external-software/github_OpenIdentityPlatform_OpenDJ.git

parent: 93108a82 | patch | commit | ignore whitespace

CR-1063 Fix for OPENDJ-650: Update root DSE example in dev guide

Mark Craig

13.35.2012 b9090734f4b288d3392803146744a4344e4b5ac8

CR-1063 Fix for OPENDJ-650: Update root DSE example in dev guide

2 files modified

	opendj3/src/main/docbkx/admin-guide/chap-listeners.xml	84 ●●●●● patch \| view \| raw \| blame \| history
	opendj3/src/main/docbkx/dev-guide/chap-getting-directory-info.xml	46 ●●●●● patch \| view \| raw \| blame \| history

 opendj3/src/main/docbkx/admin-guide/chap-listeners.xml

@@ -304,7 +304,89 @@
   </step>
  </procedure>
 </section>
 

 <section xml:id="tls-protocols-cipher-suites">
  <title>TLS Protocols &amp; Cipher Suites</title>
  <indexterm>
   <primary>TLS</primary>
  </indexterm>

  <para>By default OpenDJ supports the SSL and TLS protocols and the cipher
  suites supported by the underlying Java virtual machine. For details see the
  documentation for the Java virtual machine in which you run OpenDJ. For Oracle
  Java, see the <citetitle>Java Cryptography Architecture Oracle Providers
  Documentation</citetitle> for the <link xlink:show="new"
  xlink:href="http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider"
  >The <literal>SunJSSE</literal> Provider</link>.</para>

  <para>To list the available protocols and cipher suites, read the
  <literal>supportedTLSProtocols</literal> and
  <literal>supportedTLSCiphers</literal> attributes of the root DSE. Install
  unlimited strength Java cryptography extensions for stronger ciphers.</para>

  <screen
  >$ ldapsearch --port 1389 --baseDN "" --searchScope base "(objectclass=*)"
 supportedTLSCiphers supportedTLSProtocols
dn:
supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA256
supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
supportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
supportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
supportedTLSCiphers: SSL_RSA_WITH_RC4_128_SHA
supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
supportedTLSCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedTLSCiphers: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
supportedTLSProtocols: SSLv2Hello
supportedTLSProtocols: SSLv3
supportedTLSProtocols: TLSv1
supportedTLSProtocols: TLSv1.1
supportedTLSProtocols: TLSv1.2
</screen>

  <para>You can restrict the list of protocols and cipher suites used by setting
  the <literal>ssl-protocol</literal> and <literal>ssl-cipher-suite</literal>
  connection handler properties to include only the protocols or cipher suites
  you want.</para>

  <para>For example, to restrict the cipher suites to
  <literal>TLS_EMPTY_RENEGOTIATION_INFO_SCSV</literal> and
  <literal>TLS_RSA_WITH_AES_256_CBC_SHA</literal> use the <command>dsconfig
  set-connection-handler-prop</command> command as shown in the following
  example.</para>

  <screen>$ dsconfig
   set-connection-handler-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "LDAPS Connection Handler"
 --add ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 --add ssl-cipher-suite:TLS_RSA_WITH_AES_256_CBC_SHA
 --no-prompt
 --trustAll</screen>
 </section>

  <section xml:id="setup-dsml">
  <title>DSML Client Access</title>
  <indexterm><primary>DSML</primary></indexterm>

 opendj3/src/main/docbkx/dev-guide/chap-getting-directory-info.xml

@@ -134,12 +134,42 @@
supportedSASLMechanisms: CRAM-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
etag: 00000000e9155ba0
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
subschemaSubentry: cn=schema
changelog: cn=changelog
supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA256
supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
supportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
supportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
supportedTLSCiphers: SSL_RSA_WITH_RC4_128_SHA
supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
supportedTLSCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedTLSCiphers: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
ds-private-naming-contexts: cn=admin data
ds-private-naming-contexts: cn=ads-truststore
ds-private-naming-contexts: cn=backups
@@ -147,21 +177,31 @@
ds-private-naming-contexts: cn=monitor
ds-private-naming-contexts: cn=schema
ds-private-naming-contexts: cn=tasks
ds-private-naming-contexts: dc=replicationChanges
supportedTLSProtocols: SSLv2Hello
supportedTLSProtocols: SSLv3
supportedTLSProtocols: TLSv1
supportedTLSProtocols: TLSv1.1
supportedTLSProtocols: TLSv1.2
numSubordinates: 1
structuralObjectClass: ds-root-dse
namingContexts: dc=example,dc=com
structuralObjectClass: ds-root-dse
lastExternalChangelogCookie: 
lastChangeNumber: 0
firstChangeNumber: 0
supportedExtension: 1.3.6.1.1.8
supportedExtension: 1.3.6.1.4.1.26027.1.6.1
supportedExtension: 1.3.6.1.4.1.26027.1.6.2
supportedExtension: 1.3.6.1.4.1.26027.1.6.3
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
vendorName: ForgeRock AS.
vendorVersion: OpenDJ 2.5.0
hasSubordinates: true
entryDN: 
entryUUID: d41d8cd9-8f00-3204-a980-0998ecf8427e
entryDN: </screen>
</screen>

  <para>Three key pieces of information in the entry shown above are attribute
  values for <literal>namingContexts</literal> (showing the base DNs under

			@@ -304,7 +304,89 @@
			</step>
			</procedure>
			</section>


			<section xml:id="tls-protocols-cipher-suites">
			<title>TLS Protocols & Cipher Suites</title>
			<indexterm>
			<primary>TLS</primary>
			</indexterm>

			<para>By default OpenDJ supports the SSL and TLS protocols and the cipher
			suites supported by the underlying Java virtual machine. For details see the
			documentation for the Java virtual machine in which you run OpenDJ. For Oracle
			Java, see the <citetitle>Java Cryptography Architecture Oracle Providers
			Documentation</citetitle> for the <link xlink:show="new"
			xlink:href="http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider"
			>The <literal>SunJSSE</literal> Provider</link>.</para>

			<para>To list the available protocols and cipher suites, read the
			<literal>supportedTLSProtocols</literal> and
			<literal>supportedTLSCiphers</literal> attributes of the root DSE. Install
			unlimited strength Java cryptography extensions for stronger ciphers.</para>

			<screen
			>$ ldapsearch --port 1389 --baseDN "" --searchScope base "(objectclass=*)"
			supportedTLSCiphers supportedTLSProtocols
			dn:
			supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
			supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
			supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA256
			supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
			supportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
			supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
			supportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
			supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
			supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
			supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
			supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
			supportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
			supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
			supportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
			supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
			supportedTLSCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
			supportedTLSCiphers: SSL_RSA_WITH_RC4_128_SHA
			supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
			supportedTLSCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
			supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
			supportedTLSCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
			supportedTLSCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
			supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
			supportedTLSCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
			supportedTLSCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
			supportedTLSCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
			supportedTLSCiphers: SSL_RSA_WITH_RC4_128_MD5
			supportedTLSCiphers: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
			supportedTLSProtocols: SSLv2Hello
			supportedTLSProtocols: SSLv3
			supportedTLSProtocols: TLSv1
			supportedTLSProtocols: TLSv1.1
			supportedTLSProtocols: TLSv1.2
			</screen>

			<para>You can restrict the list of protocols and cipher suites used by setting
			the <literal>ssl-protocol</literal> and <literal>ssl-cipher-suite</literal>
			connection handler properties to include only the protocols or cipher suites
			you want.</para>

			<para>For example, to restrict the cipher suites to
			<literal>TLS_EMPTY_RENEGOTIATION_INFO_SCSV</literal> and
			<literal>TLS_RSA_WITH_AES_256_CBC_SHA</literal> use the <command>dsconfig
			set-connection-handler-prop</command> command as shown in the following
			example.</para>

			<screen>$ dsconfig
			set-connection-handler-prop
			--port 4444
			--hostname opendj.example.com
			--bindDN "cn=Directory Manager"
			--bindPassword password
			--handler-name "LDAPS Connection Handler"
			--add ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV
			--add ssl-cipher-suite:TLS_RSA_WITH_AES_256_CBC_SHA
			--no-prompt
			--trustAll</screen>
			</section>

			<section xml:id="setup-dsml">
			<title>DSML Client Access</title>
			<indexterm><primary>DSML</primary></indexterm>

			@@ -134,12 +134,42 @@
			supportedSASLMechanisms: CRAM-MD5
			supportedLDAPVersion: 2
			supportedLDAPVersion: 3
			etag: 00000000e9155ba0
			pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
			supportedFeatures: 1.3.6.1.1.14
			supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
			supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
			supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
			subschemaSubentry: cn=schema
			changelog: cn=changelog
			supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
			supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
			supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA256
			supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
			supportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
			supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
			supportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
			supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
			supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
			supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
			supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
			supportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
			supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
			supportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
			supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
			supportedTLSCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
			supportedTLSCiphers: SSL_RSA_WITH_RC4_128_SHA
			supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
			supportedTLSCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
			supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
			supportedTLSCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
			supportedTLSCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
			supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
			supportedTLSCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
			supportedTLSCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
			supportedTLSCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
			supportedTLSCiphers: SSL_RSA_WITH_RC4_128_MD5
			supportedTLSCiphers: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
			ds-private-naming-contexts: cn=admin data
			ds-private-naming-contexts: cn=ads-truststore
			ds-private-naming-contexts: cn=backups
			@@ -147,21 +177,31 @@
			ds-private-naming-contexts: cn=monitor
			ds-private-naming-contexts: cn=schema
			ds-private-naming-contexts: cn=tasks
			ds-private-naming-contexts: dc=replicationChanges
			supportedTLSProtocols: SSLv2Hello
			supportedTLSProtocols: SSLv3
			supportedTLSProtocols: TLSv1
			supportedTLSProtocols: TLSv1.1
			supportedTLSProtocols: TLSv1.2
			numSubordinates: 1
			structuralObjectClass: ds-root-dse
			namingContexts: dc=example,dc=com
			structuralObjectClass: ds-root-dse
			lastExternalChangelogCookie:
			lastChangeNumber: 0
			firstChangeNumber: 0
			supportedExtension: 1.3.6.1.1.8
			supportedExtension: 1.3.6.1.4.1.26027.1.6.1
			supportedExtension: 1.3.6.1.4.1.26027.1.6.2
			supportedExtension: 1.3.6.1.4.1.26027.1.6.3
			supportedExtension: 1.3.6.1.4.1.4203.1.11.1
			supportedExtension: 1.3.6.1.4.1.4203.1.11.3
			supportedExtension: 1.3.6.1.4.1.1466.20037
			supportedExtension: 1.3.6.1.4.1.4203.1.11.3
			vendorName: ForgeRock AS.
			vendorVersion: OpenDJ 2.5.0
			hasSubordinates: true
			entryDN:
			entryUUID: d41d8cd9-8f00-3204-a980-0998ecf8427e
			entryDN: </screen>
			</screen>

			<para>Three key pieces of information in the entry shown above are attribute
			values for <literal>namingContexts</literal> (showing the base DNs under