Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide

Procedure: To Choose an Encryption Cipher

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Make sure that SSL is enabled for your server.

    See Configuring SSL Communication.

  2. View the available SSL ciphers.


    $ dsconf get-server-prop -h host -p port ssl-supported-ciphers
    ssl-supported-ciphers  :  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    ssl-supported-ciphers  :  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    ssl-supported-ciphers  :  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    ssl-supported-ciphers  :  TLS_DHE_DSS_WITH_AES_256_CBC_SHA 
    ...

  3. (Optional) If you want to keep a copy of non-encrypted data, export the data before setting the SSL ciphers.

    See Exporting to LDIF.

  4. Set the SSL ciphers.


    $ dsconf set-server-prop -h host -p port ssl-cipher-family:cipher
    

    For example, to set the cipher family to SSL_RSA_WITH_RC4_128_MD5 and SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, type:


    $ dsconf set-server-prop -h host1 -p 1636 ssl-cipher-family:SSL_RSA_WITH_RC4_128_MD5 \
     ssl-cipher-family:SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    Enter "cn=Directory Manager" password:  
    Before setting SSL configuration, export Directory Server data. 
    Do you want to continue [y/n] ? y
    Directory Server must be restarted for changes to take effect.

  5. Restart the server for the changes to take effect.


    $ dsadm restart /local/ds
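
An added example, not part of the original guide: a shell filter that turns the step 2 listing into the `ssl-cipher-family:` arguments of step 4 while leaving out suites built on RC4, DES/3DES, RC2, MD5, NULL encryption, export-grade keys or anonymous key exchange. The function names, the exclusion pattern and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): derive step 4 arguments from step 2 output.

# Suites to leave out: RC4, single DES, 3DES, RC2, NULL encryption,
# export-grade keys, anonymous key exchange, and MD5 as the MAC.
WEAK='_(RC4|DES|DES40|3DES|RC2|NULL)_|_EXPORT|_anon_|_MD5$'

# stdin: dsconf output ("ssl-supported-ciphers  :  NAME"); any other line
# (password prompt, "...") is ignored. stdout: one retained suite per line.
filter_ciphers() {
    sed -n 's/^[[:space:]]*ssl-supported-ciphers[[:space:]]*:[[:space:]]*\([A-Za-z0-9_][A-Za-z0-9_]*\)[[:space:]]*$/\1/p' |
        grep -Ev "$WEAK"
}

# stdout: the repeated ssl-cipher-family:NAME arguments, on one line.
cipher_args() {
    filter_ciphers | sed 's/^/ssl-cipher-family:/' | paste -sd ' ' -
}

# Constructed sample listing. The first four names appear on this page;
# the last two are constructed to exercise the NULL and EXPORT rules.
sample_output() {
    cat <<'EOF'
ssl-supported-ciphers  :  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
ssl-supported-ciphers  :  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
ssl-supported-ciphers  :  SSL_RSA_WITH_RC4_128_MD5
ssl-supported-ciphers  :  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
ssl-supported-ciphers  :  SSL_RSA_WITH_NULL_SHA
ssl-supported-ciphers  :  SSL_RSA_EXPORT_WITH_RC4_40_MD5
EOF
}

# Print the resulting command for review rather than running it.
echo "dsconf set-server-prop -h host -p port $(sample_output | cipher_args)"
```

Against a live server, pipe the step 2 `dsconf get-server-prop` command into `cipher_args` in place of `sample_output`.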