Configure TLS Cipher Suite for applications

Allows an admin to select a default or custom cipher suite to be used for the TLS client-server handshake before TLS-secured communication starts. Applies to access and client-access apps, not SaaS apps.

EAA allows users to have a secure network connection using TLS 1.1 or higher to access their applications on the application server. You can use the default strong cipher suite suggested by Akamai or select a custom cipher suite for the TLS handshake between the client machine (the user's laptop) and the server (the application server) before a secure network connection is established. A cipher suite is a set of algorithms that includes a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm. For the TLS 1.0-1.2 handshake, you can refer to the cipher suite wiki. There are many cipher suites, and some are more secure than others.

Each cipher suite has a unique name that identifies it and describes its algorithmic contents. Each segment in a cipher suite name stands for a different algorithm or protocol. An example of a cipher suite name: TLSv1.2-ECDHE-RSA-AES128-GCM-SHA256

The name can be interpreted as:
  • TLSv1.2 defines the protocol that this cipher suite is for and the version number.

  • ECDHE-RSA indicates the key exchange algorithm being used. The key exchange algorithm is used to determine if and how the client and server will authenticate during the handshake.

  • AES128-GCM indicates the block cipher being used to encrypt the message stream, together with the block cipher mode of operation.

  • SHA256 indicates the message authentication algorithm which is used to authenticate a message.
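
The naming scheme above can be split mechanically, which helps when reviewing a custom selection before deployment. The following is an added example, not part of the original page or Akamai's code; it assumes names follow the sample's pattern (a protocol prefix plus an OpenSSL-style suite name), and the weak-algorithm sets and every name other than the page's sample are constructed for illustration.

```python
# Added example, not Akamai code. Names are assumed to follow the page's
# sample pattern: "<protocol>-<OpenSSL-style suite name>".
KX_AUTH = {"ECDHE", "DHE", "ECDH", "DH", "RSA", "ECDSA", "DSS", "PSK"}
FORWARD_SECRET = {"ECDHE", "DHE"}
# Assumption: widely deprecated algorithms, not Akamai's own weak-cipher list.
WEAK_CIPHERS = {"RC4", "DES", "3DES", "NULL"}
WEAK_MACS = {"MD5"}
NO_MODE = {"RC4", "NULL", "CHACHA20"}  # stream/null ciphers: no block mode


def parse_suite(name):
    """Split a suite name into protocol, key exchange, cipher, mode and MAC."""
    parts = name.strip().split("-")
    if len(parts) < 3 or not parts[0].startswith("TLSv"):
        raise ValueError(f"unrecognized cipher suite name: {name!r}")
    protocol, mac, middle = parts[0], parts[-1], parts[1:-1]
    kx = []
    while middle and middle[0] in KX_AUTH:  # leading key exchange/auth tokens
        kx.append(middle.pop(0))
    if not middle:
        raise ValueError(f"no bulk cipher in {name!r}")
    cipher = middle[0]
    mode = middle[1] if len(middle) > 1 else None
    if (cipher, mode) == ("DES", "CBC3"):  # OpenSSL spelling of 3DES
        cipher, mode = "3DES", "CBC"
    elif mode is None and cipher not in NO_MODE:
        mode = "CBC"  # OpenSSL-style names leave CBC implicit
    return {"protocol": protocol,
            "key_exchange": "-".join(kx) or "RSA",  # no prefix = static RSA
            "cipher": cipher, "mode": mode, "mac": mac}


def weaknesses(name):
    """Return the reasons a suite would be considered weak (empty if none)."""
    s = parse_suite(name)
    found = []
    if s["key_exchange"].split("-")[0] not in FORWARD_SECRET:
        found.append("no forward secrecy")
    if s["cipher"] in WEAK_CIPHERS:
        found.append(f"weak cipher {s['cipher']}")
    if s["mac"] in WEAK_MACS:
        found.append(f"weak MAC {s['mac']}")
    return found


if __name__ == "__main__":
    # Constructed names; only the first appears on the page.
    for n in ("TLSv1.2-ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2-AES128-GCM-SHA256",
              "TLSv1.1-ECDHE-RSA-DES-CBC3-SHA", "TLSv1.1-RC4-MD5"):
        print(n, parse_suite(n), weaknesses(n) or "no findings")
```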

A sample cipher in the UI is shown:

Before establishing a TLS secure connection, the client and server perform a TLS handshake. During the TLS handshake, the client sends its predefined ciphers to the server in the ClientHello message. The server chooses the matching cipher (if available) and responds with a ServerHello message that includes the chosen cipher suite and the session ID. Next, the server sends a digital certificate to verify its identity to the client. If they are not using pre-shared keys, the client sends an encrypted message to the server that enables the client and server to compute the secret key that will be used during exchanges. After successfully verifying the authentication of the server and, if needed, exchanging the secret key, the client sends a finished message to signal that it is done with the handshake process. After receiving this message, the server sends a finished message that confirms that the handshake is complete. Now the client and the server are in agreement on which cipher suite to use to communicate with each other. This is how cipher suites are negotiated and the SSL handshake is established between the client and the server.

If you make any changes to your existing apps, you will need to add a TLS cipher suite before deploying the application. Otherwise, existing apps will work without this change.

How to

  1. Log in to the EAA Management Portal.
  2. From the top menu bar click Applications.
  3. Locate the application card for which you want to configure the TLS cipher suite.
  4. Click Settings > ADVANCED SETTINGS.
  5. Go to the Configure TLS Cipher suite section.
  6. Select one of the following for Cipher suite configuration for the TLS handshake between the user and the application server:
    • Default. Use the default strong cipher suite as recommended by Akamai. Only TLS version 1.2 strong ciphers are supported.
    • Custom. Select a cipher suite from the list. If you select a cipher suite that has a weak cipher, you will receive a warning when you deploy the application. A weak cipher is one that has vulnerabilities through which its security can be compromised. Supports both TLS version 1.1 and TLS version 1.2 ciphers.
  7. Click Save and go to Deployment. Deploy the application.