How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I disable TLS Client-Initiated Renegotiation in IDM (All versions)?

Last updated Apr 8, 2021

The purpose of this article is to provide information on disabling secure client-initiated renegotiation in IDM. You may want to do this to address findings from a vulnerability scan.

Disabling TLS renegotiation

Java® includes the jdk.tls.rejectClientInitiatedRenegotiation system property, which controls TLS client-initiated renegotiation.

You can disable client-initiated renegotiation using the OPENIDM_OPTS environment variable:

  • On Unix® and Linux® systems: $ cd /path/to/idm/ $ export OPENIDM_OPTS="-Djdk.tls.rejectClientInitiatedRenegotiation=true" $ ./
  • On Microsoft® Windows® systems: C:\> cd \path\to\idm C:\path\to\idm> set OPENIDM_OPTS=-Djdk.tls.rejectClientInitiatedRenegotiation=true C:\path\to\idm> startup.bat

You can also edit the or startup.bat files to update the default OPENIDM_OPTS values.

See Also

How do I limit the supported secure protocols and cipher suites in IDM 5.x and 6.x?

How do I change the JVM heap size for IDM (All versions)?

Administering and configuring IDM

Security Advisories

Setup Guide › Configure the Server

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.