The set ssl command configures how a DSA uses SSL/TLS: where its certificate and private key live, which certification authorities it trusts, and which protocol version and ciphers it accepts.
The command takes effect only when the DSA starts. If you issue set ssl from the DSA console on a running DSA, the running values are not changed and the following warning is logged to the warn file:
WARN : Cannot change SSL params once set
Note: Before CA Directory r12 SP2, SSL functionality was provided by SSLD, a separate process. Now each DSA provides its own SSL functionality, so there is no separate SSLD process to configure or monitor.
This command has the following format:
set ssl = { cert-dir = certificate_directory ca-file = certification_authority [cipher = cipher] [protocol = tls] [fips = true] [pin = pin] [lib = library] [slot = slot-number] };
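The three stanzas below are added examples, not taken from the CA Directory documentation; they are alternatives, so only one belongs in a DSA's configuration file. The directory and file paths are constructed for illustration (the page itself shows only the Windows path of the HSM library), and the comment lines are for the reader. The first stanza is the bare minimum and inherits the SSL 3.0 default; the second is the one to start from in practice, because it forces TLS and restricts the cipher set to FIPS-compliant ciphers; the third moves the private key into an HSM using the pin, lib and slot parameters described on this page.

```text
# Minimal stanza: only cert-dir and ca-file are mandatory. Because
# protocol is omitted the DSA falls back to SSL 3.0 (paths are constructed).
set ssl = {
    cert-dir = "/opt/CA/Directory/dxserver/config/ssld/personalities"
    ca-file = "/opt/CA/Directory/dxserver/config/ssld/trusted.pem"
};

# Hardened stanza: TLS instead of SSL 3.0, FIPS-compliant ciphers only.
set ssl = {
    cert-dir = "/opt/CA/Directory/dxserver/config/ssld/personalities"
    ca-file = "/opt/CA/Directory/dxserver/config/ssld/trusted.pem"
    protocol = tls
    fips = true
};

# Hardened stanza with the private key held in an HSM. Paths with spaces
# are quoted, as the lib example on this page is. The PIN is stored in
# clear text here, so restrict who can read this file.
set ssl = {
    cert-dir = "C:\Program Files\CA\Directory\dxserver\config\ssld\personalities"
    ca-file = "C:\Program Files\CA\Directory\dxserver\config\ssld\trusted.pem"
    protocol = tls
    fips = true
    pin = 1234
    lib = "C:\Program Files\Eracom\ProtectToolkit C Runtime\cryptoki.dll"
    slot = 2
};
```

Because set ssl is read only at startup, a typo in any of these stanzas is not picked up by a console change; restart the DSA and check the warn file after editing.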
cert-dir = certificate_directory
Identifies the directory that contains the DSA's certificate and private-key files in PEM format.
ca-file = certification_authority
Identifies the file that contains the trusted certification authority certificates in PEM format.
cipher = cipher
(Optional) Specifies the ciphers that the DSA accepts for SSL and TLS connections.
protocol = tls
(Optional) Instructs the DSA to use TLS instead of SSL 3.0. If you omit this parameter, the DSA uses SSL 3.0. SSL 3.0 is deprecated (RFC 7568) and vulnerable to the POODLE padding-oracle attack, so set protocol = tls on every DSA unless a peer that cannot negotiate TLS forces you to do otherwise.
fips = true
(Optional) Instructs the DSA to accept only FIPS-compliant ciphers. Omit this parameter to accept all SSL ciphers.
pin = pin
(Optional) Specifies the user PIN of the hardware security module (HSM). When a PIN is specified, the DSA uses the private key through the HSM instead of reading a key file. The PIN is stored in clear text in the configuration file, so restrict read access to that file. For example:
pin=1234
lib = library
(Optional) Specifies the file that contains the PKCS #11 library supplied by the HSM vendor. For example:
lib="C:\Program Files\Eracom\ProtectToolkit C Runtime\cryptoki.dll"
slot = slot-number
(Optional) Specifies the slot in the HSM that holds the corresponding private key. For example:
slot=2
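Since the DSA reads set ssl only at startup, a broken certificate or a key that does not belong to its certificate is discovered at the worst moment. The shell function below is an added example, not a CA Directory tool, that checks the material cert-dir and ca-file point to before a restart: every certificate must chain to a CA in ca-file, and the private key beside it must match its public key. It assumes the openssl command-line tool is installed and that each certificate in cert-dir is stored as NAME.pem with its private key as NAME.key; the product does not mandate that layout, so adjust the glob and key name to your own naming. It does not cover keys held in an HSM (pin, lib, slot).

```shell
#!/bin/sh
# Pre-flight check for the files named by a DSA 'set ssl' stanza.
# Added example; assumes the openssl CLI and the NAME.pem / NAME.key layout
# described above (an assumption, not a CA Directory requirement).
#
# Usage: check_ssl_material CERT_DIR CA_FILE
# Returns 0 when every certificate in CERT_DIR verifies against CA_FILE and
# has a matching private key beside it, 1 otherwise (problems go to stderr).
check_ssl_material() {
  cert_dir="$1"
  ca_file="$2"
  status=0
  [ -d "$cert_dir" ] || { echo "cert-dir $cert_dir is not a directory" >&2; return 1; }
  [ -f "$ca_file" ] || { echo "ca-file $ca_file not found" >&2; return 1; }

  for cert in "$cert_dir"/*.pem; do
    [ -f "$cert" ] || continue
    key="${cert%.pem}.key"

    # The certificate must chain to one of the trusted CAs in ca-file;
    # a self-signed or foreign-CA certificate is rejected here.
    if ! openssl verify -CAfile "$ca_file" "$cert" >/dev/null 2>&1; then
      echo "$cert does not chain to a CA in $ca_file" >&2
      status=1
    fi

    # The public key inside the certificate must equal the public half of
    # the private key beside it; compare the two SubjectPublicKeyInfo PEMs.
    if [ -f "$key" ]; then
      cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
      key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
      if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key $key does not match $cert" >&2
        status=1
      fi
    else
      echo "no private key $key beside $cert" >&2
      status=1
    fi
  done
  return $status
}
```

Run it against the directory and file you intend to put in cert-dir and ca-file, and only restart the DSA once it returns 0. A failure from openssl verify usually means the issuing CA is missing from ca-file; a key mismatch usually means a certificate was renewed without its key being copied alongside it.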
Copyright © 2011 CA. All rights reserved.