|
%SYS
|
|
|
%SYS
|
|
Define the SSL/TLS configurations, and methods which manipulate them. More...
Public Member Functions | |
| _.Library.Status | Activate () |
| Activate the configuration. More... | |
| ConvertProtocols () | |
| Convert deprecated Protocol property to new Min/MaxVersion. | |
| _.Library.Status | Deactivate () |
| Deactivate this configuration. | |
| _.Library.String | GetCertificate () |
| Get the contents of the file named by CertificateFile. | |
| _.Library.Status | TestConnection (_.Library.String Host, _.Library.Integer Port, _.Library.String Info) |
| Test the SSL configuration. More... | |
| _.Library.String | Validate (_.Library.String Host, _.Library.Integer Port) |
| Validate the SSL configuration (DEPRECATED). More... | |
| def | __init__ (self) |
| Protocols enabled. More... | |
Public Attributes | |
| AuthorizeCN | |
| Authorize a backup failover member to join a mirror. More... | |
| CAFile | |
| File containing X.509 certificate(s) of trusted Certificate Authorities. More... | |
| CAPath | |
| Directory containing file(s) with X.509 certificate(s) of trusted Certificate Authorities. More... | |
| CertificateFile | |
| File containing this configuration's X.509 certificate. More... | |
| CipherList | |
| Colon-delimited list of enabled ciphersuites for TLSv1.2 and below. More... | |
| Ciphersuites | |
| Colon-delimited lists of enabled ciphersuites for TLSv1.3. More... | |
| Description | |
| Description of the SSL configuration. More... | |
| DiffieHellmanBits | |
| Size of Diffie Hellman key. More... | |
| Enabled | |
| Configuration is enabled. More... | |
| Name | |
| SSL configuration name. More... | |
| OCSP | |
| OCSP Stapling. More... | |
| OCSPIssuerCert | |
| OCSPIssuerCert. More... | |
| OCSPResponseFile | |
| OCSPResponseFile. More... | |
| OCSPURL | |
| OCSPURL. More... | |
| PrivateKeyFile | |
| File containing this configuration's private key. More... | |
| PrivateKeyPassword | |
| Optional password used to decrypt this configuration's private key. More... | |
| PrivateKeyType | |
| Private key type, one of: More... | |
| Protocols | |
| SNIName | |
| TLSMaxVersion | |
| Maximum TLS protocol version enabled. More... | |
| TLSMinVersion | |
| Minimum TLS protocol version enabled. More... | |
| Type | |
| Intended type for this configuration. More... | |
| VerifyDepth | |
| Maximum number of CA certificates allowed in peer certificate chain. More... | |
| VerifyPeer | |
| Peer certificate verification level. More... | |
Static Public Attributes | |
| DOMAIN = None | |
| Default Localization Domain. | |
Define the SSL/TLS configurations, and methods which manipulate them.
1) SSL configuration names are case sensitive.
2) Maximum length of a configuration name is 64 characters.
Once an SSL configuration is defined and activated, you can use the name of the configuration as a parameter to the open or use command in order to set up an SSL connection.
LogicalToDisplay Open dev:(Host:Port:"M":/TLS="Name"):10
The Admin Secure:USE permission is required to operate on an SSL configuration.
The table for this class should be manipulated only through object access, the published API's or through the System Management Portal. It should not be updated through direct SQL access.
| def __init__ | ( | self | ) |
Protocols enabled.
Bit 2 - TLSv1.0
Bit 3 - TLSv1.1
Bit 4 - TLSv1.2
Bit 5 - TLSv1.3
DEPRECATED. Use TLSMinVersion and TLSMaxVersion instead.
The fully qualified DNS hostname of the server for use with the Subject Name Indication (SNI)
TLS extension DEPRECATED.
| _.Library.Status Activate | ( | ) |
Activate the configuration.
Activate the configuration for use when new TCP connections are OPENed with the /SSL or /TLS parameter.
|
static |
Activate all configurations.
Activate all defined SSL configurations.
|
static |
Create an SSL configuration.
Create an SSL configuration in the Security database.
Parameters:
Name - Name of the SSL configuration to create
Properties - Array of properties corresponding to the class properties
For example, Properties("CAFile")=Filename
|
static |
Delete an SSL configuration.
This method will delete an SSL configuration from the security database.
Parameters:
Name - Name of SSL configuration to delete
|
static |
SSL configuration exists.
This method checks for the existence of an SSL Configuration in the security database.
Parameters:
Name - Name of the SSL configuration to check existence of
Return values:
If Value of the method = 0 (SSL configuration does not exist, or some error occured)
SSLConfig = Null
Status = SSL configuration "x" does not exist, or other error message<br>
If Value of the method = 1 (SSL configuration exists)
SSLConfig = Object handle to SSL configuration
Status = $$$OK
|
static |
This method exports SSL configuration Objects to a file in xml format.
Parameters:
FileName - Output file name
NumExported (byref) - Returns number of XML records exported.
SSLConfigs - Comma separated list of SSL configurations to export, "*" = All NoPwd - When true, PrivateKeyPassword is not exported
|
static |
Get a SSL configuration's properties.
Gets a SSL configuration's properties from the security database.
Parameters:
Name - Name of the SSL configuration to get
Return values:
Properties - Array of properties.
For example, Properties("CAFile")=Filename
Note: Admin_Secure:Use permission required for this method since it returns an unhashed password.
|
static |
Import SSL configuration records from an xml file.
Parameters:
FileName - Filename to import SSL configuration records from
NumImported (byref) - Returns number of records imported
Flags - Control import
Bit 0 - Do not import records, just return count
Note: On failure, no records will be imported
Warning: Import will fail if the certificate paths or certificates do not exist before the import.
|
static |
Modify an SSL configuration.
Modify an existing SSL configuration's properties in the security database.
Parameters:
Name - Name of the SSL configuration to modify
Properties - Array of properties to modify.
For example, Properties("CAFile")=Filename If a specific property is not passed in the properties array, or is the same as the existing value, the value is not modified.
| _.Library.Status TestConnection | ( | _.Library.String | Host, |
| _.Library.Integer | Port, | ||
| _.Library.String | Info | ||
| ) |
Test the SSL configuration.
Attempts to make an SSL connection to the passed Host and port.
Parameters:
Host - Ip name of the host to connect to
Port - Port # of the host to connect to
Return Values:
On success, Info is returned as an array of messages concerning the host which we connected to.
| _.Library.String Validate | ( | _.Library.String | Host, |
| _.Library.Integer | Port | ||
| ) |
Validate the SSL configuration (DEPRECATED).
Use the TestConnection method instead.
Attempts to make an SSL connection to the passed Host and port.
Parameters:
Host - Ip name of the host to connect to
Port - Port # of the host to connect to
Return Values:
String of success or error messages.
| AuthorizeCN |
Authorize a backup failover member to join a mirror.
Normally, mirroring with SSL requires the following steps:
This presents difficulties for declarative mirror configuration via CPF. When this property is set to 1, the Distinguished Name is extracted from this mirror's SSL certificates and used to pre-authorize the backup member to join.
| CAFile |
File containing X.509 certificate(s) of trusted Certificate Authorities.
Can be an absolute pathname, a pathname relative to the manager's directory, or a special value "%OSCertificateStore" for OS-provided trusted CA certificate stores.
Clients: Specify CAFile and/or CAPath
Servers: Specify CAFile and/or CAServer if VerifyPeer > 0
| CAPath |
Directory containing file(s) with X.509 certificate(s) of trusted Certificate Authorities.
Can be an absolute pathname or a pathname relative to the manager's directory.
Clients: Specify CAFile and/or CAPath
Servers: Specify CAFile and/or CAServer if VerifyPeer > 0
| CertificateFile |
File containing this configuration's X.509 certificate.
Can be an absolute pathname or a pathname relative to the manager's directory. If not null, PrivateKeyFile must also be specified.
| CipherList |
Colon-delimited list of enabled ciphersuites for TLSv1.2 and below.
By default, disable anonymous, unencrypted, export, and SSLv2 ciphersuites.
| Ciphersuites |
Colon-delimited lists of enabled ciphersuites for TLSv1.3.
| Description |
Description of the SSL configuration.
| DiffieHellmanBits |
Size of Diffie Hellman key.
(Relevant for server configurations only)
Default is 0 (Auto)
| Enabled |
Configuration is enabled.
| Name |
SSL configuration name.
| OCSP |
OCSP Stapling.
Clients:
0 = None
1 = Require valid OCSP Stapling (continue only if OCSP verification succeeds)
Servers:
0 = None
1 = Support OCSP Stapling
| OCSPIssuerCert |
OCSPIssuerCert.
For Servers with OCSP Stapling support, this is issuer certificate to be used when
requesting an OCSP response.
| OCSPResponseFile |
OCSPResponseFile.
For Servers with OCSP Stapling support, this is the path to store the cached OCSP response file.
| OCSPURL |
OCSPURL.
For Servers with OCSP Stapling support, this is the URL used to request an OCSP response
Note: this is populated automatically based on the server certificate.
| PrivateKeyFile |
File containing this configuration's private key.
Can be an absolute pathname or a pathname relative to the manager's directory. If not null, CertificateFile must also be specified.
| PrivateKeyPassword |
Optional password used to decrypt this configuration's private key.
If not null, PrivateKeyFile and CertificateFile must also be specified.
| PrivateKeyType |
Private key type, one of:
1 = DSA
2 = RSA
| Protocols |
| SNIName |
| TLSMaxVersion |
Maximum TLS protocol version enabled.
2 - SSLv3 4 - TLSv1.0 8 - TLSv1.1 16 - TLSv1.2 32 - TLSv1.3 Default = TLSv1.3 Requirement is TLSMaxVersion >= TLSMinVersion
| TLSMinVersion |
Minimum TLS protocol version enabled.
2 - SSLv3 4 - TLSv1.0 8 - TLSv1.1 16 - TLSv1.2 32 - TLSv1.3 Default is TLSv1.2
Requirement is TLSMinVersion <= TLSMaxVersion
| Type |
Intended type for this configuration.
0 = client
1 = server
Default is client (0)
| VerifyDepth |
Maximum number of CA certificates allowed in peer certificate chain.
| VerifyPeer |
Peer certificate verification level.
Clients:
0 = None (continue even if certificate verification fails)
1 = Require server certificate (continue only if certificate verification succeeds)
Servers:
0 = None (do not request client certificate)
1 = Request client certificate (terminate if certificate is provided and verification fails)
3 = Require client certificate (continue only if certificate is provided and verification succeeds)
1.9.1