Disabling SSLv3 on eDirectory 9.0 & FIPS mode

  • 7017230
  • 05-Feb-2016

Environment

NetIQ eDirectory 9.0
NetIQ iManager 3.0

Situation

When using iManager 3.0 to disable SSLv3 on the LDAP Server object, no Connections tab is visible.

How is SSLv3 disabled on eDirectory's HTTP stack?

How can the server be protected from the POODLE vulnerability?

How is FIPS mode disabled?

Resolution

HTTP: eDirectory 9.0 has removed SSLv3 from the list of supported protocols for the HTTP stack. 

LDAP: eDirectory 9.0 is installed in FIPS mode by default. Therefore, SSLv3 is not allowed and is disabled.
However, older LDAP clients may still be in use that do not support TLS or the newer certificates. Therefore, FIPS mode can be turned off and LDAP can be configured so that SSLv3 is once again allowed.

FIPS mode can also be turned off with SSLv3 left disabled, so that the system is less restrictive on protocols but the server remains protected from the POODLE vulnerability.

1. Turn FIPS mode off by editing the nds.conf file and setting the following value:
   n4u.server.eba_enabled=0
   Then restart NDSD.

2. Log into iManager 3.0 and navigate to LDAP - LDAP Options - Connections. Then select whether to disable SSLv3 on LDAP. It is recommended to do so if older clients are no longer in use.

If the Connections tab is still not visible in iManager, then Tomcat must be restarted as well.
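The nds.conf edit in step 1, as an added shell example that is not part of this article or of eDirectory itself: it sets the key idempotently (rewriting an existing line rather than appending a duplicate), keeps a backup, and offers a check that the value is in effect before NDSD is restarted. The default path of nds.conf is assumed and can be overridden with the NDS_CONF variable.

```shell
#!/bin/sh
# Added example (not from the KB article): idempotently set a key in nds.conf.
# Assumed default location on Linux; override with NDS_CONF when testing.
NDS_CONF="${NDS_CONF:-/etc/opt/novell/eDirectory/conf/nds.conf}"

# set_nds_option FILE KEY VALUE
# Writes a timestamped backup, then replaces an existing "KEY=..." line
# or appends one if the key is not present yet.
set_nds_option() {
    file=$1 key=$2 value=$3
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    if grep -q "^${key}=" "$file"; then
        # key already present: rewrite its value in place, no duplicate line
        sed -i "s|^${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_nds_option FILE KEY
# Prints the value of KEY (the last occurrence wins; empty if absent).
get_nds_option() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# fips_disabled FILE
# Exit status 0 when the article's setting (eba_enabled=0) is in the file.
fips_disabled() {
    [ "$(get_nds_option "$1" n4u.server.eba_enabled)" = "0" ]
}

# On the server (then restart NDSD as step 1 requires):
#   set_nds_option "$NDS_CONF" n4u.server.eba_enabled 0 && fips_disabled "$NDS_CONF"
```

After the restart, a client-side probe such as `openssl s_client -connect <server>:636 -ssl3` should fail to handshake once SSLv3 is disabled in step 2; this only works with an OpenSSL build that still includes SSLv3 support.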