ASE supports both TLS 1.2 and SSLv3 for external APIs.
By default, SSLv3 is disabled due to security vulnerabilities. To change the default and enable SSLv3, stop ASE and then change enable_sslv3 to true in the ase.conf file. Restart ASE to activate SSLv3 protocol support.
SSLv3 is only supported for client to ASE connections, not ASE to backend server connections.
; SSLv3
enable_sslv3=true
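One way to audit a configuration file for this setting before restarting ASE, as an added example that is not part of the ASE documentation or tooling. The function names are hypothetical, and the script assumes that `;` starts a comment line and that settings are written as key=value, as in the snippet above.

```shell
#!/bin/sh
# Audit an ase.conf-style file for the SSLv3 switch (added example).
# Assumptions: ";" starts a comment line and settings are key=value, as in
# the snippet above; the value is compared case-insensitively.

# Print "line:value" for every active enable_sslv3 setting in file $1.
ase_sslv3_settings() {
    awk '
        /^[ \t]*;/ { next }                  # skip comment lines
        {
            line = $0
            sub(/\r$/, "", line)             # tolerate CRLF line endings
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enable_sslv3") print NR ":" tolower(val)
        }
    ' "$1"
}

# Return 0 and print a finding if any active line enables SSLv3, else return 1.
ase_sslv3_enabled() {
    hits=$(ase_sslv3_settings "$1" | grep ':true$') || return 1
    lines=$(printf '%s\n' "$hits" | cut -d: -f1 | tr '\n' ' ')
    printf 'SSLv3 enabled in %s at line(s): %s\n' "$1" "$lines"
}

# Constructed sample input, not a real ase.conf.
sample=$(mktemp)
printf '; SSLv3\nenable_sslv3=true\n' > "$sample"
ase_sslv3_enabled "$sample" || echo "SSLv3 is disabled in $sample"
rm -f "$sample"
```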
OpenSSL is bundled with ASE. The following are the version details:
- RHEL: OpenSSL 1.0.2k-fips 26 Jan 2017
- Ubuntu: OpenSSL 1.0.2g 1 Mar 2016
You can configure SSL in ASE for client-side connections using one of the following methods:
- Using a CA-signed certificate
- Using a self-signed certificate
- Importing an existing certificate
The steps provided in this section are for the certificate and key generated for connections between the client and ASE as depicted in the diagram below:
In a cluster setup:
- Stop all the ASE cluster nodes
- Configure the certificate on the management node.
  Note: For more information on management node, see API Security Enforcer Admin Guide.
- Start the cluster nodes one by one for the certificates to synchronize across the nodes