Chapter 35. Configuring TLS for Identity Management

This document describes how to configure an Identity Management server to require the TLS protocol version 1.2 in Red Hat Enterprise Linux 7.3 and later.
TLS 1.2 is considered more secure than previous versions of TLS. If your IdM server is deployed in an environment with high security requirements, you can configure it to forbid communication using protocols that are less secure than TLS 1.2.


Repeat these steps on every IdM server where you want to use TLS 1.2.

35.1. Configuring the httpd Daemon

  1. Open the /etc/httpd/conf.d/nss.conf file, and set the following values for the NSSProtocol and NSSCipherSuite entries:
    NSSProtocol TLSv1.2
    NSSCipherSuite +ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
    Alternatively, use the following commands to set the values for you:
    # sed -i 's/^NSSProtocol .*/NSSProtocol TLSv1.2/' /etc/httpd/conf.d/nss.conf
    # sed -i 's/^NSSCipherSuite .*/NSSCipherSuite +ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_256_sha/' /etc/httpd/conf.d/nss.conf
  2. Restart the httpd daemon:
    # systemctl restart httpd