Use this page to specify the security settings to be used with this Directory Server:
- Enabled
- Check this to specify that the directory server will use a TLS connection.
- TLS Port
- The port the directory server will use for TLS connections.
- Use Custom Certificates
- If TLS is enabled, check this option and specify the paths for root certificates, server certificate, key file, and passphrase.
In addition, the MF_ROOT_CERT environment variable will need to be set to the root-certificates file path.
- Certificate File
- Specifies the absolute path to the certificate file (.pem). If multiple certificates are used, separate the paths with a semicolon ';'.
- Keyfile
- Specifies the absolute path to the keyfile (.pem).
- Keyfile Password
- Specify the password for the keyfile here. If multiple keyfiles are used, separate the passwords with four colons '::::'.
Note: You can use the Micro Focus Vault Facility to store a secret for the certificate and keyfile pass phrases. This takes the following form:
mfsecret:configuration-name:secret-path
or:
mfsecret::secret-path
or:
mfsecret:secret-path
Advanced
- Certificate Password
- If the certificate is locked with a password, specify it here. If multiple certificates are used, then separate the passwords with two colons '::'.
- Honor Server Cipher List
- By default, the Honor Server Cipher List is checked. This forces clients to use the protocols and cipher suites specified in order of their priority.
- Protocols
- The list of TLS protocols to be used, in order of precedence. Each specified protocol is preceded by one of the following operators:
- !
- Exclude: Permanently exclude the protocol and ignore any subsequent attempt to add the protocol back in.
- +
- Add: Add the protocol to the existing collection.
- -
- Delete: Delete the protocol from the existing collection.
For example, to only use TLS1.1 and TLS1.2, type:
-ALL+TLS1.1+TLS1.2
Note: The Protocols field now supports TLS1.3.
- Cipher Suites
- Specifies the priority of cipher suites to be used. The cipher suite priority is formed using a combination of keywords and keyword modifiers for a space-separated string:
- !
- Exclude: Permanently exclude the cipher suite and ignore any subsequent attempt to add the cipher suite back in.
- +
- Add: Add the cipher suite to the end of the collection.
- -
- Delete: Delete the cipher suite from the existing collection.
By default, the following cipher suite list is used:
kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM +3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP
- Diffie-Hellman Minimum Group Size
- Specifies the modulus length, in bits, of the Diffie-Hellman group:
- Default
- 512 bit
- 1024 bit
- 2048 bit
- 4096 bit
Note: Micro Focus recommends a minimum modulus size of 2048 bits.
- Key Exchange Cipher Groups
- The key exchange cipher groups to be used, separated by semicolons ';'. For example:
secp521r1;secp384r1;prime256v1;secp256k1;secp224r1;secp224k1;prime192v1
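The following is an added example, not Micro Focus code: a small checker that resolves a Protocols string using the !, + and - operators described above, then reports deprecated protocols and a Diffie-Hellman size below the recommended 2048 bits. It assumes the collection starts with every known protocol and that TLS 1.0 is spelled "TLS1.0"; neither is stated on this page, and the function names are hypothetical.

```python
import re

# TLS1.1, TLS1.2, TLS1.3 and ALL appear on the page; "TLS1.0" is an assumed
# spelling, and starting from every known protocol is also an assumption.
KNOWN = ("TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3")
DEPRECATED = {"TLS1.0", "TLS1.1"}   # formally deprecated by RFC 8996
MIN_DH_BITS = 2048                  # minimum recommended on the page
TOKEN = re.compile(r"([!+-])([A-Za-z0-9.]+)")


def resolve_protocols(spec, start=KNOWN):
    """Apply the operators left to right and return the enabled protocols."""
    spec = "".join(spec.split())
    tokens = TOKEN.findall(spec)
    if not tokens or "".join(op + name for op, name in tokens) != spec:
        raise ValueError(f"malformed protocol string: {spec!r}")
    enabled, excluded = list(start), set()
    for op, name in tokens:
        names = KNOWN if name == "ALL" else (name,)
        for n in names:
            if n not in KNOWN:
                raise ValueError(f"unknown protocol: {n!r}")
            if op == "+":
                # '+' is ignored for anything '!' has permanently excluded.
                if n not in excluded and n not in enabled:
                    enabled.append(n)
                continue
            if op == "!":
                excluded.add(n)
            if n in enabled:        # both '!' and '-' remove the protocol
                enabled.remove(n)
    return enabled


def audit(spec, dh_bits):
    """Return findings for a Protocols string and a DH minimum group size."""
    findings = [f"{p} is enabled but deprecated (RFC 8996)"
                for p in resolve_protocols(spec) if p in DEPRECATED]
    if dh_bits < MIN_DH_BITS:
        findings.append(f"DH group size {dh_bits} is below {MIN_DH_BITS} bits")
    return findings


if __name__ == "__main__":
    # The page's own example string, paired with a constructed DH setting.
    for finding in audit("-ALL+TLS1.1+TLS1.2", 1024):
        print(finding)
```

Run against the page's example string, the checker reports TLS1.1 as deprecated; a string such as -ALL+TLS1.2+TLS1.3 with a 2048-bit group produces no findings.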