Syntax: tls
Context: config>system>security
Description: This command enables the context to configure TLS parameters.
Default: n/a

Syntax: cert-profile profile-name [create]
        no cert-profile profile-name
Context: config>system>security>tls
Description: This command creates a new TLS certificate profile or specifies an existing certificate profile. The certificate profile contains the certificates that are sent to the TLS peer so that the peer can authenticate this system. A TLS server must send this information; a TLS client sends it optionally, upon request from the TLS server.
The no form of the command deletes the specified TLS certificate profile.
Default: n/a
Parameters:
    profile-name: the name of the TLS certificate profile, up to 32 characters in length

Syntax: entry entry-id [create]
        no entry entry-id
Context: config>system>security>tls>cert-profile
Description: This command configures an entry for the TLS certificate profile. A certificate profile can have up to eight entries. Currently, TLS uses the entry with the lowest ID number when responding to server requests.
The no form of the command deletes the specified entry.
Default: n/a
Parameters:
    entry-id: the identification number of the TLS certificate profile entry

Syntax: cert cert-filename
        no cert
Context: config>system>security>tls>cert-profile>entry
Description: This command specifies the filename of an imported certificate for the cert-profile entry.
The no form of the command removes the certificate.
Default: no cert
Parameters:
    cert-filename: the filename of the TLS certificate, up to 95 characters in length

Syntax: key key-filename
        no key
Context: config>system>security>tls>cert-profile>entry
Description: This command specifies the filename of an imported private key for the cert-profile entry.
The no form of the command removes the key.
Default: no key
Parameters:
    key-filename: the filename of the key, up to 95 characters in length

Syntax: [no] send-chain
Context: config>system>security>tls>cert-profile>entry
Description: This command enables the sending of certificate authority (CA) certificates and enables the context to configure send-chain information.
By default, the system only sends the TLS client certificate specified by the cert command. This command allows the system to send additional CA certificates to the peer. The certificates must be in the chain of certificates specified by the config>system>security>pki>ca-profile command. Configuring send-chain is not required for a working TLS profile if the TLS peer already has the CA certificate that signed the client certificate in its own trust anchor.
For example, with a TLS client running on the 7705 SAR, the ROOT CA certificate resides on the TLS server, but the subsequent SUB-CA certificate needed to complete the chain resides within the 7705 SAR. The send-chain command allows these SUB-CA certificates to be sent from the 7705 SAR to the peer, where they are authenticated using the ROOT CA certificate that resides on the peer.
The no form of the command disables the send-chain.
Default: no send-chain

Syntax: [no] ca-profile name
Context: config>system>security>tls>cert-profile>entry>send-chain
Description: This command specifies that a CA certificate in the specified ca-profile is to be sent to the peer.
Up to seven configurations of this command are allowed in the same entry.
The no form of the command disables the transmission of a CA certificate from the specified CA profile.
Default: n/a
Parameters:
    name: the name of an existing CA profile (configured under config>system>security>pki>ca-profile)

Syntax: [no] shutdown
Context: config>system>security>tls>cert-profile
Description: This command disables the certificate profile. When the certificate profile is disabled, it will not be sent to the TLS server.
The no form of the command enables the certificate profile and allows it to be sent to the TLS server.
Default: shutdown

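The following is an added configuration example, not taken from the original reference, that puts the cert-profile commands above together for the chain scenario described under send-chain (ROOT CA held by the peer, SUB-CA held by the 7705 SAR). All profile and file names are constructed; the certificate and key files are assumed to have been imported already, and the CA profile "subca-profile" is assumed to exist under config>system>security>pki>ca-profile.

```text
# Added example (not from the original document). Names are constructed.
configure
    system
        security
            tls
                cert-profile "sar-client-cert" create
                    # Entry 1 is the one TLS uses (lowest ID wins).
                    entry 1 create
                        cert "sar-client.crt"
                        key "sar-client.key"
                        # The peer only holds the ROOT CA. The SUB-CA that
                        # signed sar-client.crt is sent along so the peer can
                        # build the chain up to its own trust anchor.
                        send-chain
                            ca-profile "subca-profile"
                        exit
                    exit
                    # A cert-profile left in the default shutdown state is
                    # never sent, so it must be enabled explicitly.
                    no shutdown
                exit
            exit
        exit
    exit
```

If the peer already has the SUB-CA certificate in its trust anchor, the send-chain block can be omitted and only the client certificate is sent; leaving it in costs only the extra bytes of the CA certificate in the handshake.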
Syntax: client-cipher-list name [create]
        no client-cipher-list name
Context: config>system>security>tls
Description: This command creates a cipher list or specifies an existing list that the client sends to the server in the client Hello message. The list contains the ciphers that the 7705 SAR supports and prefers for the TLS session. The server matches this list against the server cipher list, and the most preferred cipher found in both lists is chosen.
The no form of the command deletes the specified cipher list.
Default: n/a
Parameters:
    name: the name of the client cipher list, up to 32 characters in length

Syntax: cipher index name cipher-suite-code
        no cipher index
Context: config>system>security>tls>client-cipher-list
Description: This command configures a TLS cipher suite code to be negotiated by the server and client.
The no form of the command removes the cipher suite code.
Default: n/a
Parameters:
    index: the index number of the cipher suite code, which indicates the position of the code in the negotiation list (the lower the index number, the higher the priority of the code)
    cipher-suite-code: specifies the cipher suite code

Syntax: tls13-cipher index name cipher-suite-code
        no tls13-cipher index
Context: config>system>security>tls>client-cipher-list
Description: This command configures the TLS 1.3 supported ciphers that are used by the client and server.
The no form of the command removes the cipher suite code.
Default: n/a
Parameters:
    index: the index number of the TLS 1.3 cipher suite code, which indicates the position of the code in the negotiation list (the lower the index number, the higher the priority of the code)
    cipher-suite-code: specifies the cipher suite code

Syntax: client-group-list name [create]
        no client-group-list name
Context: config>system>security>tls
Description: This command creates a client group list or specifies an existing group list that the client sends in the client Hello message. The list contains group suite codes configured with the tls13-group command.
The no form of the command removes the client group list.
Default: n/a
Parameters:
    name: the name of the client group list, up to 32 characters

Syntax: tls13-group index name group-suite-code
        no tls13-group index
Context: config>system>security>tls>client-group-list
Description: This command configures the TLS 1.3 supported group suite codes sent by the client in the Hello message.
The 7705 SAR supports the use of Elliptic-curve Diffie-Hellman Ephemeral (ECDHE) groups.
The no form of the command removes the group suite code.
Default: n/a
Parameters:
    index: the index number of the group suite code, which indicates the position of the code in the negotiation list (the lower the index number, the higher the priority of the code)
    group-suite-code: specifies the group suite code

Syntax: client-signature-list name [create]
        no client-signature-list name
Context: config>system>security>tls
Description: This command creates a client signature list or specifies an existing signature list that the client sends in the client Hello message.
The no form of the command removes the client signature list.
Default: n/a
Parameters:
    name: the name of the client signature list, up to 32 characters

Syntax: tls13-signature index name signature-suite-code
        no tls13-signature index
Context: config>system>security>tls>client-signature-list
Description: This command configures the TLS 1.3 supported signature suite codes sent in the client Hello message.
The no form of the command removes the signature suite code.
Default: n/a
Parameters:
    index: the index number of the TLS 1.3 signature suite code, which indicates the position of the code in the negotiation list (the lower the index number, the higher the priority of the code)
    signature-suite-code: specifies the signature suite code

Syntax: client-tls-profile name [create]
        no client-tls-profile name
Context: config>system>security>tls
Description: This command creates a TLS client profile or specifies an existing client profile to be assigned to applications for encryption. Up to 16 TLS client profiles can be configured.
The no form of the command deletes the TLS client profile.
Default: n/a
Parameters:
    name: the name of the TLS client profile, up to 32 characters in length

Syntax: cert-profile name
        no cert-profile
Context: config>system>security>tls>client-tls-profile
Description: This command assigns an existing TLS certificate profile to be used by the TLS client profile. The certificate in this profile is sent to the server for authentication of the client and its public key.
The no form of the command removes the TLS certificate profile assignment.
Default: no cert-profile
Parameters:
    name: the name of the TLS certificate profile

Syntax: cipher-list name
        no cipher-list
Context: config>system>security>tls>client-tls-profile
Description: This command assigns an existing cipher list to be used by the TLS client profile for negotiation in the client Hello message.
The no form of the command removes the cipher list from the client profile.
Default: no cipher-list
Parameters:
    name: the name of the cipher list

Syntax: group-list name
        no group-list
Context: config>system>security>tls>client-tls-profile
Description: This command assigns an existing TLS 1.3 group list to the TLS client profile.
The no form of the command removes the group list from the client profile.
Default: no group-list
Parameters:
    name: the name of the group list

Syntax: protocol-version TLS-version
        no protocol-version
Context: config>system>security>tls>client-tls-profile
Description: This command configures the TLS version to be negotiated between the client and server.
When configured, the client adds the specified version as a supported version in its Hello message to the server. If tls-version-all is specified, the client adds both TLS 1.2 and TLS 1.3 as supported versions in its Hello message.
The no form of the command reverts to the default TLS version.
Default: tls-version12
Parameters:
    TLS-version: specifies the TLS version to include in the client Hello message (for example, tls-version12, the default, or tls-version-all)

Syntax: [no] shutdown
Context: config>system>security>tls>client-tls-profile
Description: This command disables the client TLS profile.
The no form of the command enables the client TLS profile.
Default: shutdown

Syntax: signature-list name
        no signature-list
Context: config>system>security>tls>client-tls-profile
Description: This command assigns an existing TLS 1.3 signature list to the TLS client profile.
The no form of the command removes the signature list from the client profile.
Default: no signature-list
Parameters:
    name: the name of the signature list

Syntax: trust-anchor-profile name
        no trust-anchor-profile
Context: config>system>security>tls>client-tls-profile
Description: This command assigns an existing trust anchor profile to be used by this TLS client profile to authenticate the server.
The no form of the command removes the trust anchor profile from the client profile.
Default: no trust-anchor-profile
Parameters:
    name: the name of the trust anchor profile

Syntax: trust-anchor-profile name [create]
        no trust-anchor-profile name
Context: config>system>security>tls
Description: This command creates a trust anchor profile or specifies an existing trust anchor profile to be used in the TLS client profile. The trust anchors are used for authentication of the server certificate. Up to 16 trust anchor profiles can be configured, with up to 8 trust anchors in each profile.
The no form of the command deletes the specified trust anchor profile.
Default: n/a
Parameters:
    name: the name of the trust anchor profile, up to 32 characters

Syntax: [no] trust-anchor ca-profile-name
Context: config>system>security>tls>trust-anchor-profile
Description: This command configures a trust anchor with a CA profile used by the TLS profile. Up to eight trust anchors can be configured under the TLS profile.
The no form of the command removes the trust anchor from the profile.
Default: n/a
Parameters:
    ca-profile-name: the name of the CA profile to use as a TLS trust anchor

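The following is an added, end-to-end configuration example, not from the original reference, that wires the cipher, group, signature and trust anchor objects described above into one client-tls-profile that offers both TLS 1.2 and TLS 1.3. All object names are constructed; the angle-bracket values are placeholders for the cipher, group and signature suite codes accepted by the platform, which this reference does not list; the cert-profile "sar-client-cert" and the CA profile "rootca-profile" are assumed to exist already.

```text
# Added example (not from the original document). Names are constructed;
# <...> values are placeholders for platform-specific suite codes.
configure
    system
        security
            tls
                # Lower index = higher preference. The server selects the most
                # preferred suite that appears in both its list and this one,
                # so put the suites you want negotiated at index 1.
                client-cipher-list "sar-ciphers" create
                    cipher 1 name <tls12-cipher-suite-code-preferred>
                    cipher 2 name <tls12-cipher-suite-code-fallback>
                    tls13-cipher 1 name <tls13-cipher-suite-code-preferred>
                    tls13-cipher 2 name <tls13-cipher-suite-code-fallback>
                exit
                # TLS 1.3 key-exchange groups (ECDHE) offered in the Hello.
                client-group-list "sar-groups" create
                    tls13-group 1 name <group-suite-code>
                exit
                # TLS 1.3 signature algorithms offered in the Hello.
                client-signature-list "sar-sigs" create
                    tls13-signature 1 name <signature-suite-code>
                exit
                # CA profiles whose certificates may issue the server
                # certificate; anything not chaining to one of these fails.
                trust-anchor-profile "sar-server-trust" create
                    trust-anchor "rootca-profile"
                exit
                client-tls-profile "sar-client" create
                    cert-profile "sar-client-cert"
                    cipher-list "sar-ciphers"
                    group-list "sar-groups"
                    signature-list "sar-sigs"
                    trust-anchor-profile "sar-server-trust"
                    # Default is tls-version12 only; tls-version-all adds 1.3.
                    protocol-version tls-version-all
                    # Profiles are created shut down and must be enabled.
                    no shutdown
                exit
            exit
        exit
    exit
```

Because the trust-anchor-profile is what validates the server certificate, a client-tls-profile without one has no basis for rejecting an untrusted server; keep the trust-anchor list limited to the CA profiles that actually issue the certificates of the servers this profile is used with.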