How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I prevent the use of weak SSL cipher suites on the DS (All versions) replication port?

Last updated Nov 3, 2021

The purpose of this article is to provide administrative guidance to improve security on the DS replication channels.


Overview

You can restrict the list of protocols and cipher suites used by setting the ssl-protocol and ssl-cipher-suite properties for the relevant connector; which connector you configure depends on your DS version, as described in the sections below.

List Protocols and Cipher Suites

To list the available protocols and cipher suites, read the supportedTLSProtocols and supportedTLSCiphers attributes of the root DSE using the following command against an LDAPS connection that has default (unspecified protocol and cipher) SSL properties:

  • DS 7.1 and later: $ ./ldapsearch --hostname ds1.example.com --port 1636 --useSSL --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN "" --searchScope base "(objectclass=*)" supportedTLSCiphers supportedTLSProtocols
  • DS 7: $ ./ldapsearch --hostname ds1.example.com --port 1636 --useSSL --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN "" --searchScope base "(objectclass=*)" supportedTLSCiphers supportedTLSProtocols
  • Pre-DS 7: $ ./ldapsearch --hostname ds1.example.com --port 1636 --useSSL --trustAll --baseDN "" --searchScope base "(objectclass=*)" supportedTLSCiphers supportedTLSProtocols
Note

The available protocols and cipher suites you can use depend on what is supported by your JVM. You should upgrade your JVM and/or install the Oracle® Java® JCE unlimited strength jars to use stronger ciphers. These jars can be downloaded from the following link for Java 8 and earlier: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files Download. Java 9 and later use the unlimited policy files by default.

Improving security on DS replication channels (DS 7 and later)

You can restrict the list of protocols and cipher suites used on the replication connector with the ssl-protocol and ssl-cipher-suite properties for Replication Synchronization Provider. For example, to restrict the cipher suites to TLS_EMPTY_RENEGOTIATION_INFO_SCSV and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, and only allow TLSv1.2, you can use the dsconfig set-synchronization-provider-prop command as shown in the following example:

$ ./dsconfig set-synchronization-provider-prop --provider-name "Multimaster Synchronization" --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --set ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 --set ssl-protocol:TLSv1.2 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt

See Replication Synchronization Provider Properties for further information.
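The following script, added here as an example and not part of this article or of DS itself, ties the two steps above together for DS 7 and later: it parses the supportedTLSProtocols and supportedTLSCiphers attributes returned by the ldapsearch command, keeps only TLSv1.2/TLSv1.3 and forward-secret AEAD suites (plus the renegotiation SCSV), and emits the matching --set arguments for dsconfig set-synchronization-provider-prop. The LDIF sample is constructed; run the real ldapsearch and feed its output to dsconfig_set_args instead.

```python
"""Turn the root DSE's TLS inventory into a strong-suite allow-list for dsconfig."""
import re

# Constructed sample of what the ldapsearch in this article returns (abridged).
SAMPLE_LDIF = """\
dn:
supportedTLSProtocols: TLSv1
supportedTLSProtocols: TLSv1.1
supportedTLSProtocols: TLSv1.2
supportedTLSProtocols: TLSv1.3
supportedTLSCiphers: TLS_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_RSA_WITH_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
"""

# Protocol names as the JVM reports them; everything older than TLSv1.2 is dropped.
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_root_dse(ldif):
    """Collect the multi-valued attributes of the LDIF entry into a dict of lists."""
    attrs = {}
    for line in ldif.splitlines():
        if ":" not in line or line.startswith("dn:"):
            continue
        name, value = line.split(":", 1)
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def is_strong_cipher(name):
    """Keep the renegotiation SCSV, TLS 1.3 suites, and ECDHE AEAD TLS 1.2 suites."""
    if name == "TLS_EMPTY_RENEGOTIATION_INFO_SCSV":
        return True
    # TLS 1.3 suite names carry no key-exchange component (always ephemeral).
    if re.fullmatch(r"TLS_(AES_(128|256)_GCM|CHACHA20_POLY1305)_SHA(256|384)", name):
        return True
    # TLS 1.2: require forward secrecy (ECDHE) and an AEAD cipher (no CBC, no RSA kx).
    return name.startswith("TLS_ECDHE_") and (
        "_GCM_" in name or "_CHACHA20_POLY1305_" in name)

def dsconfig_set_args(ldif):
    """Return the --set arguments for set-synchronization-provider-prop (DS 7+)."""
    attrs = parse_root_dse(ldif)
    protocols = [p for p in attrs.get("supportedTLSProtocols", []) if p not in WEAK_PROTOCOLS]
    ciphers = [c for c in attrs.get("supportedTLSCiphers", []) if is_strong_cipher(c)]
    return ([f"--set ssl-protocol:{p}" for p in protocols]
            + [f"--set ssl-cipher-suite:{c}" for c in ciphers])

if __name__ == "__main__":
    print(" \\\n  ".join(dsconfig_set_args(SAMPLE_LDIF)))
```

Because --set replaces the whole value list, the generated arguments must all go on one dsconfig invocation, and the same list must be applied to every server in the replication group.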

Caution

These are advanced configuration parameters; setting them incorrectly can cause replication to fail. Care should be taken to keep configuration the same across all servers in the replication group.

Improving security on DS replication channels (pre-DS 7)

You can restrict the list of protocols and cipher suites used on the replication connector with the ssl-protocol and ssl-cipher-suite properties for Crypto Manager. For example, to restrict the cipher suites to TLS_EMPTY_RENEGOTIATION_INFO_SCSV and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, and only allow TLSv1.1 and v1.2, you can use the dsconfig set-crypto-manager-prop command as shown in the following example:

$ ./dsconfig set-crypto-manager-prop --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --add ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 --add ssl-protocol:TLSv1.1 --add ssl-protocol:TLSv1.2 --trustAll --no-prompt

See Crypto Manager for further information.

Caution

These are advanced configuration parameters; setting them incorrectly can cause replication to fail. Care should be taken to keep configuration the same across all servers in the replication group.

See Also

How do I prevent the use of weak SSL cipher suites on the DS (All versions) administration port?

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.