How does QAS encrypt data on the network? What encryption does QAS use?
QAS uses the same high-security Kerberos authentication that Windows clients use. QAS uses the highest encryption that is available from the Domain Controllers.
When using Windows 2000/2003, this is Kerberos HMAC-RC4. When using VAS 3.3.2+ and Windows 2008 Domain Controllers, AES256 or AES128 is used.
All important LDAP queries are secured (for data integrity and privacy) using GSS-SASL. Some LDAP traffic, such as defaultNamingContext and highestCommittedUSN queries, uses an anonymous bind.
ldap-gsssasl-security-layers = <security level>
Default value: 0
By default, when communicating with Active Directory, the QAS API automatically encrypts LDAP traffic for data integrity and privacy. This option allows the SASL security layer to be set to a specific level. With the default value of 0, all traffic will be secured using the highest security that is supported by the LDAP server. If non-zero, the value is interpreted as a bit mask as described by RFC 2222: 1 = No security layer, 2 = Integrity protection, 4 = Privacy protection. The following example shows how to turn off security. This may be useful for debugging purposes, or to reduce load when there is no need for network integrity or privacy.
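The check below is an added example, not part of the original article or of QAS itself: it decodes the bit mask described above and flags any ldap-gsssasl-security-layers setting left weaker than the default, for instance a debugging value of 1 that was never reverted. The sample text, the [libvas] section name, the '#' comment syntax and the rule of judging a mask by its weakest layer are assumptions of this example.

```python
# Added example: audit vas.conf-style text for weakened LDAP SASL security layers.
KEY = "ldap-gsssasl-security-layers"
# Bit values as listed on the page (RFC 2222), ordered weakest to strongest.
LAYERS = [(1, "none"), (2, "integrity"), (4, "privacy")]

def decode_mask(value):
    """Return the layer names a mask contains; 0 means 'highest the server supports'."""
    if value == 0:
        return ["highest-supported"]
    if value < 0 or value & ~7:
        raise ValueError(f"bits outside 1|2|4 in mask {value}")
    return [name for bit, name in LAYERS if value & bit]

def audit(conf_text):
    """Return (line_no, section, value, layers, ok) for each KEY setting found."""
    section, results = None, []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, val = line.partition("=")
        if not sep or key.strip() != KEY:
            continue
        try:
            layers = decode_mask(int(val.strip()))
        except ValueError as exc:
            results.append((line_no, section, val.strip(), [str(exc)], False))
            continue
        # Conservative rule of this example: judge a mask by its weakest layer,
        # so only the default (0) or privacy alone (4) passes.
        ok = layers in (["highest-supported"], ["privacy"])
        results.append((line_no, section, val.strip(), layers, ok))
    return results

# Constructed sample; the section name is an assumption, and the parser ignores it.
SAMPLE = """\
[libvas]
 # left over from a debugging session
 ldap-gsssasl-security-layers = 1
"""

if __name__ == "__main__":
    for line_no, section, val, layers, ok in audit(SAMPLE):
        print(f"line {line_no} [{section}] {KEY} = {val}: "
              f"{'/'.join(layers)} -> {'ok' if ok else 'REVIEW'}")
```

A value of 1 is reported for review because it means no security layer, so LDAP traffic after the bind carries neither integrity nor privacy protection.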