Configure security settings

Symphony’s SSL functionality can be configured to suit specific security requirements.

This section implements a typical configuration: clients authenticate the servers they connect to, and all servers and clients share a single SSL configuration.

  1. Open the ego.conf file on the management host using a text editor. The location of the file is defined in the EGO_CONFDIR environment variable.
  2. Set the EGO_TRANSPORT_SECURITY parameter to SSL.
  3. Set EGO_DEFAULT_TS_PARAMS.

    For example:

    • (Linux/UNIX)

      EGO_DEFAULT_TS_PARAMS="SSL[CERTIFICATE=/etc/symcert.pem,CIPHER=EDH-RSA-DES-CBC3-SHA,PRIVATE_KEY=/etc/symkey.pem]"

    • (Windows)

      EGO_DEFAULT_TS_PARAMS="SSL[CERTIFICATE=C:\xxc\newcert.pem,CIPHER=EDH-RSA-DES-CBC3-SHA,PRIVATE_KEY=C:\xxc\newkey.pem]"

    Note:

    For typical security requirements, do not define EGO_KD_TS_PARAMS and ESC_TS_PARAMS. In this case, VEMKD and the Service Controller use the SSL parameters defined in EGO_DEFAULT_TS_PARAMS. The CIPHER value in these examples, EDH-RSA-DES-CBC3-SHA, is the OpenSSL name for an ephemeral-DH, RSA, 3DES-CBC, SHA-1 suite; treat it as an illustration of the syntax and choose a current cipher suite (for example, an AES-GCM suite) that every server and client in the cluster supports, using the same value on both sides.

  4. Assign an SSL port number to the EGO_KD_TS_PORT parameter.
  5. Open the ego.conf file on the client host using a text editor.
  6. For EGO_CLIENT_TS_PARAMS, enable server authentication.

    For example:

    • (Linux/UNIX)

      EGO_CLIENT_TS_PARAMS="SSL[CAFILE=/home/.../cacert.pem,CIPHER=EDH-RSA-DES-CBC3-SHA,SERVER_AUTH={myCN}]"

    • (Windows)

      EGO_CLIENT_TS_PARAMS="SSL[CIPHER=EDH-RSA-DES-CBC3-SHA,CAFILE=C:\xxc\demoCA\cacert.pem,SERVER_AUTH={myCN}]"

  7. Open the sd.xml file on the management host using an XML editor.
  8. Set the SD_SDK_TRANSPORT parameter to TCPIPv4SSL (SSL driver on TCP/IPv4).
  9. Set the SD_SDK_TRANSPORT_ARG parameter to $EGO_DEFAULT_TS_PARAMS.
  10. Set the SSM_SDK_TRANSPORT parameter to TCPIPv4SSL (SSL driver on TCP/IPv4).
  11. Set the SSM_SDK_TRANSPORT_ARG parameter to $EGO_DEFAULT_TS_PARAMS.
  12. Set the SDK_TRANSPORT parameter to TCPIPv4SSL (SSL driver on TCP/IPv4).
  13. Set the SDK_TRANSPORT_ARG parameter to $EGO_CLIENT_TS_PARAMS.
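Because ego.conf is only read at restart, a malformed TS_PARAMS value (such as a missing closing bracket) or a client entry that silently omits SERVER_AUTH is easy to ship. The following checker, added here as an example and not part of Symphony or EGO, parses the SSL[KEY=VALUE,...] strings used in the steps above and reports the problems a practitioner would look for: required keys missing on the server or client side, SERVER_AUTH not in the {expected CN} form, and a cipher name built on legacy primitives. The grammar it accepts is inferred from the examples on this page and is an assumption; the product may accept forms not handled here. The sample values are constructed from the page's own examples.

```python
"""Sanity-check EGO transport-security parameter strings (added example, not
Symphony's own code).

The accepted grammar, SSL[KEY=VALUE,KEY=VALUE,...] with {...} around the
SERVER_AUTH value, is inferred from the examples on this page; it is an
assumption, and the product may accept forms not handled here.
"""
import re


# Tokens in an OpenSSL-style cipher name that mark a suite as legacy.  "DES"
# catches EDH-RSA-DES-CBC3-SHA (ephemeral DH, RSA, 3DES-CBC, SHA-1): 3DES is a
# 64-bit block cipher and is retired in current TLS guidance.
LEGACY_CIPHER_TOKENS = {"DES", "RC4", "MD5", "NULL", "EXP", "ADH", "AECDH"}

SERVER_REQUIRED = ("CERTIFICATE", "PRIVATE_KEY")  # what a server must present
CLIENT_REQUIRED = ("CAFILE", "SERVER_AUTH")       # what a client needs to verify it


def _split_top_level(body: str) -> list:
    """Split on commas that are not inside {...}; reject unbalanced braces."""
    items, cur, depth = [], [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced '}' in %r" % body)
        if ch == "," and depth == 0:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if depth != 0:
        raise ValueError("unbalanced '{' in %r" % body)
    items.append("".join(cur))
    return items


def parse_ts_params(value: str) -> dict:
    """Parse an EGO_*_TS_PARAMS value into {KEY: VALUE}.

    Surrounding double quotes (as written in ego.conf) are stripped.  A missing
    closing ']' or a missing '=' raises ValueError, so the typo is caught
    before EGO is restarted with a broken transport configuration.
    """
    s = value.strip()
    if len(s) >= 2 and s[0] == s[-1] == '"':
        s = s[1:-1]
    m = re.fullmatch(r"SSL\[(.*)\]", s, re.DOTALL)
    if m is None:
        raise ValueError("expected SSL[...] with a closing ']': %r" % value)
    params = {}
    for item in _split_top_level(m.group(1)):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError("parameter without '=': %r" % item)
        key, val = item.split("=", 1)
        key = key.strip().upper()
        if key in params:
            raise ValueError("duplicate key %s" % key)
        params[key] = val.strip()
    return params


def cipher_findings(params: dict) -> list:
    """Flag a CIPHER whose OpenSSL-style name contains a legacy primitive."""
    cipher = params.get("CIPHER")
    if cipher is None:
        return []
    bad = sorted(set(cipher.upper().split("-")) & LEGACY_CIPHER_TOKENS)
    if not bad:
        return []
    return ["CIPHER %s uses legacy primitive(s): %s" % (cipher, ", ".join(bad))]


def check_server_params(value: str) -> list:
    """Findings for EGO_DEFAULT_TS_PARAMS (the server side)."""
    p = parse_ts_params(value)
    findings = ["missing %s" % k for k in SERVER_REQUIRED if k not in p]
    return findings + cipher_findings(p)


def check_client_params(value: str) -> list:
    """Findings for EGO_CLIENT_TS_PARAMS: server authentication must be on."""
    p = parse_ts_params(value)
    findings = ["missing %s" % k for k in CLIENT_REQUIRED if k not in p]
    auth = p.get("SERVER_AUTH", "")
    if auth and not re.fullmatch(r"\{[^{}]+\}", auth):
        findings.append("SERVER_AUTH should be {expected CN}, got %r" % auth)
    return findings + cipher_findings(p)


if __name__ == "__main__":
    # Sample values constructed from the examples on this page.
    server = 'SSL[CERTIFICATE=/etc/symcert.pem,CIPHER=EDH-RSA-DES-CBC3-SHA,PRIVATE_KEY=/etc/symkey.pem]'
    client = r'SSL[CIPHER=EDH-RSA-DES-CBC3-SHA,CAFILE=C:\xxc\demoCA\cacert.pem,SERVER_AUTH={myCN}]'
    for name, fn, val in (("EGO_DEFAULT_TS_PARAMS", check_server_params, server),
                          ("EGO_CLIENT_TS_PARAMS", check_client_params, client)):
        print(name, fn(val) or ["ok"])
```

Run it against the values you intend to place in ego.conf on both the management host and the client host; any ValueError or non-empty finding list should be resolved before restarting EGO. The checker does not open the certificate files themselves, so it cannot confirm that the CN named in SERVER_AUTH is the one in the server certificate or that the certificate chains to CAFILE; verify those separately with your certificate tooling.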