Sun Directory Server Enterprise Edition 7.0 Administration Guide

Choosing Encryption Ciphers

A cipher is the algorithm used to encrypt and decrypt data. Generally speaking, the longer the key a cipher uses, the stronger the encryption is, although the choice of algorithm matters as much as the key length. SSL cipher suites are also identified by the message authentication algorithm they use. Message authentication computes a keyed checksum (a MAC) over each record so that any tampering with the data in transit is detected.

When a client initiates an SSL connection with a server, the client and server must agree on a cipher to use to encrypt information; in any two-way encryption process, both parties must use the same cipher. Which cipher is used depends on the cipher list kept by the server: the server chooses the first cipher presented by the client that matches a cipher in its list, so a weak cipher that remains in the server list can still be negotiated by a client that offers it first. The default cipher value for Directory Server is all, which means every cipher that the underlying SSL library considers secure. You can modify this value so that the server accepts only certain ciphers.

For more information about the ciphers that are available with Directory Server, see Sun Directory Server Enterprise Edition 7.0 Reference.

Procedure: To Choose an Encryption Cipher

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Make sure that SSL is enabled for your server.

    See Configuring SSL Communication.

  2. View the available SSL ciphers.

    $ dsconf get-server-prop -h host -p port ssl-supported-ciphers
    ssl-supported-ciphers  :  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    ssl-supported-ciphers  :  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    ssl-supported-ciphers  :  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    ssl-supported-ciphers  :  TLS_DHE_DSS_WITH_AES_256_CBC_SHA 
  3. (Optional) If you want to keep a copy of non-encrypted data, export the data before setting the SSL ciphers.

    See Exporting to LDIF.

  4. Set the SSL ciphers.

    $ dsconf set-server-prop -h host -p port ssl-cipher-family:cipher

    For example, to set the cipher family to SSL_RSA_WITH_RC4_128_MD5 and SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, type the following. These two suites illustrate the syntax only: RC4-based and MD5-based suites are now considered weak, so for a new deployment prefer the AES suites shown in the listing from step 2.

    $ dsconf set-server-prop -h host1 -P 1636 ssl-cipher-family:SSL_RSA_WITH_RC4_128_MD5 \
    Enter "cn=Directory Manager" password:  
    Before setting SSL configuration, export Directory Server data. 
    Do you want to continue [y/n] ? y
    Directory Server must be restarted for changes to take effect.
  5. (Optional) Add an SSL cipher to an existing list.

    If you already have a list of ciphers specified, and you want to add a cipher, use this command:

    $ dsconf set-server-prop -h host -p port ssl-cipher-family+:cipher

    For example, to add the SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA cipher, type:

    $ dsconf set-server-prop -h host1 -P 1636 \
  6. Restart the server for the changes to take effect.

    $ dsadm restart /local/dsInst
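The negotiation rule described at the top of this section (the server takes the first client-offered suite that is also in its own list) only protects the server if weak suites are kept out of that list, and the procedure above gives no way to confirm the result after the restart. The following shell script is an added example, not part of the guide or of the Directory Server product: it builds a restricted ssl-cipher-family setting from the ssl-supported-ciphers listing of step 2, prints the set-server-prop line for step 4, and provides a post-restart check with openssl s_client for step 6. It assumes that dsconf accepts several ssl-cipher-family:value arguments in one set-server-prop call, that the local OpenSSL build still includes the suite being probed, and that host1, port 1636 and the sample listing (the four suites from step 2 plus weak suites added so the filter has something to reject) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Sun DSEE 7.0 guide: derive a restricted cipher
# list from the "ssl-supported-ciphers" listing and verify it after restart.
# Assumptions (not from the guide): dsconf takes repeated ssl-cipher-family:VALUE
# arguments in one call; host1/1636 and the sample listing are constructed.

# Constructed sample of "dsconf get-server-prop ... ssl-supported-ciphers"
# output: the four suites shown in the guide plus weak ones to be filtered out.
SAMPLE_SUPPORTED='ssl-supported-ciphers  :  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
ssl-supported-ciphers  :  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
ssl-supported-ciphers  :  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
ssl-supported-ciphers  :  TLS_DHE_DSS_WITH_AES_256_CBC_SHA
ssl-supported-ciphers  :  SSL_RSA_WITH_RC4_128_MD5
ssl-supported-ciphers  :  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
ssl-supported-ciphers  :  SSL_RSA_WITH_NULL_SHA
ssl-supported-ciphers  :  TLS_RSA_EXPORT_WITH_RC4_40_MD5'

# Read dsconf listing lines on stdin, print bare suite names (one per line).
suite_names() {
    sed -n 's/^ssl-supported-ciphers[[:space:]]*:[[:space:]]*//p' |
        sed 's/[[:space:]]*$//'
}

# Keep only suites without a known-weak component: RC4 (prohibited by RFC 7465),
# an MD5 MAC, single DES or 3DES, NULL encryption, export-grade keys, and
# anonymous key exchange.
strong_suites() {
    suite_names | grep -Ev '_RC4_|_MD5$|_DES_|_3DES_|_NULL_|_EXPORT_|_anon_|_ANON_'
}

# Turn the filtered list into the dsconf arguments for step 4, space separated.
dsconf_cipher_args() {
    strong_suites | sed 's/^/ssl-cipher-family:/' | tr '\n' ' ' | sed 's/ $//'
}

# Post-restart check (step 6): try to negotiate one suite the server should
# now refuse. Takes host, port and the OpenSSL name of the suite (for example
# RC4-MD5 for SSL_RSA_WITH_RC4_128_MD5; "openssl ciphers -stdname" maps names).
# Returns 0 if the server refused the suite, 1 if it accepted it, 2 if no
# handshake summary was produced (connection problem, or the local OpenSSL
# build lacks the suite), which is inconclusive rather than a pass.
cipher_is_rejected() {
    host=$1; port=$2; ossl_name=$3
    out=$(openssl s_client -connect "$host:$port" -cipher "$ossl_name" \
          </dev/null 2>&1)
    case "$out" in
        *'Cipher is (NONE)'*) return 0 ;;   # handshake failed: suite refused
        *'Cipher is '*)       return 1 ;;   # handshake succeeded: still enabled
        *)                    return 2 ;;
    esac
}

# Demonstration on the constructed sample: the set-server-prop line to run.
printf 'dsconf set-server-prop -h host1 -P 1636 %s\n' \
    "$(printf '%s\n' "$SAMPLE_SUPPORTED" | dsconf_cipher_args)"
```

To use it against a real instance, pipe the actual step 2 output into dsconf_cipher_args instead of the sample, run the printed command, restart with dsadm as in step 6, and then call cipher_is_rejected host1 1636 RC4-MD5 (and one call per suite you removed); treat a return value of 2 as "check your OpenSSL build or the connection", not as success. The filter is deliberately conservative: it rejects whole families by name rather than maintaining an allow-list, so a suite the underlying SSL library adds in a later patch is still accepted unless it carries one of the weak components.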