Server Settings

Enables you to configure the protocol, endpoint, and TLS settings for the server running the Enterprise Server Common Web Administration service.
Protocol
The protocol used to connect to the endpoint.
Hostname or IP Address
The hostname or IP address used by the listener to accept incoming client requests. The IP address can be either IPv4 or IPv6.
Note: You must restart the ESCWA service if you modify this field.

Specifying 0.0.0.0 binds on all available IPv4 addresses. Specifying :: binds on all available IPv6 addresses. Specifying * binds on all available IPv4 and IPv6 addresses.

Port
This must be a valid port or an asterisk (*), which indicates that the address is dynamically assigned to the listener when it starts.
Enable TLS
Indicates whether the ESCWA server uses Transport Layer Security (TLS). When enabled, TLS secures communications between the client and ESCWA.
Certificate File
Location, on disk, of the certificate. If multiple certificates are used, separate the paths with a semicolon ';'.
Keyfile
Location, on disk, of the keyfile. If multiple keyfiles are used, separate the paths with a semicolon ';'.
Keyfile Password
The password for the keyfile is specified here. If multiple keyfiles are used, separate the passwords with four colons '::::'.

Advanced

Certificate Password
If the certificate is locked with a password, specify it here. If multiple certificates are used, separate them with two colons '::'.
Client Authentication
Accept all clients
Allow all clients to communicate with the server without being checked for an SSL certificate.
Request client certificate, and verify if present
Requests a certificate from the client and verifies the certificate if one is returned. If the client does not return a certificate, communication continues between the client and server. If a certificate is returned and it fails to verify, communication stops.
Note: If you select this, you must specify the CA root certificates file.
Require client certificate, and verify
Always requires a client certificate and verifies it. This ensures that the client is trusted. If a certificate is not returned or it cannot be verified, communication between the client and server is stopped.
Note: If you select this, you must specify the CA root certificates file.
Client CA Root Certificates File
If you require clients to have certificates, this file must contain the trusted root certificates.
Note: Enterprise Developer supports DER, CER, PKCS #7, PKCS #8, PKCS #12 and PEM certificate file formats and PKCS #8, PKCS #12 and PEM for key file formats.
Honor Server Cipher List
By default, the TLS honor server cipher list is checked. This forces clients to use the protocols and cipher suites specified in order of their priority.
Note: If the TLS protocols list and the cipher suites list are not specified, the defaults are used. See Configuring a TLS Protocols List and Configuring a Cipher Suites List for more information.
Protocols
The list of TLS protocols to be used, in order of precedence. Each specified protocol is preceded by one of the following operators:
!
Exclude. Permanently exclude the protocol and ignore any subsequent attempt to add the protocol back in.
+
Add. Add the protocol to the existing collection.
-
Delete. Delete the protocol from the existing collection.
For example, to only use TLS1.1 and TLS1.2, type -ALL+TLS1.1+TLS1.2
Note: The Protocols field now supports TLS1.3.

You must use @SECLEVEL=0 for TLS 1.1 and earlier. See Security Levels for more information.
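
An added example, not part of the product or its documentation: Python that resolves a Protocols string using the operator rules above and lists the entries covered by the @SECLEVEL=0 note, which is useful when reviewing a configuration before applying it. It assumes the collection starts from the protocol names shown on this page (KNOWN) and that operators apply left to right; resolve_protocols and needs_seclevel0 are hypothetical names.

```python
import re

# Assumption: only the protocol names that appear on this page are modelled;
# extend KNOWN to match the names your product version documents.
KNOWN = ["TLS1.3", "TLS1.2", "TLS1.1"]
TOKEN = re.compile(r"([!+-])([A-Za-z0-9.]+)")


def resolve_protocols(spec, default=KNOWN):
    """Apply the !, + and - operators left to right; return the ordered result."""
    stripped = spec.replace(" ", "")
    tokens = TOKEN.findall(stripped)
    # Reject input with stray characters or a name that has no operator.
    if "".join(op + name for op, name in tokens) != stripped:
        raise ValueError(f"unparseable protocol list: {spec!r}")
    enabled, banned = list(default), set()
    for op, name in tokens:
        names = list(KNOWN) if name.upper() == "ALL" else [name.upper()]
        for n in names:
            if n not in KNOWN:
                raise ValueError(f"unknown protocol name: {n}")
            if op == "!":                      # permanent exclusion
                banned.add(n)
            if op in "!-" and n in enabled:    # both remove from the collection
                enabled.remove(n)
            if op == "+" and n not in banned and n not in enabled:
                enabled.append(n)              # a later + cannot undo a !
    return enabled


def needs_seclevel0(protocols):
    """Protocols at TLS 1.1 or earlier, which the page says need @SECLEVEL=0."""
    def version(name):
        digits = name[3:] or "0"               # "TLS1.1" -> "1.1"
        return tuple(int(p) for p in digits.split("."))
    return [p for p in protocols if version(p) <= (1, 1)]


if __name__ == "__main__":
    # Constructed inputs: the page's own example, then one using "!".
    for spec in ("-ALL+TLS1.1+TLS1.2", "!TLS1.1-ALL+TLS1.1+TLS1.2+TLS1.3"):
        result = resolve_protocols(spec)
        print(spec, "->", result, "| needs @SECLEVEL=0:", needs_seclevel0(result))
```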

Cipher Suites
Specifies the priority of cipher suites to be used. The cipher suite priority is formed using a combination of keywords and keyword modifiers for a space-separated string:
!
Exclude. Permanently exclude the cipher suite and ignore any subsequent attempt to add the cipher suite back in.
+
Add. Add the cipher suite to the end of the collection.
-
Delete. Delete the cipher suite from the existing collection.
By default, the following cipher suite list is used:
kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM +3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP
To determine the cipher suites supported by your version of OpenSSL, type the following from a command prompt:
openssl ciphers -v 'ALL:COMPLEMENTOFALL'
TLS1.3 Cipher Suites
The list of cipher suites to be used with TLS1.3 separated by a colon ':'. For example:
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
Diffie-Hellman Minimum Group Size
Specifies the size in bits of the modulus length of the Diffie-Hellman group:
  • Default
  • 512 bit
  • 1024 bit
  • 2048 bit
  • 4096 bit
Note: Micro Focus recommends a minimum modulus size of 2048 bits.
Key Exchange Cipher Groups
The key exchange cipher groups to be used, separated by semicolons ';'. For example:
secp521r1;secp384r1;prime256v1;secp256k1;secp224r1;secp224k1;prime192v1
TLS1.3 Middlebox Compatibility
Enables a workaround for TLS1.3 on networks with incompatible middleboxes, for example, routers and firewalls. Disabling this can improve performance on compatible networks but might result in dropped connections otherwise.
.NET Admin Host
The endpoint that ESCWA will communicate with for ES for .NET. This should point to an ES for .NET Admin Server. This administers, monitors, and controls managed regions.
External Communications Response Timeout
Specify, in seconds, how long ESCWA will wait for an external communications response before timing out. This timeout is used to communicate with the Communications Process, Web Services, J2EE Listener, ES for .NET, and MFA. The actual timeout might be a few seconds longer than specified.
Default Locale
Use this to specify the default locale of the ESCWA interface. If set to Browser Determined, the user's browser locale will be used.
