Cannot configure high security ciphers for Novell Identity server

  • 7000077
  • 14-Apr-2008
  • 26-Apr-2012

Environment

Novell Access Management 3 Linux Novell Identity Server
Novell Access Manager 3

Situation

With the Access Manager Identity Server, a large range of high and lower security ciphers is supported for SSL connections to the service. No option exists, as there is with the Access Gateway, to allow only high security connections to the box. Since the Identity Server is a Tomcat based application, one could theoretically restrict ciphers at the Tomcat level so that the application sitting on top of Tomcat could benefit.

A test was done where the NIDP connector in the Identity Server Tomcat's server.xml file was modified to specifically include a cipher, e.g. ciphers="SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA". Restarting the Tomcat engine confirmed that the Identity Server reinitialised correctly. However, using openssl to view the ciphers supported by the Tomcat server showed the same list of ciphers that was available before the above change, i.e. the change had no impact whatsoever.
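The check described above, verifying from the outside whether a cipher restriction actually took effect, is the part worth automating. The script below is an added example, not part of the original TID and not Novell code: it classifies cipher suite names into weak (EXPORT, DES40/single DES, NULL, RC4, anonymous DH) and acceptable, and, when given a host, walks the suites the local openssl knows and reports which ones the server still accepts. The sample list `SAMPLE_CIPHERS` is constructed for illustration (it only includes the suite named in the test above; the rest are assumed), the port 8443 default and the `-no_tls1_3` flag assume a current openssl client rather than the 2008-era one.

```shell
#!/bin/sh
# Added example (not from the original TID): classify cipher suites and,
# optionally, probe a TLS endpoint to confirm a server-side cipher restriction.

# Constructed sample list for illustration; only the first suite comes from the TID.
SAMPLE_CIPHERS="SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_WITH_NULL_MD5 TLS_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA"

# Return 0 (true) when the suite name indicates a weak suite: export-grade,
# DES40 or single DES, NULL encryption, RC4, or anonymous (unauthenticated) DH.
# Handles both IANA-style (TLS_..._WITH_...) and OpenSSL-style (EXP-DES-CBC-SHA) names.
is_weak_cipher() {
    case "$1" in
        *EXPORT*|EXP-*|*DES40*|*NULL*|*RC4*|*anon*|ADH-*|AECDH-*) return 0 ;;
        *_DES_CBC_*|DES-CBC-SHA|DES-CBC-MD5)                       return 0 ;;
        *)                                                         return 1 ;;
    esac
}

# Print the weak suites found in a whitespace-separated list of suite names.
weak_ciphers_in() {
    for c in $1; do
        if is_weak_cipher "$c"; then printf '%s\n' "$c"; fi
    done
}

# Number of weak suites in a list (a compact summary that is easy to assert on).
count_weak() {
    weak_ciphers_in "$1" | wc -l | tr -d ' '
}

# Probe a live endpoint: try every suite the local openssl knows and print those
# the server accepts. Needs network access and an openssl binary; not run by default.
# -no_tls1_3 (assumed available, openssl >= 1.1.1) keeps a TLS 1.3 negotiation from
# masking the per-suite result, since -cipher only governs TLS 1.2 and older suites.
probe_server_ciphers() {
    host="$1"; port="${2:-8443}"
    for c in $(openssl ciphers 'ALL:COMPLEMENTOFALL' | tr ':' ' '); do
        if echo | openssl s_client -connect "$host:$port" -no_tls1_3 -cipher "$c" >/dev/null 2>&1; then
            printf '%s\n' "$c"
        fi
    done
}

# Usage: sh cipher_check.sh [host [port]]
# With no arguments, classify the constructed sample list; with a host, probe it
# and flag any weak suite the server still negotiates after the configuration change.
if [ -n "$1" ]; then
    accepted=$(probe_server_ciphers "$1" "$2")
    printf 'accepted suites:\n%s\n' "$accepted"
    printf 'weak suites still accepted: %s\n' "$(count_weak "$accepted")"
else
    printf 'weak suites in sample list:\n'
    weak_ciphers_in "$SAMPLE_CIPHERS"
fi
```

Run it once before and once after editing the connector's `ciphers` attribute and restarting Tomcat; if the two accepted-suite lists are identical, as they were in the test above, the attribute is being ignored and the restriction is not in effect.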

Resolution

The version of Tomcat that our Identity Server ships with (1.4) has issues with the cipher option (http://tomcat.apache.org/tomcat-4.1-doc/ssl-howto.html#Edit%20the%20Tomcat%20Configuration%20File). Tomcat 1.5 doesn't have any issues with this. The next version of Access Manager will use the updated Tomcat engine, and it will therefore be possible to restrict ciphers at this level.