As part of an SSL initiation profile, you can specify actions related to certificate revocation checks and choose an option to ignore certificate validation, root CA expiration dates, and other such issues, based on your requirements. Commonly ignored errors include the inability to verify the CA signature, incorrect certificate expiration dates, and so forth. We do not recommend using this option for authentication because configuring it results in websites not being authenticated at all.
Note: The SSL initiation profile is supported on the SRX340, SRX345, SRX550m, SRX1500, SRX4100, SRX4200, and vSRX2.0 platforms.
The SSL Proxy Profiles page appears. Table 248 explains the contents of this page.
Add icon (+)—Create a new SSL initiation client profile. Enter information as specified in Table 249.
Edit icon (/)—Edits the selected SSL proxy configuration. Enter information as specified in Table 249.
Delete icon (X)—Deletes the selected SSL proxy configuration.
Search icon—Enables you to search for an SSL proxy in the grid.
Show Hide Column Filter icon—Enables you to show or hide a column in the grid.
Click the Commit icon at the top of the J-Web page. The following commit options are displayed:
Commit—Commits the configuration and returns to the main configuration page.
Compare—Enables you to see the configuration changes that you have made in Show Pending Changes.
Discard—Discards the configuration changes you made in J-Web.
Preferences—There are two tabs:
Commit preferences—You can choose to just validate or validate and commit the changes.
Startup page upon login—You can choose which page is displayed as soon as you log in to J-Web. The options are: Configuration, Monitoring, Dashboard, and Last accessed.
Table 248: SSL Initiation Profile Page
Field | Function |
---|---|
Name | Displays the name of the SSL initiation profile. |
Flow Tracing | Displays whether flow trace is enabled or disabled for troubleshooting policy-related issues. |
Protocol Version | Displays the accepted SSL protocol version. |
Preferred Cipher | Displays the preferred cipher which the SSH server uses to perform encryption and decryption functions. |
Session Cache | Displays whether SSL session cache is enabled or not. |
Server Authentication Failure | Displays the action that will be performed if errors are encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry). |
Certificate Revocation | Displays the criterion for certificate revocation for the SSL initiation profile. |
Table 249: Create-Edit SSL Initiation Profile - Configuration Details
Field | Function | Action |
---|---|---|
Policy Options | ||
Name | Specifies the name of the SSL initiation profile. | Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters. |
Flow Tracing | Specifies whether or not to enable flow tracing for this profile. | Select this option to enable flow trace for troubleshooting policy-related issues for this profile. |
Protocol Version | Specifies the accepted SSL protocol version. | Select the protocol from the dropdown list: None, All, TLSv1, TLSv1.1, or TLSv1.2. |
Preferred Cipher | Specify the cipher depending on its key strength. Ciphers are divided into the following categories. | Select a preferred cipher from the dropdown list. |
Session Cache | Specifies whether SSL session cache is enabled or not. | Select this option to enable SSL session cache. |
Certificate | ||
Trusted CA | Specify the set of ciphers the SSH server can use to perform encryption and decryption functions. If this option is not configured, the server accepts any supported suite that is available. | Select the trusted certificate authority profile from the dropdown list. |
Client Certificate | Specify a client certificate that is required to effectively authenticate the client. | Select the appropriate client certificate from the dropdown list. |
Actions | ||
Server Authentication Failure | Specifies if you want to ignore server authentication completely. In this case, SSL forward proxy ignores errors encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry). We do not recommend this option for authentication, because configuring it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause for dropped SSL sessions. | Select this option to ignore server authentication completely. |
CRL Validation | Specifies certificate revocation actions, whether CRL validation is enabled or disabled. | Select if you want to disable CRL validation. |
Action | Specifies the action if CRL information is not present. | Select the action if CRL info is not present from the options: Allow session, Drop session, or None. |
Hold Instruction Code | Specifies if you want to hold the instruction code for this profile. | Select Ignore if you want to keep the instruction code on hold. |
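
The Actions fields in Table 249 all loosen server certificate checking, so it is useful to review exported configurations for them. The following is an added example, not part of the original J-Web documentation: a Python check over `display set` output that lists which SSL initiation profiles relax validation. The sample configuration, profile names, and the mapping of CLI statements to J-Web field names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in "display set" form; profile and CA names are hypothetical.
SAMPLE_CONFIG = """\
set services ssl initiation profile debug-init trusted-ca all
set services ssl initiation profile debug-init actions ignore-server-auth-failure
set services ssl initiation profile debug-init actions crl disable
set services ssl initiation profile prod-init trusted-ca corp-root-ca
set services ssl initiation profile prod-init client-certificate srx-client-cert
set services ssl initiation profile prod-init actions crl if-not-present drop
set services ssl initiation profile lab-init actions crl if-not-present   allow
set services ssl initiation profile lab-init actions crl ignore-hold-instruction-code
"""

# "actions" statement -> (Table 249 field, effect). Field mapping is an assumption.
RELAXED = {
    "ignore-server-auth-failure": ("Server Authentication Failure",
        "server certificate errors are ignored; the peer is not authenticated"),
    "crl disable": ("CRL Validation", "revocation checking is turned off"),
    "crl if-not-present allow": ("Action",
        "sessions are allowed when no CRL information is present"),
    "crl ignore-hold-instruction-code": ("Hold Instruction Code",
        "the hold instruction code in CRL entries is ignored"),
}

ACTION_RE = re.compile(r"^set services ssl initiation profile (\S+) actions (.+)$")

def audit(config_text):
    """Return {profile: [(statement, jweb_field, effect), ...]} for relaxed checks."""
    findings = defaultdict(list)
    for line in config_text.splitlines():
        match = ACTION_RE.match(line.strip())
        if not match:
            continue  # not an "actions" statement of an SSL initiation profile
        profile = match.group(1)
        statement = " ".join(match.group(2).split())  # normalize spacing
        if statement in RELAXED:
            findings[profile].append((statement, *RELAXED[statement]))
    return dict(findings)

def report(findings):
    """Format findings as one line per relaxed setting, sorted by profile."""
    return [f"{p}: {stmt} [{field}] - {effect}"
            for p in sorted(findings) for stmt, field, effect in findings[p]]

if __name__ == "__main__":
    print("\n".join(report(audit(SAMPLE_CONFIG))))
```
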