TLS Interaction with Applications

TLS is a standalone configuration. The user must configure a TLS client profile with certificates and trust anchors, and then assign the TLS client profile to the appropriate applications. When a TLS client profile is assigned to an application, the application does not send any PDUs until the TLS handshake has been successfully completed and the encryption ciphers have been negotiated between the TLS server and the TLS client.

After successful negotiation and handshake, the application is notified that TLS is operationally up. The application begins transmitting PDUs encrypted using TLS based on the agreed ciphers. If at any point the TLS becomes operationally down, the application will stop transmitting PDUs.

For example, a TLS connection with the PCEP application operates as follows:

  1. A TLS client is configured under PCEP on the 7705 SAR.
  2. PCEP stops sending clear text PDUs because a TLS client profile has been assigned and TLS is not ready to encrypt.
  3. The TLS client begins the handshake.
  4. Authentication occurs at the TLS layer.
  5. The TLS server and TLS client negotiate ciphers.
  6. Salts are negotiated for the symmetric key. A salt is a seed for creating AES encryption keys.
  7. When negotiations are successfully completed, the handshake finishes, TLS becomes operationally up, and PCEP is notified.
  8. PCEP begins transmitting PDUs that are encrypted using TLS.

Until TLS becomes operationally up, PCEP does not transmit any PDUs.
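The gating sequence above, as an added Python model that is not Nokia's code: TlsClient, PcepSession and the cipher labels are hypothetical, the handshake is reduced to an authentication flag plus a cipher-list intersection, and the point shown is that the application transmits nothing while a profile is assigned and TLS is not operationally up.

```python
from enum import Enum, auto

class TlsState(Enum):
    DOWN = auto()         # no negotiated session, or session torn down
    HANDSHAKING = auto()  # handshake, authentication, cipher/salt negotiation in progress
    UP = auto()           # handshake finished; the application has been notified

class TlsClient:          # hypothetical client; the negotiation itself is simplified
    def __init__(self, profile):
        self.profile = profile        # constructed: {"ciphers": [...]} in preference order
        self.state, self.cipher = TlsState.DOWN, None
        self.listeners = []           # applications notified on every state change
    def _set_state(self, state):
        self.state = state
        for notify in self.listeners:
            notify(state)
    def handshake(self, server_ciphers, server_cert_trusted=True):
        # Returns True when TLS becomes operationally up, False if it stays down
        self._set_state(TlsState.HANDSHAKING)
        common = [c for c in self.profile["ciphers"] if c in server_ciphers]
        if not server_cert_trusted or not common:   # authentication or negotiation failed
            self._set_state(TlsState.DOWN)
            return False
        self.cipher = common[0]                     # first mutually supported cipher
        self._set_state(TlsState.UP)
        return True
    def go_down(self):
        self.cipher = None
        self._set_state(TlsState.DOWN)

class PcepSession:        # application whose transmit path is gated on TLS state
    def __init__(self):
        self.tls, self.tls_up = None, False
        self.sent = []                # (transport, pdu) pairs actually transmitted
        self.suppressed = 0           # PDUs withheld because TLS was not up
    def assign_tls_profile(self, tls):
        self.tls = tls
        tls.listeners.append(self.on_tls_state)
        self.on_tls_state(tls.state)
    def on_tls_state(self, state):
        self.tls_up = state is TlsState.UP
    def send_pdu(self, pdu):
        if self.tls is None:                        # no profile assigned: clear text
            self.sent.append(("cleartext", pdu))
            return True
        if not self.tls_up:                         # assigned but TLS not up: send nothing
            self.suppressed += 1
            return False
        self.sent.append((f"tls/{self.tls.cipher}", pdu))
        return True
```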