C.8 Configuring Ciphers for the SGD Gateway

During installation, the Gateway is configured to use only high grade ciphers, so SSL connections to the Gateway always use enhanced security. If required, you can configure the Gateway to use a different set of ciphers.

C.8.1 How to Configure Ciphers for the Gateway

  1. Stop the Gateway.

    # /opt/SUNWsgdg/bin/gateway stop

  2. Configure the required ciphers.

    In the /opt/SUNWsgdg/etc directory, edit the ciphersuites.xml file.

    Note

    You can configure any of the cipher suites supported by the Java Runtime Environment (JRE) supplied with the Gateway. Enter the Java Secure Socket Extension (JSSE) name for the cipher suite.

    By default, the ciphersuites.xml file contains the following entries for high grade ciphers.

    <ciphersuites>
     <cipher>TLS_RSA_WITH_AES_128_CBC_SHA</cipher>
     <cipher>TLS_RSA_WITH_AES_256_CBC_SHA</cipher>
     <cipher>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</cipher>
     <cipher>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</cipher>
     <cipher>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</cipher>
     <cipher>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</cipher>
    </ciphersuites>
    
  3. Check that the xi:include entry shown below is present in the /opt/SUNWsgdg/etc/gateway.xml file, so that gateway.xml includes ciphersuites.xml.

    <service id="sgd-ssl-service" class="SSL">
      ...
      <keystore file="/opt/SUNWsgdg/proxy/etc/keystore.client"
       password="/opt/SUNWsgdg/etc/password"/>
      <xi:include href="ciphersuites.xml" parse="xml"/>
    </service>
    ...
    <service id="http-ssl-service" class="SSL">
      ...
      <keystore file="/opt/SUNWsgdg/proxy/etc/keystore.client"
       password="/opt/SUNWsgdg/etc/password"/>
      <xi:include href="ciphersuites.xml" parse="xml"/>
    </service>
    
  4. Restart the Gateway.

    # /opt/SUNWsgdg/bin/gateway start
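
A pre-restart check for steps 2 and 3, as an added example that is not part of the original documentation or of the SGD product: it flags entries in ciphersuites.xml that are not JSSE-style names or that name null, anonymous, export or legacy suites, and lists SSL services in gateway.xml that lack the xi:include. The function names, the weak-suite markers, and both sample documents (including the root element of the gateway.xml sample) are assumptions constructed for illustration; applying the include check to every class="SSL" service generalizes the two services shown above.

```python
import re
import xml.etree.ElementTree as ET

XI_INCLUDE = "{http://www.w3.org/2001/XInclude}include"
# Substrings of JSSE names that mark null, anonymous, export-grade or legacy suites.
WEAK_MARKERS = ("_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_", "_3DES_", "_MD5")
JSSE_NAME = re.compile(r"^(TLS|SSL)_[A-Za-z0-9_]+$")

# Constructed sample: two of the default entries plus two deliberately bad ones.
SAMPLE_CIPHERSUITES = """<ciphersuites>
 <cipher>TLS_RSA_WITH_AES_128_CBC_SHA</cipher>
 <cipher>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</cipher>
 <cipher>SSL_RSA_WITH_RC4_128_MD5</cipher>
 <cipher>AES256-SHA</cipher>
</ciphersuites>"""

# Constructed sample; the root element name and namespace placement are assumptions.
SAMPLE_GATEWAY = """<gateway xmlns:xi="http://www.w3.org/2001/XInclude">
 <service id="sgd-ssl-service" class="SSL">
  <xi:include href="ciphersuites.xml" parse="xml"/>
 </service>
 <service id="http-ssl-service" class="SSL"/>
</gateway>"""

def audit_ciphers(xml_text):
    """Return {cipher_name: problem} for entries that should not be deployed."""
    problems, seen = {}, set()
    for node in ET.fromstring(xml_text).iter("cipher"):
        name = (node.text or "").strip()
        if not JSSE_NAME.match(name):
            problems[name] = "not a JSSE cipher suite name"
        elif name in seen:
            problems[name] = "duplicate entry"
        elif any(marker in name for marker in WEAK_MARKERS):
            problems[name] = "weak or legacy suite"
        seen.add(name)
    return problems

def services_missing_include(xml_text, href="ciphersuites.xml"):
    """Return ids of class="SSL" services that do not xi:include the cipher file."""
    missing = []
    for svc in ET.fromstring(xml_text).iter("service"):
        if svc.get("class") != "SSL":
            continue
        if not any(inc.get("href") == href for inc in svc.iter(XI_INCLUDE)):
            missing.append(svc.get("id"))
    return missing

if __name__ == "__main__":
    print(audit_ciphers(SAMPLE_CIPHERSUITES))
    print(services_missing_include(SAMPLE_GATEWAY))
```

An OpenSSL-style name such as AES256-SHA is reported because the Gateway expects the JSSE name; whether a well-formed name is actually supported still depends on the JRE supplied with the Gateway.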