Configuring TLS 1.2 for Identity Management in RHEL 6.9

Updated -

This document describes how to configure an Identity Management (IdM) server to require the TLS protocol version 1.2 in Red Hat Enterprise Linux 6.9.

TLS 1.2 is considered more secure than previous versions of TLS. If your IdM server is deployed in an environment with high security requirements, you can configure it to forbid communication using protocols that are less secure than TLS 1.2.

IMPORTANT: Repeat these steps on every IdM server where you want to use TLS 1.2.

Configure the httpd Daemon

1.Open the /etc/httpd/conf.d/nss.conf file, and set the following values for the NSSProtocol and NSSCipherSuite entries:

NSSProtocol TLSv1.2
NSSCipherSuite +ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

Alternatively, run the following commands to set the values for you:

# sed -i 's/^NSSProtocol .*/NSSProtocol TLSv1.2/' /etc/httpd/conf.d/nss.conf
# sed -i 's/^NSSCipherSuite .*/NSSCipherSuite +ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_256_sha/' /etc/httpd/conf.d/nss.conf

2.Restart the httpd daemon:

# /sbin/service httpd restart

Configure the Directory Server (DS) Component

To configure DS manually:

1.Stop DS:

# /sbin/service dirsrv stop

2.Open the /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif file, and modify the cn=encryption,cn=config entry to set the following:

sTLS10: off
sTLS11: off
sTLS12: on
sSSL2: off
sSSL3: off
sSSL3Ciphers: -all

3.Make sure nsTLS1 is not present in cn=encryption,cn=config.

4.Start DS:

# /sbin/service dirsrv start

Alternatively, to configure DS automatically using the ldapmodify utility:

1.Use ldapmodify to make the configuration changes for you:

ldapmodify -h localhost -p 389 -D 'cn=directory manager' -W << EOF
dn: cn=encryption,cn=config
changeType: modify
delete: nsTLS1
-
add: nsTLS10
nsTLS10: off
-
add: nsTLS11
nsTLS11: off
-
add: nsTLS12
nsTLS12: on
-
replace: nsSSL2
nsSSL2: off
-
replace: nsSSL3
nsSSL3: off
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -all
EOF

2.Restart DS to load the new configuration:

# /sbin/service dirsrv restart

Configure the IdM Certificate Authority (CA)

NOTE: This part is applicable only if the IdM server was configured with an integrated Certificate Authority (CA).

1.Stop DS:

# /sbin/service dirsrv stop

2.Open the /etc/dirsrv/slapd-PKI-IPA/dse.ldif file, and repeat the configuration changes you made for DS.

3.Start DS:

# /sbin/service dirsrv start

Alternatively, to configure the CA automatically using the ldapmodify utility:

1.Use ldapmodify to make the configuration changes for you:

ldapmodify -h localhost -p 7389 -D 'cn=directory manager' -W << EOF
dn: cn=encryption,cn=config
changeType: modify
delete: nsTLS1
-
add: nsTLS10
nsTLS10: off
-
add: nsTLS11
nsTLS11: off
-
add: nsTLS12
nsTLS12: on
-
replace: nsSSL2
nsSSL2: off
-
replace: nsSSL3
nsSSL3: off
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -all
EOF

2.Restart DS to load the new configuration:

# /sbin/service dirsrv restart

Configure the Certificate Server (CS) Component

1.Open the /etc/pki-ca/server.xml file, and set all occurrences of the sslVersionRangeStream and sslVersionRangeDatagram parameters to the following values:

sslVersionRangeStream="tls1_2:tls1_2"
sslVersionRangeDatagram="tls1_2:tls1_2"

Alternatively, run the following command to replace the values for you:

# sed -i 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' /etc/pki-ca/server.xml

2.Restart CS:

# /sbin/service pki-cad restart

Result

The IdM server is configured to require TLS 1.2. IdM clients that only support previous TLS versions are no longer able to communicate with the IdM server.

Was this helpful?

We appreciate your feedback. Leave a comment if you would like to provide more detail.
It looks like we have some work to do. Leave a comment to let us know how we could improve.
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.