Enabling or Disabling Ciphers in Directory Server


11/7/23, 4:26 PM Enabling or disabling ciphers in directory server


Enabling or disabling ciphers in directory server


1. Log in as omc user to the VM where dmgr service is running and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service.

2. Obtain the password of the cn=Manager account by entering:

[root]# /opt/nokia/oss/bin/syscredacc.sh -user cn=Manager -type DS

Sample output

[case-sensitive password]

3. Log in to the VM hosting the dirsrv service as omc user and switch to root user.

4. Set dirsrv and dirsrv-secondary services to maintenance mode:

a. Set dirsrv service to maintenance mode by entering:

[root]# smanager.pl maintenance dirsrv on

Expected outcome

Service dirsrv maintenance mode is set to on

b. Set dirsrv-secondary service to maintenance mode by entering:

[root]# smanager.pl maintenance dirsrv-secondary on

Expected outcome

Service dirsrv-secondary maintenance mode is set to on

5. Obtain the existing cipher configurations by entering:

[root]# ldapsearch -h localhost -W -D "cn=manager" -b "cn=encryption,cn=config" nsSSL3Ciphers | perl -p00e 's/\r?\n //g' | grep nsSSL3Ciphers | grep -v "#"

When prompted with Enter LDAP Password, enter the password of the cn=Manager user obtained in step 2.

Sample output

cudovm01.netact.nsn-rdnet.net/N22_FP2305/index.jsp?topic=%2Fadministering_netact_system_security_base%2Fconcepts%2Fhardening_dirsrv.html 1/5

nsSSL3Ciphers: +all,-TLS_RSA_WITH_RC4_128_MD5,+TLS_RSA_WITH_RC4_128_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_DES_CBC_SHA,-TLS_RSA_WITH_NULL_MD5,-TLS_RSA_WITH_NULL_SHA,-TLS_DHE_DSS_WITH_DES_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_DES_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_RC4_128_SHA

6. To enable a weak cipher, prefix its name with + in the list; to disable it, prefix the name with -. For the list of supported DirSrv ciphers, see Supported dirsrv ciphers.

7. Create a <filename>.txt file under /var/tmp directory and add the following entries:

For example:

[root]# cat /var/tmp/cipher_input.txt


+all,-TLS_RSA_WITH_RC4_128_MD5,+TLS_RSA_WITH_RC4_128_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_DES_CBC_SHA,-TLS_RSA_WITH_NULL_MD5,-TLS_RSA_WITH_NULL_SHA,-TLS_DHE_DSS_WITH_DES_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_DES_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_RC4_128_SHA

Note:

The entry is the value returned in step 5, with the + and - prefixes changed to define which ciphers are enabled or disabled.
To avoid any issues, make sure that the entry is a single line with no space or carriage return in it.

Ensure that the created /var/tmp/<filename>.txt cipher file contains the complete cipher configuration you need, because
the Enabling or disabling ciphers in directory server operation always overwrites the existing cipher configuration rather than merging with it.

8. Apply the updates to the nsSSL3Ciphers entry by entering:

[root]# /opt/cpf/bin/cpfrhdsconf_configure_instance_parameters.sh --DN='cn=encryption,cn=config' --attribute=nsSSL3Ciphers --value=$(cat /var/tmp/<filename>.txt)

For example:

[root]# /opt/cpf/bin/cpfrhdsconf_configure_instance_parameters.sh --DN='cn=encryption,cn=config' --attribute=nsSSL3Ciphers --value=$(cat /var/tmp/cipher_input.txt)

Sample output

/opt/cpf/bin/cpfrhdsconf_configure_instance_parameters.sh begins
Setting value of nsSSL3Ciphers in cn=encryption,cn=config to +all,-SSL_CK_RC4_128_WITH_MD5,-SSL_CK_RC4_128_EXPORT40_WITH_MD5,
... -TLS_DHE_DSS_WITH_RC4_128_SHA
/opt/cpf/bin/cpfrhdsconf_configure_instance_parameters.sh ends

9. Copy the created cipher file to the VM hosting the dirsrv-secondary service by entering:

[root]# scp /var/tmp/<filename>.txt omc@<hostname_dirsrv_secondary>:/var/tmp

For example:

[root]# scp /var/tmp/cipher_input.txt omc@custvm05:/var/tmp
omc@custvm05's password:

Note:
When prompted, enter the password of omc user.

Sample output

cipher_input.txt 100% 522 33.4KB/s 00:00

10. Log in to the VM hosting the dirsrv-secondary service as omc user and switch to root user.

11. Update the nsSSL3Ciphers entry on the VM hosting the dirsrv-secondary service by entering:

[root]# /opt/cpf/bin/cpfrhdsconf_configure_instance_parameters.sh --DN='cn=encryption,cn=config' --attribute=nsSSL3Ciphers --value=$(cat /var/tmp/<filename>.txt)

For example:

[root]# /opt/cpf/bin/cpfrhdsconf_configure_instance_parameters.sh --DN='cn=encryption,cn=config' --attribute=nsSSL3Ciphers --value=$(cat /var/tmp/cipher_input.txt)

Sample output

/opt/cpf/bin/cpfrhdsconf_configure_instance_parameters.sh begins
Setting value of nsSSL3Ciphers in cn=encryption,cn=config to +all,-SSL_CK_RC4_128_WITH_MD5,-SSL_CK_RC4_128_EXPORT40_WITH_MD5,
... -TLS_DHE_DSS_WITH_RC4_128_SHA
/opt/cpf/bin/cpfrhdsconf_configure_instance_parameters.sh ends

12. Restart the directory server on the VM hosting the dirsrv-secondary service by entering:

[root]# systemctl restart cpfdirsrv

a. Check whether the dirsrv-secondary service is active by entering:

[root]# systemctl is-active cpfdirsrv

Sample output


active

13. Log in to the VM hosting the dirsrv service as omc user and switch to root user.

14. Restart the directory server by entering:

[root]# systemctl restart cpfdirsrv

a. Check the status by entering:

[root]# systemctl is-active cpfdirsrv

Sample output

active

15. Remove dirsrv and dirsrv-secondary services from the maintenance mode.

a. Remove the dirsrv service from the maintenance mode by entering:

[root]# smanager.pl maintenance dirsrv off

Expected outcome

Service dirsrv maintenance mode is set to off

b. Remove the dirsrv-secondary service from the maintenance mode by entering:

[root]# smanager.pl maintenance dirsrv-secondary off

Expected outcome

Service dirsrv-secondary maintenance mode is set to off

16. Verify that the changes are in effect by repeating step 5 on both the dirsrv and the dirsrv-secondary VMs.

17. Remove the /var/tmp/<filename>.txt file from both dirsrv VMs by entering:

[root]# rm -rf /var/tmp/<filename>.txt
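To turn the value returned in step 5 into the one-liner that step 7 needs, and to confirm after step 16 that no weak suite is still enabled, here is an added helper script; it is not part of the NetAct documentation or the product, and which suites count as weak (RC4, DES, 3DES, NULL, MD5 and EXPORT) is this example's assumption.

```shell
#!/bin/sh
# Added example (not from the NetAct documentation): audit and harden an
# nsSSL3Ciphers value in the format step 5 returns, i.e. one line of
# comma-separated tokens, each prefixed with + (enabled) or - (disabled).
# The weak-suite patterns below are this example's assumption.

# Return 0 if the cipher name matches one of the weak-suite patterns.
is_weak_cipher() {
    case $1 in
        *RC4*|*_DES_*|*3DES*|*NULL*|*MD5*|*EXPORT*) return 0 ;;
    esac
    return 1
}

# Print the names of weak suites that are still enabled (+), one per line.
# Run it on the step 5 / step 16 output to confirm the change took effect.
enabled_weak_ciphers() {
    old_ifs=$IFS; IFS=,
    for token in $1; do
        name=${token#[+-]}
        case $token in
            +*) is_weak_cipher "$name" && printf '%s\n' "$name" ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Rewrite the value so every weak suite is prefixed with -, keeping the order
# and all other tokens (including +all) unchanged. Refuses input containing
# whitespace, because the one-liner passed to --value=$(cat ...) must not.
harden_ciphers() {
    case $1 in
        *[[:space:]]*) echo "error: whitespace in cipher list" >&2; return 1 ;;
    esac
    out=""
    old_ifs=$IFS; IFS=,
    for token in $1; do
        sign=${token%%[!+-]*}   # leading + or -, empty if absent
        name=${token#"$sign"}
        if is_weak_cipher "$name"; then sign="-"; fi
        out="${out:+$out,}$sign$name"
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}
# Usage: harden_ciphers "$(ldapsearch ... | sed 's/^nsSSL3Ciphers: //')" > /var/tmp/cipher_input.txt
```

The output of harden_ciphers is a single line with no trailing spaces, so it can be written straight into the cipher file used in step 7.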

Supported dirsrv ciphers

Parent topic: Managing TLS ciphers in directory server

Administering NetAct System Security • DN0979438_C • Platform-22.0.23.357

© 2021 Nokia. All rights reserved.
