Blog

SSL Policies for securing your APIs

By | Date posted: January 29, 2014
SSL-100

Forum Sentry provides granular control for centralized SSL/TLS protection of your APIs running on application servers, web servers or message queues.  Forum Sentry typically sits in front of such components and deals with all the SSL related communication for your APIs so that you can focus on building business functionality while Forum Sentry takes the ownership of your security policies.

Learn how to set SSL policies for your XML, JSON, HTML, SOAP traffic and the benefits of using Forum Sentry for protecting your SOA, API components.

After you log into the web-based Forum Sentry administrative interface, expand Resources in the left hand navigation panel and select SSL. You will have default settings selected for you that you can easily modify.

SSL-Policies-Forum-Sentry

In the use-case shown, we set an SSL termination policy to protect incoming traffic.  Note that the SSL policies are abstracted from the communication protocols and can be used by a variety of such protocols including HTTP, IBM MQ, JMS, SMTP and FTP.  The key pair is selected on this screen along with signer group if client authentication is required (X.509 Mutual Auth).

Administrators have granular control over what protocol versions (e.g., SSL v3 vs TLS v1.2) and cipher suites (e.g., 3DES vs RC4) should be used. You can implement a more conservative security policy by turning off cipher suites that are not as strong as others, for example, you may decide that RC4, Elliptic Curves (ECDSA, ECDHE, ECDH) are not an accepted cipher for your corporate SSL communication.  You can selectively turn those off.  This will ensure that the clients attempting to communicate with your enterprise are required to use the highest level of security by eliminating weak cipher suites or cipher suites suspected of intentional backdoors.  This level of selectivity and control is difficult to deploy and maintain with typical application, ESB and web servers.

Multiple SSL policies can be set with varying cipher suites and key pairs.  Key lifecycle maintenance is simple and available directly within the Sentry Web Interface for CSR re-generation and self-signed, or CA signed certificates.  These key renewals can be seamlessly applied to all communication protocols that utilize this policy for centralized key management.

Related content:

Leave a Comment