Configuring a Confidentiality QOP Policy

Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.05, 17.00
Published: September 2020
Language: English (United States)
Last Update: 2021-01-23
Product Category: Teradata Vantage™

You can configure confidentiality policies to enforce confidentiality, at a specified algorithm strength, for all sessions regardless of whether they request encryption.

Confidentiality policy only applies to the TD2, KRB5, LDAP, and PROXY mechanisms. See the comparison table in System Processing of Confidentiality and Integrity QOP Policies.

If a session subject to a Confidentiality QOP uses the Kerberos authentication mechanism (which does not support QOP policy), the system enforces the use of confidentiality, but ignores the QOP algorithm specified in the policy and uses the algorithm provided by Kerberos.

Confidentiality policies are based on the configuration of the LOW, MEDIUM, and HIGH QOP entries in the TdgssUserConfigFile.xml. You must enable these QOP entries in the configuration file before configuring a confidentiality policy. For information, see Working with Quality of Protection Options.



To configure a confidentiality QOP policy:

  1. Examine the TdgssUserConfigFile.xml and make sure that the QOP entries are enabled and set according to your requirements. See Working with Quality of Protection Options.
  2. Create the confidentiality QOP container. See Creating the conf-qops Container.
  3. Create the needed confidentiality QOP objects. See Creating Confidentiality QOP Objects in the Confidentiality QOP Container.
  4. Add members to each confidentiality QOP to define QOP effects. See Adding Members to a Confidentiality QOP to Require QOP Usage.
    You can also apply the default confidentiality QOP by host group. See Requiring Confidentiality.
  5. Optionally remove members from a confidentiality QOP to remove QOP effects. See Removing Members from a Confidentiality QOP.