Sun Java System Web Server 6.1 SP9 Administrator's Guide

Setting Stronger Ciphers

The Stronger Ciphers option presents a choice of 168, 128, or 56-bit secret key size for access. You can specify a file to be served when the restriction is not met. If no file is specified, the Sun Java System Web Server displays a “Forbidden” status.

If you select a key size for access that is not consistent with the current cipher settings under Security Preferences, Sun Java System Web Server displays a popup dialog warning that you need to enable ciphers with larger secret key sizes.

The implementation of the key size restriction is now based on an NSAPI PathCheck directive in obj.conf, rather than Service fn=key-toosmall. This directive is:

PathCheck fn="ssl-check" [secret-keysize=<nbits>] [bong-file=<filename>]

where <nbits> is the minimum number of bits required in the secret key, and <filename> is the name of a file (not a URI) to be served if the restriction is not met.

PathCheck returns REQ_NOACTION if SSL is not enabled, or if the secret-keysize parameter is not specified. If the secret key size for the current session is less than the specified secret-keysize, the function returns REQ_ABORTED with a status of PROTOCOL_FORBIDDEN if bong-file is not specified, or else REQ_PROCEED, and the “path” variable is set to the bong-file <filename>. Also, when a key size restriction is not met, the SSL session cache entry for the current session is invalidated, so that a full SSL handshake will occur the next time the same client connects to the server.

Note –

The Stronger Ciphers form removes any Service fn=key-toosmall directives that it finds in an object when it adds a PathCheck fn=ssl-check.

To Set Stronger Ciphers, perform the following steps:

ProcedureTo set stronger ciphers

  1. Access the Server Manager and select the server instance from the drop-down list.

  2. Click the Virtual Server Class tab.

  3. Select a class from the drop-down list and click Manage.

    The Class Manager page appears.

  4. Choose the Content Mgmt tab.

  5. Select Stronger Ciphers.

  6. Choose to edit:

    • from the drop down list

      • by clicking Browse

      • by clicking Wildcard

  7. Select the secret key size restriction:

    • 168 bit or larger

      • 128 bit or larger

      • 56 bit or larger

      • No restrictions

  8. Enter the file location of the message to reject access.

  9. Click OK.

  10. Click Apply.

  11. Select hard start /restart or dynamically apply

    For more information, see Introduction to SSL.