-
Notifications
You must be signed in to change notification settings - Fork 139
Configuring TLS Cipher List
Endi S. Dewata edited this page Feb 14, 2022
·
4 revisions
This page describes the process to configure TLS cipher list during installation (see Two-Step Installation) or after installation.
To configure the TLS server cipher list, edit the cipher list in /var/lib/pki/pki-tomcat/conf/server.xml
as needed (see Configuring Tomcat JSS):
<Server> ... <Connector ... tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+T LS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_ SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_ED E_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE _CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_W ITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_ DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_D HE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA" ... /> ... </Server>
Note: This procedure is only for CS subsystem to CS subsystem communication when acting as a client, it is not for CA subsystem to the LDAP server.
To configure TLS client cipher list for CA when communicating with KRA, edit /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
and update the clientCiphers
parameter, e.g.:
ca.connector.KRA.clientCiphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
To configure TLS client cipher list for TPS when communicating with CA, KRA, and TKS, edit /var/lib/pki/pki-tomcat/tps/conf/CS.cfg
and update the parameters below:
tps.connector.ca id.clientCiphers=... tps.connector.kra id.clientCiphers=... tps.connector.tks id.clientCiphers=...
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |