Note: this component has a complexity level of "expert", which means that objects of this type are not expected to be created or altered. Please contact support for assistance if you believe that you have a need to create or modify this type of object.
The Crypto Manager provides a common interface for performing compression, decompression, hashing, encryption and other kinds of cryptographic operations.
The properties supported by this managed object are as follows:
Basic Properties: | Advanced Properties: |
---|---|
↓ ssl-protocol | ↓ digest-algorithm |
↓ ssl-cipher-suite | ↓ mac-algorithm |
↓ outbound-ssl-protocol | ↓ mac-key-length |
↓ outbound-ssl-cipher-suite | ↓ cipher-transformation |
↓ enable-sha-1-cipher-suites | ↓ cipher-key-length |
↓ enable-rsa-key-exchange-cipher-suites | ↓ key-wrapping-transformation |
↓ ssl-cert-nickname |
ssl-protocol
Description | Specifies the names of TLS protocols that are allowed for use in secure communication. This property directly controls the set of TLS protocols that will be used for replication. Connection handlers will also inherit the value of this property to determine the set of TLS protocols that they will support by default, but that may be overridden on a per-connection-handler basis with the ssl-protocol property in the connection handler configuration. If no values are provided, the server will automatically select an appropriate set of secure TLS protocols to enable by default. Allowed values depend on what is supported in the underlying JVM and can be found in the "cn=SSL Context,cn=monitor" entry, but supported values typically include some or all of the following:
|
Default Value | Automatically select an appropriate set of secure TLS protocols to enable by default. |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | The Directory Server must be restarted for changes to this setting to take effect. For a connection handler that inherits its TLS protocol configuration from the crypto manager, changes to the set of enabled TLS protocols in the crypto manager will only take effect for that connection handler after it is disabled and re-enabled or after the server is restarted. Changes to the TLS protocols allowed for replication will only take effect after a server restart. |
ssl-cipher-suite
Description | Specifies the names of the TLS cipher suites that are allowed for use in secure communication. This property directly controls the set of TLS cipher suites that will be used for replication. Connection handlers will also inherit the value of this property to determine the set of TLS cipher suites that they will support by default, but that may be overridden on a per-connection-handler basis with the ssl-cipher-suite property in the connection handler configuration. If no values are provided, the server will automatically select a set of cipher suites that provide a combination of good security and client compatibility. You can specify the exact set of TLS cipher suites that should be enabled by providing the names of those suites as the value for this property. Alternatively, you can amend the set of TLS cipher suites that would be chosen by default by specifying values that are prepended with either a '+' or a '-' character. Using a '+' will add the specified suite to the default set. Likewise, a '-' will remove the specified suite from the default set. Exact values cannot be combined with a set of modifications to the default suites. The set of cipher suites available for use in the JVM can be found in the "cn=SSL Context,cn=monitor" entry. |
Default Value | Automatically select an appropriate set of secure TLS cipher suites to enable by default. |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | The Directory Server must be restarted for changes to this setting to take effect. For a connection handler that inherits its TLS cipher suite configuration from the crypto manager, changes to the set of enabled TLS cipher suites in the crypto manager will only take effect for that connection handler after it is disabled and re-enabled or after the server is restarted. Changes to the TLS cipher suites allowed for replication will only take effect after a server restart. |
outbound-ssl-protocol
Description | Specifies the names of the TLS protocols that will be enabled for outbound connections initiated by the Directory Server. If no values are provided, the server will automatically select an appropriate set of secure TLS protocols to enable by default. Allowed values depend on what is supported in the underlying JVM and can be found in the "cn=SSL Context,cn=monitor" entry, but supported values typically include some or all of the following:
|
Default Value | Automatically select an appropriate set of secure TLS protocols to enable by default. |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Changes to this property take effect immediately but only impact new outbound TLS sessions negotiated after the change. |
outbound-ssl-cipher-suite
Description | Specifies the names of the TLS cipher suites that will be enabled for outbound connections initiated by the Directory Server. If no values are provided, the server will automatically select a set of cipher suites that provide a combination of good security and client compatibility. You can specify the exact set of TLS cipher suites that should be enabled by providing the names of those suites as the value for this property. Alternatively, you can amend the set of TLS cipher suites that would be chosen by default by specifying values that are prepended with either a '+' or a '-' character. Using a '+' will add the specified suite to the default set. Likewise, a '-' will remove the specified suite from the default set. Exact values cannot be combined with a set of modifications to the default suites. The set of cipher suites available for use in the JVM can be found in the "cn=SSL Context,cn=monitor" entry. |
Default Value | Automatically select an appropriate set of secure TLS cipher suites to enable by default. |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Changes to this property take effect immediately but only impact new outbound TLS sessions negotiated after the change. |
enable-sha-1-cipher-suites
Description | Indicates whether to enable support for TLS cipher suites that use the SHA-1 digest algorithm. The SHA-1 digest algorithm is no longer considered secure and is not recommended for use. This property controls the default behavior for TLS sessions associated with both inbound and outbound TLS sessions. It may be overridden by setting an explicit set of TLS cipher suites to use in the ssl-cipher-suite or outbound-ssl-cipher-suite properties. If those properties are used to augment the default set of cipher suites, then this property controls whether SHA-1 suites may be included in the base set of default suites to be augmented. |
Default Value | false |
Allowed Values | true false |
Multi-Valued | No |
Required | No |
Admin Action Required | The Directory Server must be restarted for changes to this setting to take effect. For outbound connections, changes to this property take effect immediately but only impact new TLS sessions negotiated after the change.
For inbound connections to a connection handler that inherits its TLS cipher suite configuration from the crypto manager, changes to the set of enabled TLS cipher suites in the crypto manager will only take effect for that connection handler after it is disabled and re-enabled or after the server is restarted. Changes to the TLS cipher suites allowed for replication will only take effect after a server restart. |
enable-rsa-key-exchange-cipher-suites
Description | Indicates whether to enable support for TLS cipher suites that use the RSA key exchange algorithm. Cipher suites that rely on RSA key exchange are not recommended because they do not support forward secrecy, which means that if the private key is compromised, then any communication negotiated using that private key should also be considered compromised. This property controls the default behavior for TLS sessions associated with both inbound and outbound TLS sessions. It may be overridden by setting an explicit set of TLS cipher suites to use in the ssl-cipher-suite or outbound-ssl-cipher-suite properties. If those properties are used to augment the default set of cipher suites, then this property controls whether SHA-1 suites may be included in the base set of default suites to be augmented. |
Default Value | false |
Allowed Values | true false |
Multi-Valued | No |
Required | No |
Admin Action Required | The Directory Server must be restarted for changes to this setting to take effect. For outbound connections, changes to this property take effect immediately but only impact new TLS sessions negotiated after the change.
For inbound connections to a connection handler that inherits its TLS cipher suite configuration from the crypto manager, changes to the set of enabled TLS cipher suites in the crypto manager will only take effect for that connection handler after it is disabled and re-enabled or after the server is restarted. Changes to the TLS cipher suites allowed for replication will only take effect after a server restart. |
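The interaction between the ssl-cipher-suite value syntax and the two enable-* flags described above, modelled as an added Python example (not the server's code). The base suite list is constructed, and classifying suites by the `_SHA` suffix and `TLS_RSA_WITH_` prefix of their standard names is an assumption of this model.

```python
# Added illustration: a model of the documented rules, not the server's code.
# AVAILABLE is a constructed stand-in for the suites the JVM would offer.
AVAILABLE = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",   # SHA-1 based
    "TLS_RSA_WITH_AES_128_GCM_SHA256",      # RSA key exchange
    "TLS_RSA_WITH_AES_128_CBC_SHA",         # both
]

def uses_sha1(suite):
    # Assumption: standard suite names end in "_SHA" when SHA-1 is used.
    return suite.endswith("_SHA")

def uses_rsa_key_exchange(suite):
    # Assumption: "TLS_RSA_WITH_" marks RSA key exchange (no forward secrecy).
    return suite.startswith("TLS_RSA_WITH_")

def resolve_suites(values, enable_sha1=False, enable_rsa_kx=False):
    """Return the enabled suites for a list of ssl-cipher-suite values."""
    # The two flags only shape the base default set.
    base = [s for s in AVAILABLE
            if (enable_sha1 or not uses_sha1(s))
            and (enable_rsa_kx or not uses_rsa_key_exchange(s))]
    if not values:
        return base
    mods = [v for v in values if v.startswith(("+", "-"))]
    if mods and len(mods) != len(values):
        raise ValueError("exact suite names cannot be combined with +/- values")
    if not mods:
        # An explicit list overrides the flags entirely.
        return list(values)
    result = list(base)
    for v in mods:
        name = v[1:]
        if v[0] == "+" and name not in result:
            result.append(name)
        elif v[0] == "-" and name in result:
            result.remove(name)
    return result

def audit(suites):
    """List enabled suites that the page marks as not recommended."""
    return [s for s in suites if uses_sha1(s) or uses_rsa_key_exchange(s)]
```

Running `audit` over the resolved set is a quick review step after any explicit ssl-cipher-suite change, because an explicit list bypasses both flags.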
ssl-cert-nickname
Description | Specifies the nickname (also called the alias) of the certificate that the Crypto Manager should use when performing SSL communication. This is only applicable when the Crypto Manager is configured to use SSL. |
Default Value | Let the server decide. |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | The Crypto Manager must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server. |
digest-algorithm (Advanced Property)
Description | Specifies the preferred message digest algorithm for the Directory Server. |
Default Value | SHA-1 |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Changes to this property take effect immediately and only affect cryptographic operations performed after the change. |
mac-algorithm (Advanced Property)
Description | Specifies the preferred MAC algorithm for the Directory Server. |
Default Value | HmacSHA1 |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Changes to this property take effect immediately but only affect cryptographic operations performed after the change. |
mac-key-length (Advanced Property)
Description | Specifies the key length in bits for the preferred MAC algorithm. |
Default Value | 128 |
Allowed Values | An integer value. Lower limit is 0. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Changes to this property take effect immediately but only affect cryptographic operations performed after the change. |
cipher-transformation (Advanced Property)
Description | Specifies the cipher for the Directory Server using the syntax algorithm/mode/padding. The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding. |
Default Value | AES/CBC/PKCS5Padding |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Changes to this property take effect immediately but only affect cryptographic operations performed after the change. |
cipher-key-length (Advanced Property)
Description | Specifies the key length in bits for the preferred cipher. |
Default Value | 128 |
Allowed Values | An integer value. Lower limit is 0. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Changes to this property take effect immediately but only affect cryptographic operations performed after the change. |
key-wrapping-transformation (Advanced Property)
Description | The preferred key wrapping transformation for the Directory Server. This value must be the same for all server instances in a replication topology. |
Default Value | RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Changes to this property will take effect immediately but will only affect cryptographic operations performed after the change. |
To view the Crypto Manager configuration:
dsconfig get-crypto-manager-prop [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the Crypto Manager configuration:
dsconfig set-crypto-manager-prop (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...