Does not apply to Identity Cloud

How do I prevent the use of weak SSL cipher suites on the DS (All versions) administration port?

Last updated Jun 15, 2021

The purpose of this article is to provide administrative guidance to improve security on the DS administration interface.


Improving security on the DS admin interface

The DS command line tools like dsconfig and dsrepl/dsreplication communicate with the DS server using the administration connection handler, which by default listens on all network interfaces on port 4444, and uses LDAPS.

Left at its defaults, this handler accepts whichever cipher suites the JVM enables, which can include weak ones. You should reconfigure the administration connection handler to remove the weak cipher suites and improve security.

Note

The available protocols and cipher suites you can use depend on what is supported by your JVM. You should upgrade your JVM and/or install the Oracle® Java® JCE unlimited strength jars to use stronger ciphers. These jars can be downloaded from the following link for Java 8 and earlier: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files Download. Java 9 and later uses the unlimited policy files by default.

Reconfiguring the administration connection handler

You can restrict the list of protocols and cipher suites used by setting the ssl-protocol and ssl-cipher-suite connection handler properties to include only the protocols or cipher suites you want. For example, to restrict the cipher suites to TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 use the dsconfig set-administration-connector-prop command as shown in the following example.

  • DS 7.1 and later: $ ./dsconfig set-administration-connector-prop --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
  • DS 7: $ ./dsconfig set-administration-connector-prop --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
  • Pre-DS 7: $ ./dsconfig set-administration-connector-prop --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 --trustAll --no-prompt

List Protocols and Cipher Suites

To list the available protocols and cipher suites, read the supportedTLSProtocols and supportedTLSCiphers attributes of the root DSE using the following command:

  • DS 7.1 and later: $ ./ldapsearch --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --baseDN "" --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --useSSL --searchScope base "(&)" supportedTLSCiphers supportedTLSProtocols
  • DS 7: $ ./ldapsearch --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --baseDN "" --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --useSSL --searchScope base "(&)" supportedTLSCiphers supportedTLSProtocols
  • Pre-DS 7: $ ./ldapsearch --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "" --trustAll --useSSL --searchScope base "(&)" supportedTLSCiphers supportedTLSProtocols
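The two procedures above list what the JVM offers and then pin the connector to the suites you choose. The following added example (not part of DS or this article) ties them together: it parses the root DSE LDIF that the ldapsearch command returns, applies an assumed strong/weak policy, and renders the matching --set arguments for dsconfig set-administration-connector-prop; the sample LDIF is constructed, not captured from a server.

```python
# Added example for this article (not DS code): parse the root DSE LDIF that the
# ldapsearch command above returns and derive the dsconfig --set arguments.
# The strong/weak rules and the sample below are this example's own assumptions.
SAMPLE_LDIF = """\
dn:
supportedTLSCiphers: TLS_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_RSA_WITH_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSProtocols: TLSv1
supportedTLSProtocols: TLSv1.1
supportedTLSProtocols: TLSv1.2
supportedTLSProtocols: TLSv1.3
"""  # constructed sample, not captured from a real server

# Policy: ephemeral key exchange (or a TLS 1.3 suite) and no CBC or legacy bulk cipher.
STRONG_KEY_EXCHANGE = ("TLS_ECDHE_", "TLS_DHE_", "TLS_AES_", "TLS_CHACHA20_")
LEGACY_BULK = ("_CBC_", "_3DES_", "_RC4_", "_DES_", "_NULL_", "_EXPORT_")
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

def parse_root_dse(ldif):
    """Collect the multi-valued attributes of one LDIF entry into {name: [values]}."""
    attrs = {}
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip():  # skips the bare "dn:" line of the root DSE
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def is_strong_cipher(suite):
    """True for suites this policy keeps in ssl-cipher-suite."""
    return suite.startswith(STRONG_KEY_EXCHANGE) and not any(m in suite for m in LEGACY_BULK)

def hardened_settings(ldif):
    """Split advertised suites and protocols into values to allow and values to leave out."""
    attrs = parse_root_dse(ldif)
    ciphers = attrs.get("supportedTLSCiphers", [])
    protocols = attrs.get("supportedTLSProtocols", [])
    return {
        "allow_ciphers": [c for c in ciphers if is_strong_cipher(c)],
        "drop_ciphers": [c for c in ciphers if not is_strong_cipher(c)],
        "allow_protocols": [p for p in protocols if p in ACCEPTABLE_PROTOCOLS],
        "drop_protocols": [p for p in protocols if p not in ACCEPTABLE_PROTOCOLS],
    }

def dsconfig_set_args(settings):
    """Render one --set per value for dsconfig set-administration-connector-prop."""
    return ([f"--set ssl-cipher-suite:{c}" for c in settings["allow_ciphers"]]
            + [f"--set ssl-protocol:{p}" for p in settings["allow_protocols"]])
```

Pass the real ldapsearch output to hardened_settings() in place of SAMPLE_LDIF and review drop_ciphers before appending the rendered --set arguments to the dsconfig command for your DS version.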

See Also

How do I prevent the use of weak SSL cipher suites on the DS (All versions) replication port?

LDAP Access

TLS Settings



Copyright © 2021 ForgeRock, all rights reserved.