Transport security

Access Server Connection

TLS 1.2 is used for the connection between clients and the Access Server. The following minimum cipher suites are used by the clients:
Cipher version: TLS v.1.2
Key Exchange: ECDH (Elliptic-curve Diffie-Hellman)
Authentication: RSA
Encoding: AES-256
MAC (Message Authentication Code): SHA-384
These connections can be easily verified by looking at the application logs or by using Wireshark.
Access Servers use an SSL server certificate signed using SHA-256 with RSA by a well-known certificate authority.
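
The check described above can also be scripted. The following is an added example, not code from the product: it compares the negotiated protocol and OpenSSL-style suite name against the minimum listed on this page. The function names are hypothetical, and it assumes that ephemeral ECDHE satisfies the "ECDH" requirement.

```python
import socket
import ssl
import sys

# Minimum documented on this page: TLS 1.2, ECDH key exchange,
# RSA authentication, AES-256, SHA-384.
REQUIRED_PROTOCOL = "TLSv1.2"


def check_negotiated(protocol, cipher_name):
    """Return a list of deviations from the documented minimum (empty = OK).

    cipher_name is an OpenSSL-style TLS 1.2 suite name as returned by
    ssl.SSLSocket.cipher()[0], e.g. "ECDHE-RSA-AES256-GCM-SHA384".
    """
    problems = []
    if protocol != REQUIRED_PROTOCOL:
        problems.append(f"protocol is {protocol}, expected {REQUIRED_PROTOCOL}")
    parts = cipher_name.upper().split("-")
    # Assumption: ECDHE (ephemeral) is accepted wherever the page says ECDH.
    if parts[0] in ("ECDH", "ECDHE"):
        if parts[1:2] != ["RSA"]:
            problems.append("authentication is not RSA")
    else:
        problems.append("key exchange is not ECDH")
    if not any(p.startswith("AES256") for p in parts):
        problems.append("encryption is not AES-256")
    # For GCM suites the trailing hash is the PRF hash rather than an HMAC.
    if parts[-1] != "SHA384":
        problems.append("MAC/PRF hash is not SHA-384")
    return problems


def probe(host, port=443, timeout=5.0):
    """Handshake with certificate validation enabled and check the result."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # pin to the documented version
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return check_negotiated(tls.version(), tls.cipher()[0])


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python check_tls.py <access-server-hostname>
    issues = probe(sys.argv[1])
    print("OK" if not issues else "\n".join(issues))
```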

Relay Server Connection

The end-to-end encryption securing remote access connections between Control Center and Runtime uses AES-256 CBC with a session key securely exchanged through a separate Access Server connection during the handshake phase. Since the Relay Server never participates in this handshake and is used only after the session key has been exchanged, it cannot decrypt the incoming traffic and the connection is truly end-to-end secure.
The underlying transport can be TCP (used for performance reasons) or TLS 1.2 (as fallback for compatibility with firewalls requiring a TLS connection). Confidentiality is not guaranteed by TLS in this case, but by the upper-level AES-256 encapsulation.
For security reasons, the TCP transport can be disabled in favor of the TLS 1.2 connection.

Web API Connection

All Frontends use HTTPS for web APIs. Web servers use an SSL server certificate signed using SHA-256 with RSA by a well-known certificate authority.