# RapidIdentity Administrators' and Users' Guide

##### SSL/TLS Profile

The SSL/TLS Profile menu item defines which SSL Profile should be used with RapidIdentity. Selecting this option opens a prompt to edit the profile.

Saving the change updates the tomcat.sslProfile value in rapididentity.properties.

Beginning in RapidIdentity version 2020.1.0, the following changes will apply to the Tomcat properties in rapididentity.properties:

• tomcat.sslCipherBlacklist has been deprecated.

• tomcat.sslProtocols can now include ONLY TLSv1.2 and TLSv1.1.

• By default, RapidIdentity will use the list TLSv1.2 for version 2020.1.0. In order to use TLSv1.1 with 2020.1, you will need to provide your own cipher suites.

• tomcat.sslCipherWhitelist has been added. This allows you to specify a list of TLS cipher suites to enable. If this list is provided, it will override the default list.

### Note

The whitelist will be a comma-separated list, just like the blacklist was. Examples:

tomcat.sslProtocols=TLSv1.2

tomcat.sslCipherWhitelist=TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

RapidIdentity will use a secure set of cipher suites by default, including:

• For TLSv1.2:

### Note

Included ONLY if TLSv1.2 is enabled and there is no whitelist (default behavior).

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

• For TLSv1.1:

### Note

Included ONLY if TLSv1.1 is enabled and there is no whitelist (default behavior), and ONLY in later builds of 2019.12.15.x and 2020.x.

TLSv1.1 is not recommended.

• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
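The property rules in this section can be checked mechanically. The following Python sketch is an added example, not RapidIdentity code: it parses the tomcat.ssl* keys from properties text, resolves the effective cipher suites (a whitelist overrides the defaults), and reports the deprecated blacklist, protocols outside TLSv1.2/TLSv1.1, and suites that the enabled protocols cannot negotiate. The function names and the sample file are assumptions constructed for illustration; the default suite lists are copied from this page.

```python
# Added example (not RapidIdentity code). Default suite lists are copied from this page.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.1"}
DEFAULT_SUITES = {
    "TLSv1.2": [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"],
    "TLSv1.1": [
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"],
}
# TLS 1.3 suite names (RFC 8446); TLSv1.2 and TLSv1.1 cannot negotiate them.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"}
# Constructed sample file contents, for illustration only.
SAMPLE = """\
tomcat.sslProtocols=TLSv1.2,TLSv1.1
tomcat.sslCipherBlacklist=TLS_RSA_WITH_RC4_128_SHA
tomcat.sslCipherWhitelist=TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def audit(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    protocols = split_list(props.get("tomcat.sslProtocols", "TLSv1.2"))  # page's stated default
    whitelist = split_list(props.get("tomcat.sslCipherWhitelist", ""))
    findings = []
    if "tomcat.sslCipherBlacklist" in props:
        findings.append("tomcat.sslCipherBlacklist is deprecated as of 2020.1.0")
    findings += [f"{p}: not accepted in tomcat.sslProtocols"
                 for p in protocols if p not in ALLOWED_PROTOCOLS]
    if "TLSv1.1" in protocols:
        findings.append("TLSv1.1 is enabled; the guide does not recommend it")
    # A whitelist, when present, overrides the defaults entirely.
    suites = whitelist or [s for p in protocols for s in DEFAULT_SUITES.get(p, [])]
    for s in suites:
        if s in TLS13_SUITES:
            findings.append(f"{s}: TLS 1.3 suite, unusable with TLSv1.2/TLSv1.1")
        elif "_GCM_" in s and "TLSv1.2" not in protocols:
            findings.append(f"{s}: AES-GCM suite needs TLSv1.2, which is not enabled")
    return suites, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```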

###### Create an SSL Profile

There is no limit to the number of SSL Profiles that can be created.

### Note

A new SSL profile will contain a new, self-signed certificate by default.

Follow these steps to create a new SSL Profile.

1. From the Configuration module, select SSL Management from the Security section.

2. From the SSL Profiles workspace, click Add Profile+.

3. Enter a Name and an optional Description.

   1. If using a domain name, insert an asterisk in front of the domain name to create a wildcard name.

4. Click Save.

5. The newly created SSL Profile will be available in the SSL Profiles workspace for further configuration.