To configure Identity Manager in Suite B mode, your environment must meet the following conditions:

- eDirectory 9.0.2 or later is installed as an Identity Vault
- TLS 1.2 is enforced as the communication protocol
- The Suite B connection parameter is specified in the driver, Remote Loader, or Fan-Out configuration to enforce the Suite B specification for secured communication
NOTE: In Suite B mode, the SSL connection is restricted to accept only Suite B supported certificates. If a certificate is expired or invalid, the handshake fails and the communication is not established. For generating Suite B certificates, see "Creating a Server Certificate Object" in the NetIQ eDirectory Administration Guide.
The following table lists the requirements as specified by Suite B:

| Requirement | Description |
|---|---|
| Protocol | TLS 1.2 is supported in Suite B mode. |
| Public keys | The public key for certificates must be a minimum size of EC 256 bits. |
| Signature algorithm | The signature algorithm for certificates must be a minimum size of ECDSA 256 bits (curve P256) and SHA256. |
| Hash algorithm | The hash algorithm must have a minimum size of SHA256. |
| Cipher specification | The following ciphers are supported for Suite B mode: To use ciphers with stronger signature and hash algorithms, the certificates in the server key file must contain similar or stronger signature and hash algorithms. Suite B supports two levels of cryptographic security: 128 bit and 192 bit. The level defines the minimum strength that all cryptographic algorithms must provide. In Suite B 192-bit processing mode, the supported cipher suite is TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384. |
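As an added example that is not part of the Identity Manager documentation, the following Python snippet uses only the standard library to build a TLS context that enforces the 192-bit requirements from the table (TLS 1.2 only, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, peer certificate required) and a policy check that lists any negotiable TLS 1.2 suite violating them. The function names and the check logic are assumptions for illustration, not a Suite B API of the product.

```python
import ssl

# Suite B 192-bit suite named in the table, in OpenSSL notation
# (IANA name TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384).
SUITE_B_192_OPENSSL = "ECDHE-ECDSA-AES256-GCM-SHA384"


def suite_b_192_context(server_side: bool = False) -> ssl.SSLContext:
    """Build a context restricted to TLS 1.2 and the Suite B 192-bit suite."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    # Suite B mode requires TLS 1.2: pin both ends of the version range.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Only the Suite B 192-bit suite may be negotiated.
    ctx.set_ciphers(SUITE_B_192_OPENSSL)
    # An expired or otherwise invalid peer certificate fails the handshake.
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def suite_b_192_violations(ctx: ssl.SSLContext) -> list:
    """Return the TLS 1.2 cipher names the context could negotiate that do not
    satisfy the 192-bit profile: ECDHE key exchange, ECDSA authentication,
    AES-GCM with a 256-bit key. TLS 1.3 entries are skipped because the
    version pin above already disables them."""
    bad = []
    for info in ctx.get_ciphers():
        if info["protocol"] != "TLSv1.2":
            continue
        name = info["name"]
        conforming = (
            name.startswith("ECDHE-ECDSA-")
            and "-GCM-" in name
            and info["strength_bits"] >= 256
        )
        if not conforming:
            bad.append(name)
    return bad


def compare_policies() -> tuple:
    """Contrast the Suite B context with a stock default context."""
    strict = suite_b_192_violations(suite_b_192_context())
    stock = suite_b_192_violations(ssl.create_default_context())
    return strict, stock
```

Run `compare_policies()`: the Suite B context reports no violations, while the default context lists the RSA-authenticated and non-GCM suites it would still accept.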