Previously, arcotcommon.ini did not allow a granular combination of protocols and cipher suites to be specified for SSL connections. In the "ssl/config" section of arcotcommon.ini, one could only specify a high-level SSL protocol, like this:
[ssl/config]
sslContextAlgorithm=TLS
Now, arcotcommon.ini allows a granular combination of protocols and cipher suites to be specified for SSL connections. Refer to the configuration below:
--- Risk Auth Server
RiskAuthSupportedProtocols - List of supported protocols (tlsv1,tlsv1.1,tlsv1.2 - lowercase only) for RiskAuth Server
RiskAuthCipherSuites - List of supported cipher suites with names as mentioned in document ( https://www.openssl.org/docs/man1.0.2/man1/ciphers.html ) for RiskAuth Server
Ex:
[ssl/config]
RiskAuthSupportedProtocols=tlsv1.2
RiskAuthCipherSuites=ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256
The above example makes the RiskAuth Server communicate only over the tlsv1.2 protocol, using the ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES128-GCM-SHA256 cipher suites.
--- Strong Auth Server
StrongAuthSupportedProtocols - List of supported protocols (tlsv1,tlsv1.1,tlsv1.2 - lowercase only) for StrongAuth Server
StrongAuthCipherSuites - List of supported cipher suites with names as mentioned in document ( https://www.openssl.org/docs/man1.0.2/man1/ciphers.html ) for StrongAuth Server
Ex:
[ssl/config]
StrongAuthSupportedProtocols=tlsv1.2
StrongAuthCipherSuites=ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256
Release: 9.x
Component: CA Strong Authentication and CA Risk Authentication
The following Advanced Authentication servers must be restarted for the configuration discussed above to take effect (Advanced Authentication is used interchangeably with CA Strong/Risk Authentication):
1. arcotuds
2. arcotadmin
3. arcotwebfort
4. arcotriskfort
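
A pre-restart check for the settings described above, as an added example that is not part of the original article or the product. It parses the [ssl/config] section, rejects protocol values outside the lowercase list given here, flags tlsv1 and tlsv1.1 as legacy (deprecated by RFC 8996), and checks that each cipher suite name resolves in the local Python/OpenSSL build. Assumptions: the local OpenSSL is close enough to the servers' build for name checking, and the function names and sample content are constructed for illustration.

```python
import configparser
import ssl

ALLOWED = {"tlsv1", "tlsv1.1", "tlsv1.2"}  # values this page lists, lowercase only
LEGACY = {"tlsv1", "tlsv1.1"}              # deprecated by RFC 8996
SERVERS = ("RiskAuth", "StrongAuth")       # key prefixes from this page

def openssl_resolves(name):
    """True if the local OpenSSL build can select a cipher for this name."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers(name)
        return True
    except ssl.SSLError:
        return False

def audit(ini_text):
    """Return a list of findings for the [ssl/config] section of ini_text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names case-sensitive, as written
    cp.read_string(ini_text)
    if not cp.has_section("ssl/config"):
        return ["[ssl/config] section not found"]
    sec, findings = cp["ssl/config"], []
    for srv in SERVERS:
        for suffix in ("SupportedProtocols", "CipherSuites"):
            key = srv + suffix
            if key not in sec:
                findings.append(f"{key}: not set")
                continue
            for item in (v.strip() for v in sec[key].split(",") if v.strip()):
                if suffix == "CipherSuites":
                    if not openssl_resolves(item):
                        findings.append(f"{key}: '{item}' unknown to local OpenSSL")
                elif item not in ALLOWED:
                    findings.append(f"{key}: '{item}' is not an accepted value")
                elif item in LEGACY:
                    findings.append(f"{key}: '{item}' is a legacy protocol")
    return findings

# Constructed sample: mixed-case protocol, legacy protocol, misspelled suite.
SAMPLE = """
[ssl/config]
RiskAuthSupportedProtocols=TLSv1.2,tlsv1
RiskAuthCipherSuites=ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA265
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty list means every value passed. A generic OpenSSL cipher string such as HIGH also resolves, so the check catches misspelled names rather than weak selections.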