8.17 Security Profile

The Security profile is a generic profile that you can use to make encryption configurations that can be used by the HTTP/2 agent.

The profile consists of two tabs: General and Advanced.

General Tab

Keystore Settings

The following settings are available:

SettingsDescription
Type

You can select from the following options:

  • Java Keystore
  • <None>

Selecting <None> disables the rest of the keystore settings.

Path

Enter the location of the keystore from which you want to read the key. 
PasswordEnter the relevant keystore password. 
Key AliasIf the keystore contains more than one key, specify the alias of the key that you want to use.
Key PasswordThe Key Password fields is optional. You can enter the key password, or if you leave this field empty, the Password that you entered is the default.


Example - How to create a symmetric crypto key

$ keytool -keystore test.ks -storepass password -genseckey -keysize 128 -alias testkey -keyalg AES

Example - How to create a Keystore file with security contents

This example code shows how to create a Java keystore file for both the server and client connection. In this example this will generate the file, containing the associated security certificate, public and private key. 

Code Block
keytool -genkey -alias server -keyalg RSA -keystore ./server.jks

NOTE: Remember the password issued for the server.jks file.

Example - How to create a client-specific Keystore file

To create a client-specific Java Keystore file, you can use the keytool command with the required variables. In this example the generated file will be for a specific client and contain only their certificate and public key. 

Code Block
$ keytool -export -alias server -keystore ./server.jks -file ./server.cer
...
$ keytool -import -alias client -file ./server.cer -keystore ./client.jks
...

Note: Execution of these commands will present password entry prompts, you will need to remember the entered passphrase. 

Truststore Settings

The following settings are available:

SettingsDescription
Type

You can select from the following options: 

  • Java Truststore
  • Use Java Keystore
  • <None>

Selecting Use Java Keystore disables the rest of the truststore settings and the keystore specified in Keystore Settings is used.

Selecting <None> disables the rest of the truststore settings.

Path

Enter the location of the truststore that you want to use. 
PasswordEnter the relevant truststore password.

Advanced Tab

The Advanced tab enables you to make more detailed configurations for which cipher suites to accept. 

The following settings are available:

SettingsDescription
Enable TLS Settings

If you want to change the TLS security parameters, select this check box. The default setting is to use the settings from the Java installation.

Accepted Protocols

You can select if you want agents using this profile to accept only TLS version 1.3 or any TLS version. The default setting is to only accept version 1.3.

Used Cipher Suites

You can select if you want agents using this profile to use only suites that are enabled by default, or any suites. The default setting is to only use suites that are enabled by default.

Cipher Suite Must Match

In this field you can enter any characters that you want the cipher suites to match. You can also enter lists of regular expression, one per row, that you want the cipher suites to match. Suites not matching your entry are greyed out in the Result on this JVM field.

Cipher Suite Must Not Match

If you want to exclude cipher suites, you can enter any characters in this field which excludes suites matching the characters. You can also enter lists of regular expression, one per row, for cipher suites to exclude.

Result on this JVMThis field displays the cipher suites available on the current JVM.