authentication. The verification ensures that the client certificate is valid and signed by a trusted authority.

      For example, if you set the SSL Client Certificate Verify Depth to 2, the client certificate must pass two levels of validation by two different certificate authorities.

  • Frame Ancestor URLs (One URL per line): This setting allows the listed domains to load the Advanced Authentication pages in an iFrame. Previously, no domain was allowed to load the pages in an iFrame. You can specify any number of domain names.

  • Advanced SSL Settings: This setting allows you to configure the preferred DH group and the SSL cipher suites used for exchanging data over a secured connection. Click the + icon to display the following settings:

    • Pre-defined DH group: This setting allows you to select the key exchange group, which determines the strength of the key exchanged between the server and the client for a secured connection. The default value is FFDHE2048. For a more secure connection, select a higher group number.

    • Pre-defined SSL ciphersuite: This setting allows you to select a cipher suite, which defines how a secured connection is established and how data is communicated over it. The default value is Less Restrictive Ciphers, for backward compatibility.

      The SSL cipher suite is a combination of key exchange, authentication, bulk data encryption, and message authentication code (MAC) algorithms. SSL uses one or more cipher suites to secure the transfer of data between the client and the server.

      For example, a cipher suite can contain the following algorithms:

      • DH: indicates key exchange or agreement

      • DSA: indicates authentication

      • Triple DES (3DES): indicates bulk data encryption (a block or stream cipher)

      • SHA: indicates message authentication

    • SSL ciphersuite: This setting displays all algorithms of the SSL cipher suite that you selected in Pre-defined SSL ciphersuite. When you modify the algorithms, the Pre-defined SSL ciphersuite is set to Custom automatically.

      WARNING: While customizing the cipher suite, ensure that the combination of algorithms is valid. If a cipher suite contains an invalid combination of algorithms, the Advanced Authentication portals, such as the Administration, Helpdesk, and Self-Service portals, become inaccessible.
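      As an added illustration of how a cipher suite decomposes into the key exchange, authentication, bulk cipher and MAC algorithms described above, and of the kind of review worth doing before applying a custom SSL ciphersuite, the following Python script (not part of this product documentation or the product itself) parses IANA-style suite names and reports the weak components it recognises. The suite names in the sample list are constructed for the demonstration; the naming convention assumed is TLS_<key exchange>[_<auth>]_WITH_<bulk cipher>_<MAC or PRF hash>.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed naming convention: TLS_<KX>[_<AUTH>]_WITH_<BULK>_<MAC or PRF hash>
_SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<rest>[A-Z0-9_]+)$")
_HASHES = ("MD5", "SHA", "SHA256", "SHA384")
_WEAK_BULK = ("NULL", "RC2", "RC4", "DES", "3DES")
_STATIC_KX = ("RSA", "DH", "ECDH")   # no ephemeral key: no forward secrecy

@dataclass
class CipherSuite:
    name: str
    key_exchange: str     # DHE, ECDHE, RSA (key transport), DH (static)
    authentication: str   # RSA, DSS (DSA), ECDSA, anon
    bulk_cipher: str      # AES_256_GCM, 3DES_EDE_CBC, ...
    mac: str              # HMAC hash, or "AEAD" when the cipher authenticates itself

def parse_suite(name: str) -> CipherSuite:
    """Split one suite name into its four algorithm components."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not a TLS 1.2-style suite name: {name}")
    kx = m.group("kx").split("_")
    # "RSA" alone means RSA key transport authenticated by the RSA certificate;
    # "DHE_DSS" means ephemeral DH agreement authenticated by a DSA certificate.
    key_exchange, authentication = kx[0], (kx[1] if len(kx) > 1 else kx[0])
    bulk, _, tail = m.group("rest").rpartition("_")
    if tail not in _HASHES:            # e.g. ..._AES_128_CCM has no separate MAC
        bulk, tail = m.group("rest"), "AEAD"
    return CipherSuite(name, key_exchange, authentication, bulk, tail)

def audit_suite(name: str) -> List[str]:
    """Return the weaknesses found in one suite; an empty list means none recognised."""
    s = parse_suite(name)
    findings = []
    if s.authentication == "anon":
        findings.append("anonymous key exchange: server is not authenticated")
    if s.key_exchange in _STATIC_KX:
        findings.append("static key exchange: no forward secrecy")
    if any(part in _WEAK_BULK for part in s.bulk_cipher.split("_")):
        findings.append(f"weak bulk cipher: {s.bulk_cipher}")
    if s.mac in ("MD5", "SHA"):        # "SHA" alone denotes HMAC-SHA-1
        findings.append(f"weak MAC: HMAC-{s.mac}")
    return findings

def audit_list(names: List[str]) -> Dict[str, List[str]]:
    """Audit a whole custom list; an unparseable name is reported as a finding."""
    report = {}
    for n in names:
        try:
            report[n] = audit_suite(n)
        except ValueError as e:
            report[n] = [str(e)]
    return report

if __name__ == "__main__":
    sample = ["TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",        # constructed sample input
              "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256"]
    for n, f in audit_list(sample).items():
        print(n, "->", f or "no findings")
```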