7.5.6 End-to-end Security Settings

When you configure connections using the centralized management server Security Proxy, the connection between the client and the Security Proxy server is secured and encrypted using the SSL/TLS protocol. By default, the information sent between the proxy server and the destination host is in the clear. When you enable End-to-End security, information sent between the Security Proxy and the destination host is also encrypted. This is done by tunneling a direct TLS/SSL connection to the host through the centralized management server Security Proxy.

Use the End-to-end Settings dialog box to configure the SSL/TLS settings for the direct connection to the host. The options are:

Security type

Specify which version of TLS to use.

Encryption strength

Specify the desired level of encryption for the TLS connection. The connection will fail if this level cannot be provided. If you select auto, any encryption level is permitted, and InfoConnect will negotiate with the host system to choose the strongest encryption level supported by both the host and the client.

Verify host name against host certificate name

Specifies whether host name matching is required when validating host certificates. When this setting is enabled (the default), the host name you configure for the path in the TCP/UDP Path Options dialog box must exactly match a host name or IP address entered in either the CommonName or the SubjectAltName field of the certificate.

This setting is required for DOD PKI users.
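The host name matching rule described above, as an added illustration that is not code from the InfoConnect product: the configured host name or IP address is compared literally against the CommonName and each SubjectAltName entry of a constructed certificate, given in the dictionary layout that Python's ssl module returns from getpeercert(). Case-insensitive comparison of DNS names and the rejection of wildcard entries are assumptions about what "exactly match" means.

```python
import ipaddress

# Constructed sample certificate in the dict layout of ssl.SSLSocket.getpeercert():
# 'subject' is a tuple of RDNs, 'subjectAltName' a tuple of (type, value) pairs.
SAMPLE_CERT = {
    "subject": ((("commonName", "tn3270.example.test"),),),
    "subjectAltName": (
        ("DNS", "tn3270.example.test"),
        ("DNS", "mainframe.example.test"),
        ("IP Address", "192.0.2.10"),
    ),
}


def certificate_names(cert):
    """Return every name the certificate claims: the CommonName plus each
    DNS or IP Address SubjectAltName entry."""
    names = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address"):
            names.append(value)
    return names


def _same_name(configured_host, configured_ip, candidate):
    """Literal comparison: IP addresses compare as parsed addresses, DNS names
    compare case-insensitively with any trailing dot removed. No wildcard
    expansion is performed (assumption)."""
    if configured_ip is not None:
        try:
            return ipaddress.ip_address(candidate) == configured_ip
        except ValueError:
            return False
    return candidate.lower().rstrip(".") == configured_host.lower().rstrip(".")


def host_name_matches(configured_host, cert):
    """True when the host name configured for the path matches a CommonName
    or SubjectAltName entry of the presented host certificate."""
    try:
        configured_ip = ipaddress.ip_address(configured_host)
    except ValueError:
        configured_ip = None
    return any(_same_name(configured_host, configured_ip, name)
               for name in certificate_names(cert))
```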

Certificate revocation

Use CRL

Select this option to validate the authenticating certificate by checking it against a digitally signed list of certificates that have been revoked by the Certification Authority. Certificates identified in a CRL are no longer valid.

OCSP

Select this option as an alternative to CRL checking to confirm whether a certificate is valid. OCSP uses the HTTP transport and responds to certificate status requests with one of three digitally signed responses: "good", "revoked", or "unknown". OCSP removes the need for servers and/or clients to retrieve and sort through large CRLs.

User authentication certificate

Pick identity certificate automatically

When you select this option, InfoConnect presents all available personal certificates to the server for client authentication.

Use the selected identity certificate

Select this option to specify a particular certificate. Type the name of a user certificate to use for client authentication, or click Browse to select it from a list of personal certificates available in the Reflection Certificate Manager store and the Windows system store.

Reflection Certificate Manager

Click to import and manage user certificates in the Reflection Certificate Manager.