Configure TLS Cipher Suite for applications

Enterprise Application Access (EAA) allows users to have a secure network connection using TLS 1.1 or higher to access their applications on the application server. You can select a default or custom cipher suite for the TLS client-server handshake that takes place before secure TLS communication starts. The default strong cipher suite is recommended. You can also use a custom cipher suite for the TLS handshake between the user's computer and the application server before a secure network connection is established. This setting applies to access and client-access apps, and not to SaaS apps.

A cipher suite is a set of algorithms that includes a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm. For the TLS 1.0-1.2 handshake, you can refer to the cipher suite wiki. There are many cipher suites, and some are more secure than others.
Each cipher suite has a unique name that identifies it and describes its algorithmic contents. Each segment in a cipher suite name stands for a different algorithm or protocol. An example of a cipher suite name: `TLSv1.2-ECDHE-RSA-AES128-GCM-SHA256`. The name can be interpreted as:

  • TLSv1.2 defines the protocol that this cipher suite is for and the version number.

  • ECDHE-RSA indicates the key exchange algorithm being used. The key exchange algorithm is used to determine if and how the client and server authenticate during the handshake.

  • AES128-GCM indicates the block cipher being used to encrypt the message stream, together with the block cipher mode of operation.

  • SHA256 indicates the message authentication algorithm which is used to authenticate a message.
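The segment breakdown above can be applied mechanically when reviewing a custom cipher list. The following is an added example, not Akamai's code: it assumes names in the page's `<protocol>-<suite>` layout with OpenSSL-style suite names, and its weak-component rules are illustrative assumptions rather than the list EAA uses for its deployment warning.

```python
import re

# Assumption: names follow the page's layout, "<protocol>-<OpenSSL-style suite name>".
KEX_TOKENS = {"ECDHE", "DHE", "ECDH", "DH", "RSA", "ECDSA", "DSS", "PSK"}
# Assumption: illustrative weak-component rules, not Akamai's own warning list.
WEAK_CIPHER = re.compile(r"^(RC4|DES|3DES|NULL)")
LEGACY_PROTOCOLS = {"SSLV3", "TLSV1", "TLSV1.0", "TLSV1.1"}
AEAD_MARKERS = ("GCM", "CHACHA20")

def parse_suite(name):
    """Split a suite name into protocol, key exchange, bulk cipher and MAC."""
    tokens = name.strip().split("-")
    protocol = tokens.pop(0) if tokens[0].upper().startswith(("TLSV", "SSLV")) else None
    if len(tokens) < 2:
        raise ValueError(f"not a cipher suite name: {name!r}")
    kex = []
    while len(tokens) > 2 and tokens[0] in KEX_TOKENS:
        kex.append(tokens.pop(0))
    mac = tokens.pop()  # the last segment names the MAC / hash
    # OpenSSL-style names leave the key exchange out when it is plain RSA.
    return {"protocol": protocol, "key_exchange": "-".join(kex) or "RSA",
            "cipher": "-".join(tokens), "mac": mac}

def findings(name):
    """Return the reasons a suite is commonly considered weak (empty list = none)."""
    s = parse_suite(name)
    out = []
    if s["protocol"] and s["protocol"].upper() in LEGACY_PROTOCOLS:
        out.append(f"legacy protocol {s['protocol']}")
    if not s["key_exchange"].startswith(("ECDHE", "DHE")):
        out.append("no forward secrecy")
    if WEAK_CIPHER.match(s["cipher"]):
        out.append(f"weak cipher {s['cipher']}")
    elif not any(m in s["cipher"] for m in AEAD_MARKERS):
        out.append("no AEAD mode (an unnamed mode means CBC)")
    if s["mac"] == "MD5":
        out.append("MD5 MAC")
    return out

# Constructed sample names, not taken from the EAA cipher list.
SAMPLE = ["TLSv1.2-ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2-AES256-SHA256",
          "TLSv1.1-ECDHE-RSA-AES128-SHA", "TLSv1.1-DES-CBC3-SHA"]

if __name__ == "__main__":
    for suite in SAMPLE:
        print(suite, "->", findings(suite) or "no findings")
```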

Before establishing a secure TLS connection, the client and server perform a TLS handshake. During the TLS handshake, the client sends its predefined ciphers to the server in the ClientHello message. The server chooses the matching cipher (if available) and responds with a ServerHello message that includes the chosen cipher suite and the session ID. Next, the server sends a digital certificate to verify its identity to the client. If they are not using pre-shared keys, the client sends an encrypted message to the server that enables the client and server to compute the secret key that is used during exchanges. After successfully authenticating the server and, if needed, exchanging the secret key, the client sends a message to signal that it is done with the handshake process. After receiving this message, the server sends a message that confirms that the handshake is complete. Now the client and the server are in agreement on which cipher suite to use to communicate with each other. This is how cipher suites are negotiated and the TLS handshake is established between the client and the server.

If you make any changes to your existing apps, you need to add a TLS cipher suite before deploying the application. Otherwise, existing apps continue to work without this change.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

  3. Select your application to open it.

  4. In Advanced > Configure TLS Cipher suite, select one of the following options as the cipher suite configuration for the TLS handshake between the user and the application server:

  • Default. Use the default strong cipher suite as recommended by Akamai. Only TLS version 1.2 strong ciphers are supported.

  • Custom. Select a cipher suite from the list. If you select a cipher suite that has a weak cipher, you get a warning when you deploy the application. A weak cipher is one that has vulnerabilities through which its security can be compromised. This option supports both TLS version 1.1 and TLS version 1.2 ciphers.

  5. Click Save and Deploy.