18.1 Prerequisites

To configure Identity Manager in Suite B mode, your environment must meet the following conditions:

  • eDirectory 9.0.2 or later is installed as an Identity Vault

  • TLS 1.2 is enforced as a communication protocol

  • The Suite B connection parameter is specified in the driver, Remote Loader, or Fan-Out configuration to enforce the Suite B specification for secured communication

    NOTE: In Suite B mode, the SSL connection is restricted to accept only Suite B supported certificates. If a certificate is expired or invalid, the handshake fails and the communication is not established. For generating Suite B certificates, see “Creating a Server Certificate Object” in the NetIQ eDirectory Administration Guide.

The following table lists the requirements as specified by Suite B:

Requirement            Description

Protocol               TLS 1.2 is supported in Suite B mode.

Public keys            The public key for certificates must be a minimum size of EC 256 bits.

Signature algorithm    The signature algorithm for certificates must be a minimum size of ECDSA 256 bits (curve P256) and SHA256.

Hash algorithm         The hash algorithm must have the minimum size of SHA256.

Cipher specification   The following ciphers are supported for Suite B mode:

                         • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

                         • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

                       To use ciphers with stronger signature and hash algorithms, the certificates in the server key file must contain similar or stronger signature and hash algorithms.

Suite B supports two levels of cryptographic security: 128 bit and 192 bit. The level defines a minimum strength that all cryptographic algorithms must provide.

In Suite B 192-bit processing mode, the supported cipher suite is TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
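The following Python example, added here and not part of Identity Manager or the eDirectory documentation, builds a TLS context that enforces exactly what the table above requires for a chosen Suite B level (TLS 1.2 only, and only the listed ECDHE-ECDSA GCM ciphers), and checks whether a certificate's curve and signature hash are strong enough for that level. It assumes that the 192-bit level needs the "similar or stronger" P-384/SHA-384 pairing that matches AES-256-GCM-SHA384; the function and constant names are the example's own.

```python
import ssl

# Suite B levels from the table above: the 128-bit level allows both
# ECDHE-ECDSA GCM suites, the 192-bit level only AES-256-GCM-SHA384.
SUITE_B_CIPHERS = {
    128: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"),
    192: ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",),
}
# IANA suite names (as in the table) -> OpenSSL names that set_ciphers() accepts.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
}
OPENSSL_TO_IANA = {v: k for k, v in IANA_TO_OPENSSL.items()}

# Certificate strength per level. Assumption: the 192-bit level requires the
# "similar or stronger" P-384 / SHA-384 pairing that matches AES-256-GCM-SHA384.
CURVE_BITS = {"P-256": 256, "secp256r1": 256, "P-384": 384, "secp384r1": 384}
HASH_BITS = {"sha256": 256, "sha384": 384, "sha512": 512}


def suite_b_context(level=128, purpose=ssl.Purpose.SERVER_AUTH):
    """Build an SSLContext that negotiates only TLS 1.2 with Suite B ciphers."""
    if level not in SUITE_B_CIPHERS:
        raise ValueError("Suite B level must be 128 or 192")
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.2 is enforced ...
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # ... and nothing newer or older
    ctx.set_ciphers(":".join(IANA_TO_OPENSSL[n] for n in SUITE_B_CIPHERS[level]))
    return ctx


def enabled_suite_b_ciphers(ctx):
    """Return the TLS 1.2 suites the context will offer, in IANA naming."""
    return sorted(OPENSSL_TO_IANA.get(c["name"], c["name"])
                  for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


def certificate_meets_level(curve, sig_hash, level):
    """Check an ECDSA certificate's curve and signature hash against a level.

    An RSA key, a curve outside P-256/P-384, or a hash weaker than SHA-256
    never satisfies Suite B, whatever the level."""
    if level not in SUITE_B_CIPHERS:
        raise ValueError("Suite B level must be 128 or 192")
    needed = 256 if level == 128 else 384
    return (CURVE_BITS.get(curve, 0) >= needed
            and HASH_BITS.get(sig_hash.lower(), 0) >= needed)
```

Wrap a socket with the returned context on both ends of a Remote Loader or driver connection and the handshake can only succeed with a Suite B certificate and one of the listed ciphers; everything else fails at the handshake, as the note above describes.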