How do I prevent the use of weak SSL cipher suites in DS/OpenDJ?

Last updated Mar 14, 2019

The purpose of this article is to provide information on improving security in DS/OpenDJ by preventing the use of weak SSL cipher suites and protocols. This article covers the admin port, replication port and connection handlers (HTTP, LDAP and LDAPS).


Preventing the use of weak SSL cipher suites

You can restrict the use of weak SSL cipher suites to strengthen security as needed by setting the ssl-protocol and ssl-cipher-suite properties to include only the protocols or cipher suites you want to allow for the particular connection handler or connector.

Note

The available protocols and cipher suites you can use depend on what is supported by your JVM. You should upgrade your JVM and/or install the Oracle® Java® JCE unlimited strength jars to use stronger ciphers. These jars can be downloaded from the following link for Java 8 and earlier: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files Download. Java 9 and later uses the unlimited policy files by default.

To list the currently supported protocols and cipher suites, read the supportedTLSProtocols and supportedTLSCiphers attributes of the root DSE. For example:

$ ./ldapsearch --port 1389 --baseDN "" --searchScope base "(objectclass=*)" supportedTLSCiphers supportedTLSProtocols

See Administration Guide › To List Protocols and Cipher Suites for further information.

Admin port

The DS/OpenDJ command line tools like dsconfig and dsreplication communicate with the DS/OpenDJ server using the administration connection handler, which by default listens on all network interfaces on port 4444, and uses LDAPS. You should reconfigure the administration connection handler to remove the weak cipher suites and strengthen security as needed.

See How do I prevent the use of weak SSL cipher suites on DS/OpenDJ (All versions) administration port? for further information.

Replication port

The replication connector uses the Crypto Manager for its SSL configuration. You should reconfigure the Crypto Manager to remove the weak cipher suites and strengthen security as needed.

See How do I prevent the use of weak SSL cipher suites on DS/OpenDJ (All versions) replication port? for further information.

Connection handlers

Connection handlers are all configured in the same way using the dsconfig set-connection-handler-prop command. The only thing that changes is the handler-name option. 

The three connection handlers you should be concerned with are:

  • HTTP - this handler provides access to directory data over HTTP, including via the REST API.
  • LDAP - this handler provides secure connections from client applications using StartTLS.
  • LDAPS - this handler provides secure connections from client applications using LDAPS (LDAP/SSL).

See Administration Guide › To Restrict Protocols and Cipher Suites for information on configuring connection handlers to remove weak cipher suites and strengthen security as needed.
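As an added example (not part of this article or of the DS/OpenDJ product), the following script ties the two steps above together: it filters the supportedTLSCiphers values returned by the root DSE search into a list that keeps only forward-secret AEAD suites, then builds the dsconfig set-connection-handler-prop command that restricts a handler to TLSv1.2 and those suites. The sample LDIF is constructed, not captured from a real server; the --set property:value syntax is assumed from dsconfig's documented usage, and connection options (host, port, bind DN, credentials) are left for the operator to append.

```shell
# Constructed sample of the root DSE attributes listed by the ldapsearch above
# (not real server output).
SAMPLE_ROOT_DSE='dn:
supportedTLSProtocols: TLSv1
supportedTLSProtocols: TLSv1.1
supportedTLSProtocols: TLSv1.2
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
supportedTLSCiphers: TLS_DH_anon_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_RSA_WITH_NULL_SHA256
supportedTLSCiphers: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5'

# Read LDIF on stdin and print one acceptable suite per line. A suite is kept
# only if it offers forward secrecy (ECDHE/DHE) with AES-GCM, and carries none
# of the legacy markers (NULL, anonymous, RC4, DES/3DES, EXPORT, MD5).
strong_suites() {
  sed -n 's/^supportedTLSCiphers: //p' |
    grep -E '^TLS_(ECDHE|DHE)_(RSA|ECDSA)_WITH_AES_(128|256)_GCM_' |
    grep -Ev 'NULL|anon|RC4|DES|EXPORT|MD5'
}

# Build the dsconfig command for one handler: restrict ssl-protocol to TLSv1.2
# and set ssl-cipher-suite to exactly the suites given as arguments.
# Usage: dsconfig_cmd "LDAPS Connection Handler" SUITE...
dsconfig_cmd() {
  handler=$1
  shift
  cmd="dsconfig set-connection-handler-prop --handler-name \"$handler\" --set ssl-protocol:TLSv1.2"
  for suite in "$@"; do
    cmd="$cmd --set ssl-cipher-suite:$suite"
  done
  printf '%s\n' "$cmd"
}

# Demo on the constructed sample: the surviving suites, then the command.
SUITES=$(printf '%s\n' "$SAMPLE_ROOT_DSE" | strong_suites)
printf '%s\n' "$SUITES"
dsconfig_cmd "LDAPS Connection Handler" $SUITES
```

Run the same command once per handler (HTTP, LDAP, LDAPS), changing only the --handler-name value, and re-run the root DSE search afterwards to confirm the restricted list.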

See Also

LDAPS client connections fail with SSLHandshakeException: no cipher suites in common in DS 5 and OpenDJ 3.x

Administration Guide › LDAP Client Access Over SSL

Administration Guide › RESTful Client Access Over HTTP

Administration Guide › TLS Protocols and Cipher Suites

Server Javadoc › Interface CryptoManager

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright and Trademarks

Copyright © 2019 ForgeRock, all rights reserved.
