4.9 Setting an Optimal Secure Socket Layer Configuration With Ciphers

IMPORTANT: The settings specified in this section describe an SSL configuration that provides an optimal level of security. If you plan to change the cipher information, test the configuration before you deploy it in your production setup.

In addition to setting up the Secure Socket Layer (SSL) itself, configuring a cipher suite adds security to client-server communication between Identity Server or Access Gateway and the Web browsers.

Specifying SSL Configuration for Identity Server:

All client communication with the Identity Server currently uses 128-bit encryption. If the browser does not support 128-bit encryption, the user is not allowed to authenticate. You can change the supported encryption level by adding or removing the ciphers listed in server.xml.

  1. At a command prompt, change to the Tomcat configuration directory:

    Linux: /opt/novell/nam/idp/conf

    Windows Server 2008: \Program Files (x86)\Novell\Tomcat\conf

  2. To edit the server.xml entries, search for the ciphers attribute in the <Connector> element and then modify the list of ciphers based on your needs. For example, a sample configuration that enables 128-bit encryption is as follows:

    ciphers="SSL_RSA_WITH_RC4_128_MD5,
    SSL_RSA_WITH_RC4_128_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
    SSL_RSA_WITH_3DES_EDE_CBC_SHA,
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
    TLS_KRB5_WITH_3DES_EDE_CBC_SHA,
    TLS_KRB5_WITH_RC4_128_SHA"

    This is a comma-separated list of the JSSE names for the TLS cipher suites.

    IMPORTANT: If you enter a cipher name incorrectly, Tomcat reverts to the default values, which allow the weak ciphers to be used.

    For a complete list of supported cipher suites and their requirements, see The SunJSSE Provider.

  3. To activate the cipher list, restart Tomcat.

    Linux: Enter one of the following commands:

    /etc/init.d/novell-idp restart

    rcnovell-idp restart

    Windows: Enter the following commands:

    net stop Tomcat7

    net start Tomcat7

  4. (Conditional) If you have multiple Identity Servers in your cluster configuration, repeat these steps on each Identity Server.
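As an added illustration, not taken from the product documentation: a Python script that pulls the ciphers attribute out of the SSL-enabled Connector in server.xml, flags entries that do not look like JSSE suite names (the kind of typo that makes Tomcat revert to its defaults), and reports suites built on RC4, 3DES, MD5, NULL, anonymous or export-grade primitives. The server.xml content is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
# Constructed server.xml fragment (not a real deployment file): a subset of
# the 128-bit list above, with one comma deliberately omitted so two names
# run together, the kind of typo the guide says makes Tomcat use its defaults.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" sslProtocol="TLS"
      ciphers="SSL_RSA_WITH_RC4_128_MD5,
      TLS_RSA_WITH_AES_128_CBC_SHA,
      TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
      SSL_RSA_WITH_3DES_EDE_CBC_SHA,
      TLS_RSA_WITH_AES_128_CBC_SHA256
      TLS_KRB5_WITH_RC4_128_SHA" />
  </Service>
</Server>"""

# JSSE names are SSL_/TLS_ plus underscore-joined tokens; whitespace or any
# other stray character inside an entry marks it as malformed.
NAME_RE = re.compile(r"^(SSL|TLS)_[A-Za-z0-9_]+$")
# Substrings identifying primitives a present-day review would flag.
LEGACY_MARKERS = ("RC4", "3DES", "MD5", "NULL", "anon", "EXPORT")

def extract_cipher_lists(server_xml: str) -> list[str]:
    """Return the raw ciphers attribute of every SSL-enabled Connector."""
    root = ET.fromstring(server_xml)
    return [c.get("ciphers", "") for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true"]

def audit_cipher_list(raw: str) -> dict:
    """Split a ciphers value on commas and classify every entry."""
    report = {"suites": [], "malformed": [], "legacy": {}}
    for entry in (e.strip() for e in raw.split(",")):
        if not NAME_RE.match(entry):
            report["malformed"].append(entry)  # Tomcat would reject the list
            continue
        report["suites"].append(entry)
        hits = [m for m in LEGACY_MARKERS if m in entry]
        if hits:
            report["legacy"][entry] = hits
    return report

if __name__ == "__main__":
    for raw in extract_cipher_lists(SAMPLE_SERVER_XML):
        report = audit_cipher_list(raw)
        print("valid suites:", report["suites"])
        print("malformed entries:", report["malformed"])
        for suite, hits in report["legacy"].items():
            print(f"{suite}: legacy primitives {', '.join(hits)}")
```

Run it against a copy of the real server.xml by reading the file into SAMPLE_SERVER_XML; any malformed entry means the whole list would be ignored by Tomcat, so fix those first.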

Specifying SSL Configuration for Access Gateway:

To restrict Access Gateway to serving only TLS 1.1 and TLS 1.2 requests, click Devices > Access Gateways > Edit > Advanced Options and add the following configuration:

SSLProtocol TLSv1.1 +TLSv1.2

The following is the default cipher setting in Access Gateway:

SSLCipherSuite TLSv1:!ADH:!NULL:+HIGH:-EXPORT40:-EXPORT56:-MEDIUM:-LOW

You can change the default cipher setting by specifying the following configuration in Advanced Options:

SSLHonorCipherOrder On

SSLCipherSuite <cipher-directive>

For more information about the SSLCipherSuite directive, see the SSLCipherSuite Directive documentation.

For more information about the SSLProtocol directive, see the Apache Module mod_ssl documentation.