3.9 Configuring Stronger Ciphers for SSL Communication

All client communication with Identity Server currently uses 128-bit encryption. If the browser does not support 128-bit encryption, the user is not allowed to authenticate. The encryption level supported can be modified by adding or removing the ciphers listed in the server.xml file.

  1. Using command prompt, change to the Tomcat configuration directory:

    Linux: /opt/novell/nam/idp/conf

    Windows Server 2008: \Program Files (x86)\Novell\Tomcat\conf

  2. Open the server.xml file.

    Search for the cipher attribute in the <Connector> element and then modify the list to include the following ciphers:

    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

    This is a comma-separated list of the JSSE names for the TLS cipher suites.

    For example, see Section 3.19.1, server.xml.

    IMPORTANT: If you enter a cipher name incorrectly, Tomcat reverts to the default values, which allow the weak ciphers to be used.

    For a complete list of supported cipher suites and their requirements, see The SunJSSE Provider.

  3. Restart Tomcat.

  4. (Conditional) If you have multiple Identity Servers in your cluster configuration, repeat these steps on each Identity Server.

  5. Add the useServerCipherSuitesOrder attribute to the <Connector> element and set its value to true:

    useServerCipherSuitesOrder="true"
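As an added example that is not part of the NetIQ documentation, the following Python script checks a server.xml for the two conditions this procedure depends on: every cipher name in each SSL-enabled <Connector> must match the list above exactly (a single misspelt name silently reverts Tomcat to its defaults), and useServerCipherSuitesOrder must be "true". It assumes the Connector attribute is spelled ciphers, as in Tomcat, and runs against a constructed server.xml fragment embedded in the script.

```python
import xml.etree.ElementTree as ET

# JSSE cipher suite names from the procedure above.
EXPECTED_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
}

def check_connector(connector):
    """Return findings for one <Connector> element; an empty list means it passes."""
    findings = []
    raw = connector.get("ciphers")  # Tomcat's attribute name (assumed here)
    if raw is None:
        findings.append("no ciphers attribute: Tomcat defaults apply, including weak suites")
    else:
        names = [c.strip() for c in raw.split(",") if c.strip()]
        # One misspelt name makes Tomcat revert to its defaults, so every entry must match.
        bad = [c for c in names if c not in EXPECTED_CIPHERS]
        if bad:
            findings.append("unrecognised cipher name(s): " + ", ".join(bad))
        missing = sorted(EXPECTED_CIPHERS - set(names))
        if missing:
            findings.append("expected suite(s) not listed: " + ", ".join(missing))
    if connector.get("useServerCipherSuitesOrder", "").lower() != "true":
        findings.append('useServerCipherSuitesOrder is not "true"')
    return findings

def check_server_xml(xml_text):
    """Map each SSL-enabled <Connector> port to its findings."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): check_connector(c)
            for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"}

# Constructed sample: port 8443 has a typo (SHA56) and no ordering flag; 8444 is correct.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA56"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
    useServerCipherSuitesOrder="true"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"/>
</Service></Server>"""

if __name__ == "__main__":
    for port, findings in check_server_xml(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else findings)
```

Run it against the real file by replacing SAMPLE_SERVER_XML with the contents of server.xml from the conf directory named in step 1; an empty findings list for every SSL connector means the list and ordering flag are in place.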

For more information, see the overview of Strengthening TLS/SSL Settings.