From ee817dac6a5a37dab7315162e4d4d8dbb478479d Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Thu, 13 Dec 2012 09:35:58 +0000
Subject: [PATCH] CR-1063 Fix for OPENDJ-650: Update root DSE example in dev guide
---
opendj-sdk/opendj3/src/main/docbkx/dev-guide/chap-getting-directory-info.xml | 46 ++++++++++++++-
opendj-sdk/opendj3/src/main/docbkx/admin-guide/chap-listeners.xml | 84 +++++++++++++++++++++++++++
2 files changed, 126 insertions(+), 4 deletions(-)
diff --git a/opendj-sdk/opendj3/src/main/docbkx/admin-guide/chap-listeners.xml b/opendj-sdk/opendj3/src/main/docbkx/admin-guide/chap-listeners.xml
index b75f274..6ca45b6 100644
--- a/opendj-sdk/opendj3/src/main/docbkx/admin-guide/chap-listeners.xml
+++ b/opendj-sdk/opendj3/src/main/docbkx/admin-guide/chap-listeners.xml
@@ -304,7 +304,89 @@
</step>
</procedure>
</section>
-
+
+ <section xml:id="tls-protocols-cipher-suites">
+ <title>TLS Protocols & Cipher Suites</title>
+ <indexterm>
+ <primary>TLS</primary>
+ </indexterm>
+
+ <para>By default OpenDJ supports the SSL and TLS protocols and the cipher
+ suites supported by the underlying Java virtual machine. For details see the
+ documentation for the Java virtual machine in which you run OpenDJ. For Oracle
+ Java, see the <citetitle>Java Cryptography Architecture Oracle Providers
+ Documentation</citetitle> for the <link xlink:show="new"
+ xlink:href="http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider"
+ >The <literal>SunJSSE</literal> Provider</link>.</para>
+
+ <para>To list the available protocols and cipher suites, read the
+ <literal>supportedTLSProtocols</literal> and
+ <literal>supportedTLSCiphers</literal> attributes of the root DSE. Install
+ unlimited strength Java cryptography extensions for stronger ciphers.</para>
+
+ <screen
+ >$ ldapsearch --port 1389 --baseDN "" --searchScope base "(objectclass=*)"
+ supportedTLSCiphers supportedTLSProtocols
+dn:
+supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+supportedTLSCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
+supportedTLSCiphers: SSL_RSA_WITH_RC4_128_SHA
+supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+supportedTLSCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
+supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: SSL_RSA_WITH_RC4_128_MD5
+supportedTLSCiphers: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+supportedTLSProtocols: SSLv2Hello
+supportedTLSProtocols: SSLv3
+supportedTLSProtocols: TLSv1
+supportedTLSProtocols: TLSv1.1
+supportedTLSProtocols: TLSv1.2
+</screen>
+
+ <para>You can restrict the list of protocols and cipher suites used by setting
+ the <literal>ssl-protocol</literal> and <literal>ssl-cipher-suite</literal>
+ connection handler properties to include only the protocols or cipher suites
+ you want.</para>
+
+ <para>For example, to restrict the cipher suites to
+ <literal>TLS_EMPTY_RENEGOTIATION_INFO_SCSV</literal> and
+ <literal>TLS_RSA_WITH_AES_256_CBC_SHA</literal> use the <command>dsconfig
+ set-connection-handler-prop</command> command as shown in the following
+ example.</para>
+
+ <screen>$ dsconfig
+ set-connection-handler-prop
+ --port 4444
+ --hostname opendj.example.com
+ --bindDN "cn=Directory Manager"
+ --bindPassword password
+ --handler-name "LDAPS Connection Handler"
+ --add ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+ --add ssl-cipher-suite:TLS_RSA_WITH_AES_256_CBC_SHA
+ --no-prompt
+ --trustAll</screen>
+ </section>
+
<section xml:id="setup-dsml">
<title>DSML Client Access</title>
<indexterm><primary>DSML</primary></indexterm>
diff --git a/opendj-sdk/opendj3/src/main/docbkx/dev-guide/chap-getting-directory-info.xml b/opendj-sdk/opendj3/src/main/docbkx/dev-guide/chap-getting-directory-info.xml
index 48ae9c2..edc9b06 100644
--- a/opendj-sdk/opendj3/src/main/docbkx/dev-guide/chap-getting-directory-info.xml
+++ b/opendj-sdk/opendj3/src/main/docbkx/dev-guide/chap-getting-directory-info.xml
@@ -134,12 +134,42 @@
supportedSASLMechanisms: CRAM-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
+etag: 00000000e9155ba0
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
subschemaSubentry: cn=schema
+changelog: cn=changelog
+supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+supportedTLSCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
+supportedTLSCiphers: SSL_RSA_WITH_RC4_128_SHA
+supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+supportedTLSCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
+supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: SSL_RSA_WITH_RC4_128_MD5
+supportedTLSCiphers: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
ds-private-naming-contexts: cn=admin data
ds-private-naming-contexts: cn=ads-truststore
ds-private-naming-contexts: cn=backups
@@ -147,21 +177,31 @@
ds-private-naming-contexts: cn=monitor
ds-private-naming-contexts: cn=schema
ds-private-naming-contexts: cn=tasks
+ds-private-naming-contexts: dc=replicationChanges
+supportedTLSProtocols: SSLv2Hello
+supportedTLSProtocols: SSLv3
+supportedTLSProtocols: TLSv1
+supportedTLSProtocols: TLSv1.1
+supportedTLSProtocols: TLSv1.2
numSubordinates: 1
-structuralObjectClass: ds-root-dse
namingContexts: dc=example,dc=com
+structuralObjectClass: ds-root-dse
+lastExternalChangelogCookie:
+lastChangeNumber: 0
+firstChangeNumber: 0
supportedExtension: 1.3.6.1.1.8
supportedExtension: 1.3.6.1.4.1.26027.1.6.1
supportedExtension: 1.3.6.1.4.1.26027.1.6.2
supportedExtension: 1.3.6.1.4.1.26027.1.6.3
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
-supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.4.1.1466.20037
+supportedExtension: 1.3.6.1.4.1.4203.1.11.3
vendorName: ForgeRock AS.
vendorVersion: OpenDJ 2.5.0
hasSubordinates: true
+entryDN:
entryUUID: d41d8cd9-8f00-3204-a980-0998ecf8427e
-entryDN: </screen>
+</screen>
<para>Three key pieces of information in the entry shown above are attribute
values for <literal>namingContexts</literal> (showing the base DNs under