Sun Directory Server Enterprise Edition 7.0 Administration Guide

Procedure: To Choose an Encryption Cipher

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Make sure that SSL is enabled for your server.

    See Configuring SSL Communication.

  2. View the available SSL ciphers.

    $ dsconf get-server-prop -h host -p port ssl-supported-ciphers
    ssl-supported-ciphers  :  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    ssl-supported-ciphers  :  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    ssl-supported-ciphers  :  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    ssl-supported-ciphers  :  TLS_DHE_DSS_WITH_AES_256_CBC_SHA

  3. (Optional) If you want to keep a copy of non-encrypted data, export the data before setting the SSL ciphers.

    See Exporting to LDIF.

  4. Set the SSL ciphers.

    $ dsconf set-server-prop -h host -p port ssl-cipher-family:cipher

    For example, to set the cipher family to SSL_RSA_WITH_RC4_128_MD5 and SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, type:

    $ dsconf set-server-prop -h host1 -P 1636 ssl-cipher-family:SSL_RSA_WITH_RC4_128_MD5 \
    Enter "cn=Directory Manager" password:  
    Before setting SSL configuration, export Directory Server data. 
    Do you want to continue [y/n] ? y
    Directory Server must be restarted for changes to take effect.

  5. (Optional) Add an SSL cipher to an existing list.

    If you already have a list of ciphers specified, and you want to add a cipher, use this command:

    $ dsconf set-server-prop -h host -p port ssl-cipher-family+:cipher

    For example, to add the SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA cipher, type:

    $ dsconf set-server-prop -h host1 -P 1636 \

  6. Restart the server for the changes to take effect.

    $ dsadm restart /local/dsInst
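The steps above (list the supported ciphers, then set ssl-cipher-family) are easy to script so that the cipher list a server ends up with is chosen by policy rather than typed by hand. The following shell script is an added example and is not part of the Administration Guide or of dsconf itself. It parses a listing in the same layout step 2 shows, keeps only forward-secret AES suites (ECDHE/DHE) and drops RC4, MD5, 3DES, NULL and export suites, then assembles the dsconf set-server-prop command for review. The listing is constructed sample data, not output captured from a real server, and the script assumes that several ssl-cipher-family:cipher properties can be passed on one command line, as the example in step 4 suggests. It prints the command instead of executing it, so an administrator can confirm the selection before restarting the server.

```shell
#!/bin/sh
# Added example (not from the Sun DSEE guide). Selects strong SSL ciphers from a
# "dsconf get-server-prop ... ssl-supported-ciphers" listing and builds the
# matching "dsconf set-server-prop" command.

# Constructed sample listing in the same layout the guide shows in step 2.
# The last three suites are included on purpose so the filter has something to reject.
SAMPLE_SUPPORTED='ssl-supported-ciphers  :  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
ssl-supported-ciphers  :  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
ssl-supported-ciphers  :  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
ssl-supported-ciphers  :  TLS_DHE_DSS_WITH_AES_256_CBC_SHA 
ssl-supported-ciphers  :  SSL_RSA_WITH_RC4_128_MD5
ssl-supported-ciphers  :  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
ssl-supported-ciphers  :  SSL_RSA_WITH_NULL_SHA'

# cipher_names: read a property listing on stdin, print one bare cipher name per line.
# Trailing whitespace (present on some listing lines) is stripped.
cipher_names() {
    grep '^ssl-supported-ciphers' | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# strong_ciphers: keep TLS suites with a forward-secret key exchange (ECDHE or DHE)
# and an AES bulk cipher; explicitly reject RC4, MD5, 3DES, NULL and EXPORT suites.
strong_ciphers() {
    cipher_names | grep -E '^TLS_(ECDHE|DHE)_' | grep -E '_WITH_AES_' \
        | grep -Ev 'RC4|MD5|3DES|NULL|EXPORT'
}

# cipher_family_args: turn the selected names into "ssl-cipher-family:NAME" arguments
# on a single line, the property form used in step 4.
cipher_family_args() {
    strong_ciphers | sed 's/^/ssl-cipher-family:/' | tr '\n' ' ' | sed 's/ $//'
}

# build_command HOST PORT: assemble the dsconf command for the sample listing.
# -P is the secure port flag used in the guide's own example.
build_command() {
    host=$1
    port=$2
    args=$(printf '%s\n' "$SAMPLE_SUPPORTED" | cipher_family_args)
    printf 'dsconf set-server-prop -h %s -P %s %s\n' "$host" "$port" "$args"
}

# Show the command that would be run; the server is only changed once an
# administrator runs it and then restarts the instance (step 6).
build_command host1 1636
```

Replace SAMPLE_SUPPORTED with the real listing (for example, `dsconf get-server-prop -h host -p port ssl-supported-ciphers | cipher_names`) to drive the selection from a live server. The denylist is deliberately separate from the allowlist so that a suite that passes the ECDHE/DHE and AES checks but later turns out to be unwanted can be excluded with a one-word change.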