18.2 Configuring the Settings for Suite B Mode

To meet the requirements specified by Suite B, you must specify the appropriate settings in the Identity Manager components. This section provides information about those settings.

18.2.1 Engine

To configure the Identity Manager engine in Suite B mode, you must set the Suite B configuration option enforceSuiteB = true in the driver configuration by using Designer or iManager.

With the use of stronger ciphers in Suite B mode, passwords managed by the engine, such as named passwords, application passwords, and Remote Loader passwords, are re-encrypted when they are used for the first time after upgrading the engine to version 4.6. On an upgraded engine, the existing encrypted attribute values in the driver cache file are not re-encrypted with the stronger ciphers because they are removed from the TAO file when the event is processed. However, new encrypted attributes stored in the cache are encrypted with AES 256-bit keys.

18.2.2 Engine and Remote Loader Communication

To make engine and Remote Loader communication compliant with Suite B mode, set the Suite B configuration option enforceSuiteB = true in the driver configuration. Suite B communication can also be configured in a driver's Remote Loader configuration file by setting enforceSuiteB to true. For more information, see Configuring the Remote Loader and Drivers.

Suite B mode is disabled by default. When you enable it, Identity Manager automatically uses TLS 1.2 or later for communication. If you try to connect a Suite B-enabled engine to a Remote Loader that does not support TLS 1.2, the handshake fails and no communication is established. Remote Loader 4.5.3, for example, does not support TLS 1.2.

18.2.3 Engine and Fan-Out Agent Communication

To enable Suite B communication, manually add the netiq.fanoutagent.connection.enforceSuiteB=true parameter to the Fan-Out Agent configuration file. You must also specify enforceSuiteB = true in the driver configuration. Suite B configuration is supported with driver version 1.0.1.1. For more information, see the NetIQ Identity Manager Driver for JDBC Fanout Implementation Guide.
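Because the Remote Loader and Fan-Out Agent settings described in the two sections above live in files on each host, it is worth checking them before relying on Suite B enforcement. The following audit script is an added example, not NetIQ code; it assumes the Fan-Out Agent file is a Java properties file (key=value lines, # or ! comments), as the key name suggests, and that the Remote Loader file carries the setting as a line of the form enforceSuiteB=true. The sample files are constructed for illustration.

```python
"""Audit Identity Manager config files for the Suite B enforcement setting.

Added example, not NetIQ code. Assumptions:
- Fan-Out Agent configuration is a Java .properties file.
- Remote Loader configuration carries the setting as 'enforceSuiteB=true'
  (the exact syntax of that file is not described here; this is an assumption).
"""
import re

# Setting name each component expects (Remote Loader key is an assumption).
SUITE_B_KEYS = {
    "fanout_agent": "netiq.fanoutagent.connection.enforceSuiteB",
    "remote_loader": "enforceSuiteB",
}

# key, optional '=' or ':' separator, value; tolerates 'key = value' spacing.
_LINE = re.compile(r"^([^#!=:\s][^=:\s]*)\s*[=:]?\s*(.*?)\s*$")


def parse_settings(text):
    """Return {key: value} for the last uncommented occurrence of each key."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank or commented-out line: setting is not in effect
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def suite_b_enforced(text, component):
    """True only if the component's Suite B key is present and set to 'true'."""
    key = SUITE_B_KEYS[component]
    return parse_settings(text).get(key, "").strip().lower() == "true"


def audit(files):
    """files: {name: (component, text)} -> {name: enforced?}"""
    return {name: suite_b_enforced(text, comp) for name, (comp, text) in files.items()}


# Constructed sample files (not from a real deployment).
SAMPLE_FILES = {
    "fanoutagent.properties": ("fanout_agent",
        "# Fan-Out Agent settings\nnetiq.fanoutagent.connection.enforceSuiteB=true\n"),
    "fanoutagent-old.properties": ("fanout_agent",
        "#netiq.fanoutagent.connection.enforceSuiteB=true\n"),  # commented out
    "driver1-rl.txt": ("remote_loader", "enforceSuiteB = true\n"),
    "driver2-rl.txt": ("remote_loader", "enforceSuiteB=false\n"),
}

if __name__ == "__main__":
    for name, ok in audit(SAMPLE_FILES).items():
        print(f"{name}: {'Suite B enforced' if ok else 'NOT enforced'}")
```

A commented-out line is reported as not enforced, which is the case a quick visual inspection most often misses.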

18.2.4 Identity Manager Drivers

In addition to the configuration changes discussed in the earlier sections, the following drivers include changes that enable them for Suite B.

eDirectory to eDirectory Driver

The eDir-to-eDir Driver Certificates Wizard in iManager and Designer allows the use of stronger ciphers for encrypting the data as specified by Suite B. You import the Suite B compliant certificates into the certificate store that the driver uses. For more information, see Securing Driver Communication in the NetIQ Driver for eDirectory Implementation Guide.

Active Directory Driver

The driver stores passwords in the Windows registry. For Suite B compliance, the driver uses the AES 256-bit encryption algorithm to encrypt new passwords.

Passwords that are already in the registry are not re-encrypted with the stronger ciphers because they are cleaned up when the event is processed. However, new passwords stored in the registry are encrypted with AES 256-bit keys.