Configuring TLS 1.2 for Identity Management in RHEL 6.9

This document describes how to configure an Identity Management (IdM) server to require the TLS protocol version 1.2 in Red Hat Enterprise Linux 6.9.

TLS 1.2 is considered more secure than previous versions of TLS. If your IdM server is deployed in an environment with high security requirements, you can configure it to forbid communication using protocols that are less secure than TLS 1.2.

IMPORTANT: Repeat these steps on every IdM server where you want to use TLS 1.2.

Configure the httpd Daemon

1. Open the /etc/httpd/conf.d/nss.conf file, and set the following values for the NSSProtocol and NSSCipherSuite entries:

NSSProtocol TLSv1.2
NSSCipherSuite +ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

Alternatively, run the following commands to set the values for you:

# sed -i 's/^NSSProtocol .*/NSSProtocol TLSv1.2/' /etc/httpd/conf.d/nss.conf
# sed -i 's/^NSSCipherSuite .*/NSSCipherSuite +ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_256_sha/' /etc/httpd/conf.d/nss.conf

2. Restart the httpd daemon:

# /sbin/service httpd restart

Configure the Directory Server (DS) Component

To configure DS manually:

1. Stop DS:

# /sbin/service dirsrv stop

2. Open the /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif file, and modify the cn=encryption,cn=config entry to set the following:

nsTLS10: off
nsTLS11: off
nsTLS12: on
nsSSL2: off
nsSSL3: off
nsSSL3Ciphers: -all

3. Make sure nsTLS1 is not present in cn=encryption,cn=config.

4. Start DS:

# /sbin/service dirsrv start

Alternatively, to configure DS automatically using the ldapmodify utility:

1. Use ldapmodify to make the configuration changes for you:

ldapmodify -h localhost -p 389 -D 'cn=directory manager' -W << EOF
dn: cn=encryption,cn=config
changeType: modify
delete: nsTLS1
-
add: nsTLS10
nsTLS10: off
-
add: nsTLS11
nsTLS11: off
-
add: nsTLS12
nsTLS12: on
-
replace: nsSSL2
nsSSL2: off
-
replace: nsSSL3
nsSSL3: off
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -all
EOF

2. Restart DS to load the new configuration:

# /sbin/service dirsrv restart

Configure the IdM Certificate Authority (CA)

NOTE: This part is applicable only if the IdM server was configured with an integrated Certificate Authority (CA).

1. Stop DS:

# /sbin/service dirsrv stop

2. Open the /etc/dirsrv/slapd-PKI-IPA/dse.ldif file, and repeat the configuration changes you made for DS.

3. Start DS:

# /sbin/service dirsrv start

Alternatively, to configure the CA automatically using the ldapmodify utility:

1. Use ldapmodify to make the configuration changes for you:

ldapmodify -h localhost -p 7389 -D 'cn=directory manager' -W << EOF
dn: cn=encryption,cn=config
changeType: modify
delete: nsTLS1
-
add: nsTLS10
nsTLS10: off
-
add: nsTLS11
nsTLS11: off
-
add: nsTLS12
nsTLS12: on
-
replace: nsSSL2
nsSSL2: off
-
replace: nsSSL3
nsSSL3: off
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -all
EOF

2. Restart DS to load the new configuration:

# /sbin/service dirsrv restart

Configure the Certificate Server (CS) Component

1. Open the /etc/pki-ca/server.xml file, and set all occurrences of the sslVersionRangeStream and sslVersionRangeDatagram parameters to the following values:

sslVersionRangeStream="tls1_2:tls1_2"
sslVersionRangeDatagram="tls1_2:tls1_2"

Alternatively, run the following command to replace the values for you:

# sed -i 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' /etc/pki-ca/server.xml

2. Restart CS:

# /sbin/service pki-cad restart

Result

The IdM server is configured to require TLS 1.2. IdM clients that only support previous TLS versions are no longer able to communicate with the IdM server.
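To confirm that all three files (nss.conf, the dse.ldif of each DS instance, and server.xml) ended up with the settings above, the following audit script is an added example that is not part of the Red Hat article. It takes the file paths as arguments, so it can be pointed at the live files or, as shown, at constructed sample files; the sample contents are made up for the demonstration and are not captured from a real server.

```shell
# Audit the TLS 1.2 settings this procedure changes. Added example, not
# from the Red Hat article; paths are arguments so it runs on live or copied files.

# nss.conf: NSSProtocol must be exactly TLSv1.2, with no older version listed.
check_nss_conf() {
    grep -Eq '^NSSProtocol[[:space:]]+TLSv1\.2[[:space:]]*$' "$1"
}

# dse.ldif: print only the cn=encryption,cn=config entry (entries end at a blank line).
encryption_entry() {
    awk '/^dn: cn=encryption,cn=config$/{p=1} /^$/{p=0} p' "$1"
}

# dse.ldif: every required attribute has the right value, and nsTLS1 is absent (step 3).
check_dse_ldif() {
    entry=$(encryption_entry "$1")
    for want in 'nsTLS10: off' 'nsTLS11: off' 'nsTLS12: on' \
                'nsSSL2: off' 'nsSSL3: off' 'nsSSL3Ciphers: -all'; do
        printf '%s\n' "$entry" | grep -qix "$want" || return 1
    done
    ! printf '%s\n' "$entry" | grep -qi '^nsTLS1:'
}

# server.xml: at least one sslVersionRange* attribute, and all of them tls1_2:tls1_2.
check_server_xml() {
    ranges=$(grep -Eo 'sslVersionRange(Stream|Datagram)="[^"]*"' "$1") || return 1
    ! printf '%s\n' "$ranges" | grep -vq '="tls1_2:tls1_2"$'
}

# Constructed samples (not real server files): a hardened set and a set that
# still permits older protocol versions or kept the legacy nsTLS1 attribute.
S=$(mktemp -d)
printf 'NSSProtocol TLSv1.2\nNSSCipherSuite +rsa_aes_256_sha\n' > "$S/nss.good"
printf 'NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2\n' > "$S/nss.bad"
cat > "$S/dse.good" <<'EOF'
dn: cn=config
nsslapd-port: 389

dn: cn=encryption,cn=config
nsTLS10: off
nsTLS11: off
nsTLS12: on
nsSSL2: off
nsSSL3: off
nsSSL3Ciphers: -all
EOF
# Same values as dse.good, but the old nsTLS1 attribute was never deleted.
{ printf 'dn: cn=encryption,cn=config\nnsTLS1: on\n'; sed 1,4d "$S/dse.good"; } > "$S/dse.bad"
printf '<Connector sslVersionRangeStream="tls1_2:tls1_2" sslVersionRangeDatagram="tls1_2:tls1_2"/>\n' > "$S/xml.good"
printf '<Connector sslVersionRangeStream="tls1_0:tls1_2" sslVersionRangeDatagram="tls1_2:tls1_2"/>\n' > "$S/xml.bad"
```

Run the three check functions against /etc/httpd/conf.d/nss.conf, each instance's dse.ldif (with DS stopped, as in the manual procedure) and /etc/pki-ca/server.xml; a non-zero exit from any of them means that file still permits something older than TLS 1.2.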