2.5 SSL Renegotiation

SSL renegotiation is the process of establishing a new SSL handshake over an existing SSL connection. SSL renegotiation can be initiated either by the SSL client or by the SSL server, and initiating it on the client or on the server requires a different set of APIs. The renegotiation messages (cipher suites and encryption keys) are encrypted and sent over the existing SSL connection, so the new session is established securely. Renegotiation is useful in the following scenarios:

SSL renegotiation is enabled or disabled by the following parameter: sun.security.ssl.allowUnsafeRenegotiation.

This is defined in a registry on Windows and a configuration file on SLES.

The registry key on Windows is [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\Tomcat7\Parameters\Java\Options]. (See How to set the registry key.)

The value data for the registry key that enables SSL renegotiation on Windows is:

-Dsun.security.ssl.allowUnsafeRenegotiation=true (see the procedure for enabling SSL renegotiation)

To disable SSL renegotiation on Windows, remove the following entry:

-Dsun.security.ssl.allowUnsafeRenegotiation=true

The configuration file on SLES that contains the parameter is:

/opt/novell/nam/idp/conf/tomcat7.conf

The entry in the configuration file that enables SSL renegotiation on SLES 11 SP2 and SP3 is:

JAVA_OPTS="${JAVA_OPTS} -Dsun.security.ssl.allowUnsafeRenegotiation=true"

To disable SSL renegotiation on SLES, remove the following entry:

JAVA_OPTS="${JAVA_OPTS} -Dsun.security.ssl.allowUnsafeRenegotiation=true"

You can verify whether the Identity Server, Access Gateway, and Administration Console support secure renegotiation by using the following command:

openssl s_client -connect <IP address of the Access Manager component>:<port>

The port is either 8443 or 443, depending on the Access Gateway configuration.
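The following script is an added example, not part of the Access Manager documentation. It audits a tomcat7.conf for the JAVA_OPTS entry described above and classifies an openssl s_client transcript by its "Secure Renegotiation IS supported" / "IS NOT supported" status line, which is where s_client reports the result of the verification command. The function names are hypothetical; the script assumes a POSIX shell, grep, and the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the Access Manager documentation): two small
# checks for the renegotiation settings described above.
# Assumes: a POSIX shell, grep, and the openssl command-line tool.

# 1) Audit a tomcat7.conf for the JVM option that allows legacy
#    (unsafe) renegotiation. Prints "allowed" or "not-allowed".
audit_unsafe_renegotiation_conf() {
    conf=$1   # e.g. /opt/novell/nam/idp/conf/tomcat7.conf
    # Ignore commented-out lines; only an active JAVA_OPTS entry counts.
    if grep -v '^[[:space:]]*#' "$conf" \
        | grep -q 'sun\.security\.ssl\.allowUnsafeRenegotiation=true'; then
        echo allowed
    else
        echo not-allowed
    fi
}

# 2) Classify an "openssl s_client" transcript (read from stdin) by its
#    "Secure Renegotiation" status line. Prints:
#      supported     - peer implements the secure renegotiation extension
#      not-supported - peer only offers legacy renegotiation
#      unknown       - no status line (handshake failed, wrong port, ...)
parse_secure_renegotiation() {
    transcript=$(cat)
    case "$transcript" in
        *"Secure Renegotiation IS NOT supported"*) echo not-supported ;;
        *"Secure Renegotiation IS supported"*)     echo supported ;;
        *)                                          echo unknown ;;
    esac
}

# Run the check against a live component; the port is 443 or 8443
# depending on the Access Gateway configuration. The leading "Q" tells
# s_client to close the connection once the handshake is done.
check_secure_renegotiation() {
    host=$1; port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "${host}:${port}" 2>/dev/null \
        | parse_secure_renegotiation
}

# Offline demonstration on a constructed transcript (not real output):
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
---
SSL handshake has read 1234 bytes and written 456 bytes
Secure Renegotiation IS supported
---'
printf '%s\n' "$SAMPLE_TRANSCRIPT" | parse_secure_renegotiation   # prints: supported
```

Call `check_secure_renegotiation <host> 8443` (or 443) against each component; a "not-supported" result means the peer is still negotiating without the secure renegotiation extension.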