background image

 

Integrated SSL Scanning 

 

Page 7 

Finjan proprietary and confidential 

 

Figure 3: Certificate Details 

In order to prevent the end-users from getting this warning message, 
system administrators can do one of the following: 

 

Install Finjan’s certificate on the end-user’s browser as a trusted root 
certificate authority. 

 

Install a certificate on all the Scanning Servers, issued by the 

organization’s CA root certificate, which is already trusted by all users. 

 NOTE: Using a certificate from a trusted CA (such as VeriSign) 

will not prevent the certificate validation check, as it 
does not contain the remote HTTPS server’s host name. 

2.3.1

 

Installing Finjan certificate on the end-user’s 

browser 

The following procedures are relevant for Vital Security Software Versions 
8.5.0, 8.5.0-M01 and 9.0: 

 

To install Finjan’s certificate as a trusted root CA: 

1.

 

Paste the certificate below into an empty file and save it as Finjan.cer 

Содержание NG-5000

Страница 1: ...Software Version 9 0 Integrated SSL Scanning...

Страница 2: ...of Vulnerability are trademarks or registered trademarks of Finjan Sophos is a registered trademark of Sophos plc McAfee is a registered trademark of McAfee Inc Kaspersky is a registered trademark of...

Страница 3: ...ts 1 Introduction 1 2 HTTPS Scanning 1 2 1 On the Fly Certificate Generation 1 2 2 Certificate Validation 2 2 3 SSL Certificate Errors 6 3 HTTPS Policies 11 4 Configuring HTTPS Support 11 4 1 HTTPS Co...

Страница 4: ...injan also provides certificate validation functionality This ensures that corporate policies regarding certificates are enforced by automatically validating each certificate and ensuring that the cha...

Страница 5: ...ital certificate lists are updated via Finjan security updates These lists include the required trusted certificate authorities as well as the Certificate Revocation Lists CRLs Certificate validation...

Страница 6: ...means that the actual signature value could not be determined rather than it not matching the expected value CRL signature failure The signature of the certificate is invalid Certificate is not yet v...

Страница 7: ...Structure Field Description Certificate signature cannot be decrypted The certificate signature could not be decrypted meaningful for RSA keys Cannot decode issuer public key The public key in the cer...

Страница 8: ...rusted for the specified purpose Certificate rejected The root CA is marked to reject the specified purpose Subject issuer mismatch The current candidate issuer certificate was rejected because its su...

Страница 9: ...e is before the current time 2 3 SSL Certificate Errors When the end user opens the HTTPS session the Scanning Server has to encrypt and decrypt the data between the end user and the Scanning Server T...

Страница 10: ...ervers issued by the organization s CA root certificate which is already trusted by all users NOTE Using a certificate from a trusted CA such as VeriSign will not prevent the certificate validation ch...

Страница 11: ...KiCKy JqpuLU0MuXsOOQ END CERTIFICATE 2 Install the certificate on the browser To install the certificate on Internet Explorer a In the control panel click Internet Options b Click the Content tab and...

Страница 12: ...Copy this into a separate text file to send to a certificate authority 6 Once you have a certificate back send it to your end users to install on their browsers 7 In the Limited Shell enter the comma...

Страница 13: ...dy configured to trust the organizations root CA and there is no need to configure anything for the users To install the root certificate on the Scanning Server 1 Connect to the Management Console via...

Страница 14: ...In addition to the above two policies the user can configure additional policies and rules The security policies apply only to the way that the scanning server handles the certificate validation bypas...

Страница 15: ...is disabled by default This protocol is non secure and should not be used unless there are compatibility problems Allow SSLv3 Enables support for SSLv3 protocol This option is enabled by default Allow...

Страница 16: ...is timed out if not responsive Max HTTPS Transactions Backlog Defines the maximum number of outstanding connection requests to be served by the system After this number is reached the system is timed...

Страница 17: ...to configure proxy settings for the users This can be done by using one of the following methods Layer 4 Switch By using a third party layer 4 switch it is possible to redirect all traffic destined to...

Страница 18: ...still mandatory to install the SSL certificate of the Scanning Server on the end user s PC in order to prevent the security warnings When the end user browses an HTTPS site the Scanning Server generat...

Отзывы: