Secure Global Desktop Administration Guide > Security > Selecting a cipher suite for secure connections

Selecting a cipher suite for secure connections

Sun Secure Global Desktop Software allows you to specify the cipher suite used to secure connections with the Security Pack (SSL/TLS connections). The following suites are supported:

Cipher suite	Client preference	OpenSSL name	JSSE name
RSA_WITH_AES_256_CBC_SHA	1	AES256-SHA	TLS_RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA	2	AES128-SHA	TLS_RSA_WITH_AES_128_CBC_SHA
RSA_WITH_3DES_EDE_CBC_SHA	3	DES-CBC3-SHA	SSL_RSA_WITH_3DES_EDE_CBC_SHA
RSA_WITH_RC4_128_SHA	4	RC4-SHA	SSL_RSA_WITH_RC4_128_SHA
RSA_WITH_RC4_128_MD5	5	RC4-MD5	SSL_RSA_WITH_RC4_128_MD5
RSA_WITH_DES_CBC_SHA	6	DES-CBC-SHA	SSL_RSA_WITH_DES_CBC_SHA

Connections between clients and Secure Global Desktop servers

To specify the cipher suites used for connections between clients and Secure Global Desktop servers, run the following command:

tarantella config edit --tarantella-config-security-ciphers cipher_list

You must stop the Secure Global Desktop server before running this command.
The cipher_list is a colon separated list of cipher suites. You must use the OpenSSL name from the table above.
The order of the cipher suites does not matter, as it is the client that determines which suite will be used, based on the client preference order shown in the table above.
The default setting is AES256-SHA:RC4-MD5.
The default setting means that the Sun Secure Global Desktop Client and the Native Client will use AES (Advanced Encryption Standard) with a 256-bit key. The Java™ technology client will use RC4 with a 128-bit key. You must include the RC4-MD5 cipher suite if you are using the Java technology client, because it does not support AES.

Connections between Secure Global Desktop servers

To specify the cipher suites used for secure intra-array communication, run the following command:

tarantella config edit --tarantella-config-security-peerssl-ciphers cipher_list

You must stop all Secure Global Desktop servers in the array before running this command.
The cipher_list is a colon separated list of cipher suites. You must use the JSSE (Java™ Secure Socket Extension) name from the table above.
Although you can specify a list, this is an array-wide setting and so the first cipher in the list will always be used.
The default setting is AES256-SHA.
The cipher suite is only used if you have enabled secure connections between Secure Global Desktop servers.

About cipher suites

A cipher suite is a set of cryptographic algorithms used to:

protect information required to create shared keys (key exchange);
encrypt messages exchanged between clients and servers (bulk encryption); and
generate message hashes and signatures to ensure the integrity of a message (message authentication).

A cipher suite specifies one algorithm for each of these tasks. For example, the RSA_WITH_RC4_128_MD5 cipher suite uses RSA for key exchange, RC4 with a 128-bit key for bulk encryption, and MD5 for message authentication.

Related topics
Securing connections between Secure Global Desktop servers Getting started with the Sun Secure Global Desktop Security Pack Which clients are supported?