Hardening TLS: Summary

When hardening an Enterprise Server installation, review the following steps. Consult the topics in this document and related ones in your product Help for more information:

Disable old TLS protocols
Disable TLSv1.0 and TLSv1.1.
Enable only strong cipher suites
Configure a list of strong cipher suites or set the security level to a high value. Use the Honor Server Cipher List option.
Use a proper CA
Do not use DemoCA in production; use a commercial or organizational CA.
Generate quality certificates
Create certificates that conform to industry best practices. For server certificates, include all the appropriate Subject Alternative Names. Use strong signing algorithms (avoid MD5 and SHA1) and sufficiently large keys (for example, at least 2048 bits for RSA keys).
Protect private keys
Use key-file formats that encrypt the private key, and set restrictive file permissions. Do not share private keys with entities that do not need them. Determine which method of supplying the keyfile passphrase is most appropriate for your organization.
Note: You can use the Micro Focus Vault Facility to store a secret for the certificate and keyfile passphrases. This can be specified in the mf-server.dat file and takes one of the following forms:
mfsecret:configuration-name:secret-path

or:

mfsecret::secret-path

or:

mfsecret:secret-path
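The following is an added example, not part of this Help topic or of the Enterprise Server product, showing how the protocol, cipher-suite and private-key checks above can be verified with Python's standard ssl module. The function names, the cipher string STRONG_CIPHERS and the heuristic list WEAK_FRAGMENTS are assumptions of this example, not product settings.

```python
import os
import ssl
import stat

# OpenSSL-style suite names containing these fragments rely on algorithms
# this topic says to avoid. Names beginning "TLS_" are TLS 1.3 suites and
# are always forward secret. (Heuristic list chosen for this example.)
WEAK_FRAGMENTS = ("RC4", "DES", "MD5", "NULL", "EXP", "RC2", "IDEA", "SEED")
STRONG_CIPHERS = ("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
                  "!aNULL:!eNULL:!MD5:!PSK:!SRP")


def hardened_context():
    """Context that refuses TLSv1.0/1.1 and offers only strong suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # disables TLSv1.0 and 1.1
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def old_protocols_allowed(ctx):
    """True if the context would still negotiate TLSv1.1 or older."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def weak_cipher_names(names):
    """Return the suites that use a weak algorithm or lack forward secrecy."""
    flagged = []
    for name in names:
        if any(frag in name for frag in WEAK_FRAGMENTS):
            flagged.append(name)
        elif not name.startswith(("ECDHE", "DHE", "TLS_")):
            flagged.append(name)  # static RSA key exchange: no forward secrecy
    return flagged


def keyfile_issues(pem_text, mode):
    """Check a private-key file's PEM content and its st_mode permission bits."""
    issues = []
    # PKCS#8 encrypted keys and traditional PEM keys with a Proc-Type header
    # are the two encrypted-at-rest formats OpenSSL writes.
    encrypted = ("BEGIN ENCRYPTED PRIVATE KEY" in pem_text
                 or "Proc-Type: 4,ENCRYPTED" in pem_text)
    if not encrypted:
        issues.append("private key is stored unencrypted")
    if stat.S_IMODE(mode) & 0o077:
        issues.append("key file is readable by group or others")
    return issues


def audit_keyfile(path):
    """Convenience wrapper that reads the key file from disk."""
    with open(path) as fh:
        return keyfile_issues(fh.read(), os.stat(path).st_mode)
```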