How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I prevent the use of weak SSL cipher suites in DS (All versions)?

Last updated Jan 12, 2023

The purpose of this article is to provide information on improving security in DS by preventing the use of weak SSL cipher suites and protocols. It covers the administration port, the replication port and the connection handlers (HTTP, LDAP and LDAPS).


Preventing the use of weak SSL cipher suites

You can restrict the use of weak SSL cipher suites and protocols by setting the ssl-protocol and ssl-cipher-suite properties of each connection handler or connector to include only the protocols and cipher suites you want to allow. Both properties are multi-valued; when they are not set, DS accepts whatever the JVM allows by default, which is why a server can look weak even though nothing in the DS configuration mentions a weak suite.

Note

The available protocols and cipher suites depend on what the JVM running DS supports. To use stronger ciphers, upgrade your JVM and/or install the Oracle® Java® JCE unlimited strength policy jars. These jars can be downloaded from the following link for Java 8 and earlier: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files Download. Java 8u161 and later, and Java 9 and later, use the unlimited policy by default. The JVM can also disable protocols and cipher suites globally through the jdk.tls.disabledAlgorithms security property in its java.security file; anything disabled there is unavailable to DS regardless of the ssl-protocol and ssl-cipher-suite settings.

To list the protocols and cipher suites the JVM currently supports (the superset you can choose from), read the supportedTLSProtocols and supportedTLSCiphers attributes of the root DSE; the searches below do so anonymously. For example:

  • DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN "" --searchScope base "(objectclass=*)" supportedTLSCiphers supportedTLSProtocols
  • DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN "" --searchScope base "(objectclass=*)" supportedTLSCiphers supportedTLSProtocols
  • DS 6.x: $ ./ldapsearch --port 1389 --baseDN "" --searchScope base "(objectclass=*)" supportedTLSCiphers supportedTLSProtocols

See Cryptographic Keys for further information.
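Putting the note and the root DSE query above together, the following script is an added example; it is not from this article or from DS itself. It takes the supportedTLSProtocols and supportedTLSCiphers values as ldapsearch prints them, keeps only an allow-listed strong subset, and prints the dsconfig command that pins a handler to that subset. The root DSE output is a constructed sample; the LDAPS handler name, the uid=admin bind DN, the admin.pin path and the trust store path are assumptions, and the option spellings follow the DS 7.1 and later form used in the ldapsearch example above.

```shell
#!/bin/sh
# Added example, not taken from the ForgeRock article or the DS product.
# Turns the JVM-supported protocol and cipher lists reported by the root
# DSE into a dsconfig command that allows only a strong subset.
# Assumptions (not stated by the article): DS 7.1+ option names, a handler
# named LDAPS, admin bind DN uid=admin, an admin password file at
# /path/to/ds/config/admin.pin and a trust store at /path/to/ds/config/keystore.

# Constructed sample of what ldapsearch against the root DSE prints on a
# Java 11+ JVM; replace it with the real output from your environment.
SAMPLE_ROOT_DSE='dn:
supportedTLSProtocols: TLSv1.3
supportedTLSProtocols: TLSv1.2
supportedTLSProtocols: TLSv1.1
supportedTLSProtocols: TLSv1
supportedTLSProtocols: SSLv3
supportedTLSProtocols: SSLv2Hello
supportedTLSCiphers: TLS_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_AES_128_GCM_SHA256
supportedTLSCiphers: TLS_CHACHA20_POLY1305_SHA256
supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_RSA_WITH_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedTLSCiphers: TLS_EMPTY_RENEGOTIATION_INFO_SCSV'

# Print the values of one LDIF attribute, one per line.
extract_attr() {
    sed -n "s/^$1: //p"
}

# Allow-list, not deny-list: keep only TLS 1.2 and TLS 1.3.
# SSLv3, TLSv1, TLSv1.1 and the SSLv2Hello pseudo-protocol are dropped.
filter_strong_protocols() {
    grep -E '^TLSv1\.[23]$' || true
}

# Allow-list for suites: the TLS 1.3 suites, plus TLS 1.2 suites that use an
# ephemeral key exchange (ECDHE or DHE, hence forward secrecy) and an AEAD
# cipher (AES-GCM or ChaCha20-Poly1305). Static RSA/ECDH key exchange, CBC
# modes, SHA-1 MACs, RC4, 3DES, NULL/anon/export suites, SSL_* legacy names
# and the renegotiation SCSV marker all fail the match and are dropped.
filter_strong_suites() {
    grep -E '^TLS_(AES_(128|256)_GCM|CHACHA20_POLY1305)_SHA(256|384)$|^TLS_(ECDHE|DHE)_(RSA|ECDSA)_WITH_(AES_(128|256)_GCM|CHACHA20_POLY1305)_SHA(256|384)$' || true
}

# Print a dsconfig command that sets a handler to exactly the given protocols
# and suites. ssl-protocol and ssl-cipher-suite are multi-valued, so --set is
# repeated once per value; leaving a property unset means "JVM default".
# $1 = handler name, $2 = protocols (one per line), $3 = suites (one per line)
dsconfig_command() {
    printf 'dsconfig set-connection-handler-prop \\\n'
    printf '  --hostname localhost --port 4444 \\\n'
    printf '  --bindDN uid=admin --bindPassword:file /path/to/ds/config/admin.pin \\\n'
    printf '  --handler-name %s \\\n' "$1"
    printf '%s\n' "$2" | while read -r p; do
        if [ -n "$p" ]; then printf '  --set ssl-protocol:%s \\\n' "$p"; fi
    done
    printf '%s\n' "$3" | while read -r s; do
        if [ -n "$s" ]; then printf '  --set ssl-cipher-suite:%s \\\n' "$s"; fi
    done
    printf '  --usePkcs12TrustStore /path/to/ds/config/keystore \\\n'
    printf '  --trustStorePassword:file /path/to/ds/config/keystore.pin \\\n'
    printf '  --no-prompt\n'
}

# Wire it together for the sample data. In practice, pipe the real ldapsearch
# output through extract_attr instead of the sample.
STRONG_PROTOCOLS=$(printf '%s\n' "$SAMPLE_ROOT_DSE" | extract_attr supportedTLSProtocols | filter_strong_protocols)
STRONG_SUITES=$(printf '%s\n' "$SAMPLE_ROOT_DSE" | extract_attr supportedTLSCiphers | filter_strong_suites)
dsconfig_command LDAPS "$STRONG_PROTOCOLS" "$STRONG_SUITES"
```

Review the printed list before applying it: the allow-list is a policy choice that drops every suite without forward secrecy or without an AEAD cipher, which may be stricter than some older clients can negotiate. --set assigns the listed values, repeated once per value for these multi-valued properties; dsconfig set-connection-handler-prop with --reset ssl-cipher-suite (and --reset ssl-protocol) returns the handler to the JVM defaults.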

Admin port

The DS command-line tools such as dsconfig and dsrepl (DS 7 and later) or dsreplication (DS 6.x) communicate with the DS server through the administration connection handler, which by default listens on all network interfaces on port 4444 and uses LDAPS. You should reconfigure the administration connection handler to remove the weak cipher suites and protocols and strengthen security as needed. Keep in mind that the tools themselves run in a JVM and must still be able to negotiate one of the remaining suites, otherwise you lock yourself out of administration over the network.

See How do I prevent the use of weak SSL cipher suites on the DS (All versions) administration port? for further information.

Replication port

The replication connector uses either the Replication Synchronization Provider (DS 7 and later) or the Crypto Manager (DS 6.x) for its SSL configuration. You should reconfigure the appropriate connector to remove the weak cipher suites and strengthen security as needed.

See How do I prevent the use of weak SSL cipher suites on the DS (All versions) replication port? for further information.

Connection handlers

All connection handlers are configured in the same way with the dsconfig set-connection-handler-prop command; only the value of the --handler-name option changes. Handler names differ between DS versions, so list them first with dsconfig list-connection-handlers.

The three connection handlers you should be concerned with are:

  • HTTP - this handler provides access to directory data over HTTP, including via the REST API. The ssl-protocol and ssl-cipher-suite properties only take effect when the handler has use-ssl set to true (that is, it serves HTTPS); a plain HTTP handler has no TLS to harden.
  • LDAP - this handler accepts plain LDAP connections that client applications can upgrade to TLS with the StartTLS extended operation (allow-start-tls must be true); the same protocol and cipher suite restrictions apply to the upgraded connection.
  • LDAPS - this handler provides secure connections from client applications using LDAPS (LDAP over TLS from the first byte).

See Cryptographic Keys for further information.
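After changing a handler, check from outside that the weak protocols are actually refused. The following script is an added example, not part of this article or of DS: it probes a port with openssl s_client at each TLS version and applies a simple policy (TLS 1.0 and 1.1 must be refused, and at least one of TLS 1.2 or 1.3 must succeed). The host, the port numbers (1389 for StartTLS on the LDAP handler, 1636 for LDAPS, 8443 for HTTPS) and the handler labels are assumptions based on DS 7 defaults; the -starttls ldap and -tls1_3 options need OpenSSL 1.1.1 or later. The transcripts used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the ForgeRock article or DS. Confirms from the
# outside that a restricted handler refuses old TLS versions.
# Assumed DS 7 defaults: LDAP on 1389 (StartTLS), LDAPS on 1636, HTTPS on
# 8443; the host comes from DS_HOST. "-starttls ldap" and "-tls1_3" need
# OpenSSL 1.1.1 or later.

# Reduce an s_client transcript to the negotiated cipher, or NONE when the
# handshake failed. Every OpenSSL version prints the "New, ..., Cipher is"
# line, so key on that rather than on version-specific error text.
negotiated_cipher() {
    c=$(sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$c" in
        ''|'(NONE)') echo NONE ;;
        *) echo "$c" ;;
    esac
}

# Try one protocol version against one port.
# $1 host, $2 port, $3 openssl protocol flag (tls1, tls1_1, tls1_2, tls1_3),
# $4 optional "ldap" to upgrade a plain LDAP connection with StartTLS first.
probe() {
    if [ -n "$4" ]; then starttls="-starttls $4"; else starttls=""; fi
    # $starttls is intentionally left unquoted so it splits into two words.
    openssl s_client -connect "$1:$2" "-$3" $starttls </dev/null 2>&1 | negotiated_cipher
}

# Policy: TLS 1.0 and 1.1 must be refused; at least one of TLS 1.2 / 1.3
# must succeed. Prints one line per check, returns non-zero on any failure.
# $1 label, $2 host, $3 port, $4 optional "ldap"
check_handler() {
    rc=0
    modern=0
    for proto in tls1 tls1_1 tls1_2 tls1_3; do
        cipher=$(probe "$2" "$3" "$proto" "$4")
        case "$proto" in
            tls1|tls1_1)
                if [ "$cipher" != NONE ]; then
                    echo "FAIL $1 $proto negotiated $cipher (should be refused)"
                    rc=1
                else
                    echo "ok   $1 $proto refused"
                fi ;;
            *)
                if [ "$cipher" != NONE ]; then
                    echo "ok   $1 $proto -> $cipher"
                    modern=1
                else
                    echo "info $1 $proto refused"
                fi ;;
        esac
    done
    if [ "$modern" -eq 0 ]; then
        echo "FAIL $1 no TLS 1.2 or 1.3 handshake succeeded"
        rc=1
    fi
    return $rc
}

# Only talk to the network when a host is given, e.g.
#   DS_HOST=ds.example.com sh ./this-script.sh
if [ -n "${DS_HOST:-}" ]; then
    check_handler LDAP  "$DS_HOST" 1389 ldap
    check_handler LDAPS "$DS_HOST" 1636
    check_handler HTTPS "$DS_HOST" 8443
fi
```

A NONE result only proves that something refused the handshake. If the local openssl is itself configured to refuse TLS 1.0 and 1.1 (a distribution-wide security level, for example), the legacy probes report NONE whatever the server does; try the script against a host known to still accept them first, or add -cipher 'DEFAULT:@SECLEVEL=0' to the s_client call for those probes.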

See Also

LDAP Access

HTTP Access



Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.