How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I disable TLS 1.0 and TLS 1.1 in DS (All versions)?

Last updated Sep 21, 2021

The purpose of this article is to provide information on disabling TLS 1.0 and TLS 1.1 in DS. These protocols have been deprecated by the Internet Engineering Task Force (IETF) and are considered insecure.


Overview

The TLS 1.0 and 1.1 protocols have been deprecated by IETF and are considered insecure due to known vulnerabilities and lack of support for the latest cipher suites.

See Deprecating TLSv1.0 and TLSv1.1 for further information.

Disabling TLS 1.0 and 1.1 in DS

You can disable TLS 1.0 and 1.1 in DS by explicitly setting the ssl-protocols allowed per connection handler. It is strongly recommended that you restrict the allowed protocols to TLSv1.2 on the following connection handlers: LDAP, LDAPS, HTTPS and the Administrator Connector. 

Note

If you are using at least DS 6.5.3 and Java 11.0.6, you may also want to include TLSv1.3 as an allowed protocol. See How do I disable TLS 1.3 when running DS 6.5, 6.5.1 or 6.5.2 with Java 11.0.5 and earlier, or Java 1.8.0_272 and later? for further information about known issues. 

In the following examples, you can allow TLSv1.3 in addition to TLSv1.2 by replacing --set ssl-protocol:TLSv1.2 with --set ssl-protocol:TLSv1.2 --set ssl-protocol:TLSv1.3.

LDAP connection handler

You can restrict the allowed protocols to TLSv1.2 on the LDAP connection handler using the dsconfig command, for example:

  • DS 7.1 and later: $ ./dsconfig set-connection-handler-prop --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --handler-name LDAP --set ssl-protocol:TLSv1.2 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
  • DS 7: $ ./dsconfig set-connection-handler-prop --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --handler-name LDAP --set ssl-protocol:TLSv1.2 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
  • DS 6.x: $ ./dsconfig set-connection-handler-prop --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name LDAP --set ssl-protocol:TLSv1.2 --trustAll --no-prompt

LDAPS connection handler

You can restrict the allowed protocols to TLSv1.2 on the LDAPS connection handler using the dsconfig command, for example:

  • DS 7.1 and later: $ ./dsconfig set-connection-handler-prop --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --handler-name LDAPS --set ssl-protocol:TLSv1.2 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
  • DS 7: $ ./dsconfig set-connection-handler-prop --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --handler-name LDAPS --set ssl-protocol:TLSv1.2 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
  • DS 6.x: $ ./dsconfig set-connection-handler-prop --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name LDAPS --set ssl-protocol:TLSv1.2 --trustAll --no-prompt

HTTPS connection handler

You can restrict the allowed protocols to TLSv1.2 on the HTTPS connection handler using the dsconfig command, for example:

  • DS 7.1 and later: $ ./dsconfig set-connection-handler-prop --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --handler-name HTTPS --set ssl-protocol:TLSv1.2 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
  • DS 7: $ ./dsconfig set-connection-handler-prop --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --handler-name HTTPS --set ssl-protocol:TLSv1.2 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
  • DS 6.x: $ ./dsconfig set-connection-handler-prop --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name HTTPS --set ssl-protocol:TLSv1.2 --trustAll --no-prompt

Administrator Connector 

You can restrict the allowed protocols to TLSv1.2 on the administrator connector using the dsconfig command, for example:

  • DS 7.1 and later: $ ./dsconfig set-administration-connector-prop --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --set ssl-protocol:TLSv1.2 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
  • DS 7: $ ./dsconfig set-administration-connector-prop --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --set ssl-protocol:TLSv1.2 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
  • DS 6.x: $ ./dsconfig set-administration-connector-prop --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --set ssl-protocol:TLSv1.2 --trustAll --no-prompt

See Also

How do I prevent the use of weak SSL cipher suites in DS (All versions)?

SSL in DS

Require LDAPS

TLS Settings

RFC 7525: SSL/TLS Protocol Versions

Deprecating TLSv1.0 and TLSv1.1

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.