How do I prevent the use of weak SSL cipher suites in DS (All versions)?
The purpose of this article is to provide information on improving security in DS by preventing the use of weak SSL cipher suites and protocols. This article covers the admin port, replication port and connection handlers (HTTP, LDAP and LDAPS).
Preventing the use of weak SSL cipher suites
You can restrict the use of weak SSL cipher suites for strengthening security as needed, by setting the ssl-protocol and ssl-cipher-suite properties to include only the protocols or cipher suites you want to use for the particular connection handler or connector.
Note
The available protocols and cipher suites you can use depend on what is supported by your JVM. You should upgrade your JVM and/or install the Oracle® Java® JCE unlimited strength jars to use stronger ciphers. These jars can be downloaded from the following link for Java 8 and earlier: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files Download. Java 9 and later uses the unlimited policy files by default.
You can check which protocols and cipher suites the server currently supports by searching the root DSE, for example:
- DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN "" --searchScope base "(objectclass=*)" supportedTLSCiphers supportedTLSProtocols
- DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN "" --searchScope base "(objectclass=*)" supportedTLSCiphers supportedTLSProtocols
- DS 6.x: $ ./ldapsearch --port 1389 --baseDN "" --searchScope base "(objectclass=*)" supportedTLSCiphers supportedTLSProtocols
See Cryptographic Keys for further information.
Admin port
The DS command line tools like dsconfig and dsrepl/dsreplication communicate with the DS server using the administration connection handler, which by default listens on all network interfaces on port 4444, and uses LDAPS. You should reconfigure the administration connection handler to remove the weak cipher suites and strengthen security as needed.
See How do I prevent the use of weak SSL cipher suites on the DS (All versions) administration port? for further information.
Replication port
The replication connector uses either the Replication Synchronization Provider (DS 7 and later) or the Crypto Manager (DS 6.x) for its SSL configuration. You should reconfigure the appropriate connector to remove the weak cipher suites and strengthen security as needed.
See How do I prevent the use of weak SSL cipher suites on the DS (All versions) replication port? for further information.
Connection handlers
Connection handlers are all configured in the same way using the dsconfig set-connection-handler-prop command. The only thing that changes is the handler-name option.
The three connection handlers you should be concerned with are:
- HTTP - this handler provides access to directory data over HTTP, including via the REST API.
- LDAP - this handler provides secure connections from client applications using StartTLS.
- LDAPS - this handler provides secure connections from client applications using LDAPS (LDAP/SSL).
See Cryptographic Keys for further information.
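As an added example that is not part of this article, the following Python script ties the two steps together: it parses the root DSE attributes returned by the ldapsearch commands above, drops the protocols and cipher suites a reviewer would normally reject, and prints a dsconfig set-connection-handler-prop command for each of the HTTP, LDAP and LDAPS handlers. The sample LDIF, the weak-suite patterns and the omission of dsconfig connection and bind options are assumptions made for the example.

```python
import re

# Constructed sample of the root DSE entry the ldapsearch above returns (values assumed).
SAMPLE_ROOT_DSE = """\
dn:
supportedTLSProtocols: TLSv1
supportedTLSProtocols: TLSv1.1
supportedTLSProtocols: TLSv1.2
supportedTLSProtocols: TLSv1.3
supportedTLSCiphers: TLS_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_RSA_WITH_AES_128_GCM_SHA256
supportedTLSCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: TLS_ECDH_anon_WITH_AES_128_CBC_SHA
"""

# Assumed policy: legacy protocol versions, and suites without forward secrecy
# (static RSA key exchange), anonymous DH, NULL/export/RC4/DES/3DES, or CBC mode.
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_RE = re.compile(r"^SSL_|^TLS_RSA_|_anon_|_NULL_|_EXPORT|RC4|DES_|_CBC_")

def parse_root_dse(ldif):
    # Collect the multi-valued TLS attributes; every other attribute is ignored.
    attrs = {"supportedTLSProtocols": [], "supportedTLSCiphers": []}
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name in attrs:
            attrs[name].append(value.strip())
    return attrs

def strong_subset(attrs):
    # Keep the server's order so the emitted --set values are reproducible.
    protocols = [p for p in attrs["supportedTLSProtocols"] if p not in WEAK_PROTOCOLS]
    ciphers = [c for c in attrs["supportedTLSCiphers"] if not WEAK_CIPHER_RE.search(c)]
    return protocols, ciphers

def dsconfig_command(handler_name, protocols, ciphers):
    # Connection/bind options (--hostname, --port 4444, --bindDN, trust store) are omitted.
    parts = ["dsconfig", "set-connection-handler-prop", "--handler-name", handler_name]
    for p in protocols:
        parts += ["--set", "ssl-protocol:" + p]
    for c in ciphers:
        parts += ["--set", "ssl-cipher-suite:" + c]
    return " ".join(parts)

if __name__ == "__main__":
    protocols, ciphers = strong_subset(parse_root_dse(SAMPLE_ROOT_DSE))
    for handler in ("HTTP", "LDAP", "LDAPS"):
        print(dsconfig_command(handler, protocols, ciphers))
```

Review the filtered list against your own client population before applying it, since a suite the pattern rejects may still be needed by an older client, and re-run the root DSE search afterwards to confirm the handler advertises only what you set.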