TLS 1.0/1.1 ciphers disabled by default for secure LDAP connections

Several insecure TLS 1.0/1/1 ciphers are now disabled by default in HCL Compass . You will not be able to log in to HCL Compass via LDAP authentication if one of the disabled ciphers are used.

About this task

Previously, HCL Compass had the following ciphers enabled by default, for TLS 1.0/TLS 1.1 SSLV3.

cipher: Hex value:
SLAPD_SSL_RC4_MD5_EX "03"
SLAPD_SSL_RC2_MD5_EX "06"
SLAPD_SSL_RC4_SHA_US "05"
SLAPD_SSL_RC4_MD5_US "04"
SLAPD_SSL_DES_SHA_US "09"
SLAPD_SSL_3DES_SHA_US "0A"
SLAPD_SSL_AES_128_SHA_US "2F"
SLAPD_SSL_AES_256_SHA_US "35"

HCL Compass now has the following TLS 1.1/TLS 1.0 ciphers that are enabled by default:

SLAPD_SSL_AES_128_SHA_US "2F"
SLAPD_SSL_AES_256_SHA_US "35"

To enable other TLS 1.0 and TLS 1.1 ciphers, the '-S' and '-c' parameters can be used in the LDAP initialization string that it is defined by the installutil setldapinit command. For more information, see the installutil setldapinit topic.

-S refers to LDAP_OPT_SSL_SECURITY_PROTOCOL, and can be set with values of SSLV3, TLS10, TLS11 and TLS12, or multiple values of them connected by comma. See the above note about SSLV3 usage.

-c refers to LDAP_OPT_SSL_CIPHER, or the ciphers available for TLS 1.0, TLS 1.1, and SSLV3. It has a long list of supporting values that are described above, and can be set to multiple concatenated values. Refer to your LDAP server administrator for the values of this option.

Note: -C refers to LDAP_OPT_SSL_CIPHER_EX, or the ciphers available for TLS 1.2.

Example

installutil setldapinit 8.0.0 admin "" "-h ldapserver -Z -K 'win:c:\key.kdb;unix:/tmp/key.kdb' -S TLS10,TLS11 -c 05042F35"