Cloud Services Management V1.1.0 Installation Guide
FUJITSU Software

Appendix D Configuring SVOM

When the version of SVOM being used by ROR is 6.10 or later and 7.10 or earlier, it is necessary to modify the TLS/SSL communication settings used by SVOM. On the coordinated ROR admin server, perform the following procedure to modify the settings.

Note

Back up the files to be modified in advance.

  1. Stop the ROR manager.

    See

    For details on how to stop the manager, refer to the manuals for ROR.

  2. Edit the following file:

    <SVOM_installation_folder>\jboss\standalone\configuration\standalone.xml

    Search for the XML section <subsystem xmlns="urn:jboss:domain:web:1.1"...> and then add the cipher-suite attribute to the <ssl...> element as follows.

    [Before modifying]

    <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <configuration>
    <jsp-configuration x-powered-by="false" display-source-fragment="false"/>
    </configuration>
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="https" password="changeit" certificate-key-file="../standalone/svconf/pki/keystore" verify-client="false"/>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="false"/>
    </subsystem>

    [After modifying]

    <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <configuration>
    <jsp-configuration x-powered-by="false" display-source-fragment="false"/>
    </configuration>
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="https" password="changeit" certificate-key-file="../standalone/svconf/pki/keystore" cipher-suite="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,TLS_RSA_WITH_NULL_SHA256,SSL_RSA_WITH_NULL_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_RSA_WITH_NULL_MD5,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_KRB5_WITH_RC4_128_SHA,TLS_KRB5_WITH_RC4_128_MD5,TLS_KRB5_WITH_3DES_EDE_CBC_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_MD5,TLS_KRB5_WITH_DES_CBC_SHA,TLS_KRB5_WITH_DES_CBC_MD5,TLS_KRB5_EXPORT_WITH_RC4_40_SHA,TLS_KRB5_EXPORT_WITH_RC4_40_MD5,TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" verify-client="false"/>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="false"/>
    </subsystem>

    Note

    If the cipher-suite attribute has already been specified, modify its value so that it contains only the cipher suites listed above.
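    The Note above requires that an existing cipher-suite value contain nothing outside the list given in this step. The following Python script is an added example, not part of the Fujitsu guide or of SVOM, that parses a standalone.xml of the shape shown, reports any suite outside that list, and (in memory) writes the full list when the attribute is missing or prunes it to the listed suites when it is present. The sample document is constructed; the <server> root namespace in it is a placeholder, and the script relies only on the urn:jboss:domain:web:1.1 subsystem layout shown above.

```python
"""Check/apply the cipher-suite attribute on the JBoss https connector.

Added example, not part of the Fujitsu guide or SVOM. Assumes the
standalone.xml layout shown in step 2 (urn:jboss:domain:web:1.1 subsystem
with an https connector wrapping an <ssl> element).
"""
import sys
import xml.etree.ElementTree as ET

WEB_NS = "urn:jboss:domain:web:1.1"

# Cipher suites the guide lists for cipher-suite in step 2, in the guide's order.
ALLOWED_CIPHER_SUITES = (
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    "TLS_RSA_WITH_NULL_SHA256", "SSL_RSA_WITH_NULL_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA", "SSL_RSA_WITH_NULL_MD5",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_KRB5_WITH_RC4_128_SHA", "TLS_KRB5_WITH_RC4_128_MD5",
    "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
    "TLS_KRB5_WITH_DES_CBC_SHA", "TLS_KRB5_WITH_DES_CBC_MD5",
    "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
    "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
)

# Constructed sample in the "[Before modifying]" shape. The <server> root
# namespace is a placeholder; only the web subsystem namespace is used.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:placeholder">
  <profile>
    <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
      <configuration>
        <jsp-configuration x-powered-by="false" display-source-fragment="false"/>
      </configuration>
      <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
      <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="https" password="changeit" certificate-key-file="../standalone/svconf/pki/keystore" verify-client="false"/>
      </connector>
      <virtual-server name="default-host" enable-welcome-root="false"/>
    </subsystem>
  </profile>
</server>
"""


def load_sample():
    """Parse the constructed sample document."""
    return ET.fromstring(SAMPLE_XML)


def find_https_ssl(root):
    """Return the <ssl> element of the connector named "https" in the web subsystem."""
    def tag(name):
        return "{%s}%s" % (WEB_NS, name)
    for subsystem in root.iter(tag("subsystem")):
        for connector in subsystem.findall(tag("connector")):
            if connector.get("name") == "https":
                ssl = connector.find(tag("ssl"))
                if ssl is not None:
                    return ssl
    raise ValueError("no https connector with an <ssl> element in the web subsystem")


def split_suites(value):
    """Split a comma-separated cipher-suite value, ignoring whitespace and empties."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_cipher_suites(root, allowed=ALLOWED_CIPHER_SUITES):
    """Return problem strings for the current cipher-suite attribute; [] means it passes the Note."""
    current = find_https_ssl(root).get("cipher-suite")
    if current is None:
        return ["cipher-suite attribute is missing"]
    return ["not in the step 2 list: " + v for v in split_suites(current) if v not in allowed]


def apply_cipher_suites(root, allowed=ALLOWED_CIPHER_SUITES):
    """Write the full list when the attribute is absent; otherwise keep only the
    listed suites, as the step 2 Note requires. Returns (kept, dropped)."""
    ssl = find_https_ssl(root)
    current = ssl.get("cipher-suite")
    if current is None:
        kept, dropped = list(allowed), []
    else:
        values = split_suites(current)
        kept = [v for v in values if v in allowed]
        dropped = [v for v in values if v not in allowed]
    ssl.set("cipher-suite", ",".join(kept))
    return kept, dropped


if __name__ == "__main__":
    # Usage: python check_jboss_ciphers.py [path\to\standalone.xml]
    # Without a path the constructed sample is checked.
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else load_sample()
    problems = check_cipher_suites(root)
    print("OK" if not problems else "\n".join(problems))
```

    Run it with the path to standalone.xml to report suites outside the list. ElementTree rewrites namespace prefixes when it serializes a document, so make the edit to the real file by hand as the step describes and use the script to verify the result rather than to write the file back.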

  3. Edit the following file:

    <SVOM_installation_folder>\opends\config\schema\02-config.ldif
  4. In the objectClasses declaration for "ds-cfg-administration-connector", modify the MAY line as follows.

    [Before modifying]

    objectClasses: ( 1.3.6.1.4.1.26027.1.2.183
    NAME 'ds-cfg-administration-connector'
    SUP top
    STRUCTURAL
    MUST ( cn $
    ds-cfg-listen-port $
    ds-cfg-key-manager-provider $
    ds-cfg-trust-manager-provider $
    ds-cfg-ssl-cert-nickname )
    MAY ( ds-cfg-listen-address )
    X-ORIGIN 'OpenDS Directory Server' )

    [After modifying]

    objectClasses: ( 1.3.6.1.4.1.26027.1.2.183
    NAME 'ds-cfg-administration-connector'
    SUP top
    STRUCTURAL
    MUST ( cn $
    ds-cfg-listen-port $
    ds-cfg-key-manager-provider $
    ds-cfg-trust-manager-provider $
    ds-cfg-ssl-cert-nickname )
    MAY ( ds-cfg-listen-address $ ds-cfg-ssl-cipher-suite $ ds-cfg-ssl-protocol )
    X-ORIGIN 'OpenDS Directory Server' )
  5. Edit the following file:

    <SVOM_installation_folder>\opends\config\config.ldif
  6. For the entry cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config, add the ds-cfg-ssl-cipher-suite and ds-cfg-ssl-protocol attributes as follows.

    [Before modifying]

    dn: cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config
    objectClass: ds-cfg-ldap-connection-handler
    objectClass: top
    objectClass: ds-cfg-connection-handler
    ds-cfg-ssl-client-auth-policy: optional
    ds-cfg-key-manager-provider: cn=JKS,cn=Key Manager Providers,cn=config
    ds-cfg-ssl-cert-nickname: svs_cms
    ds-cfg-trust-manager-provider: cn=JKS,cn=Trust Manager Providers,cn=config
    ds-cfg-max-blocked-write-time-limit: 2 minutes
    ds-cfg-allow-tcp-reuse-address: true
    ds-cfg-allow-start-tls: false
    ds-cfg-send-rejection-notice: true
    ds-cfg-allow-ldap-v2: true
    cn: LDAPS Connection Handler
    ds-cfg-use-tcp-no-delay: true
    ds-cfg-enabled: true
    ds-cfg-java-class: org.opends.server.protocols.ldap.LDAPConnectionHandler
    ds-cfg-keep-stats: true
    ds-cfg-max-request-size: 5 megabytes
    ds-cfg-accept-backlog: 128
    ds-cfg-buffer-size: 4096 bytes
    ds-cfg-listen-address: 0.0.0.0
    ds-cfg-num-request-handlers: 2
    ds-cfg-listen-port: 1474
    ds-cfg-use-ssl: true
    ds-cfg-use-tcp-keep-alive: true

    [After modifying]

    dn: cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config
    objectClass: ds-cfg-ldap-connection-handler
    objectClass: top
    objectClass: ds-cfg-connection-handler
    ds-cfg-ssl-client-auth-policy: optional
    ds-cfg-key-manager-provider: cn=JKS,cn=Key Manager Providers,cn=config
    ds-cfg-ssl-cert-nickname: svs_cms
    ds-cfg-trust-manager-provider: cn=JKS,cn=Trust Manager Providers,cn=config
    ds-cfg-max-blocked-write-time-limit: 2 minutes
    ds-cfg-allow-tcp-reuse-address: true
    ds-cfg-allow-start-tls: false
    ds-cfg-send-rejection-notice: true
    ds-cfg-allow-ldap-v2: true
    cn: LDAPS Connection Handler
    ds-cfg-use-tcp-no-delay: true
    ds-cfg-enabled: true
    ds-cfg-java-class: org.opends.server.protocols.ldap.LDAPConnectionHandler
    ds-cfg-keep-stats: true
    ds-cfg-max-request-size: 5 megabytes
    ds-cfg-accept-backlog: 128
    ds-cfg-buffer-size: 4096 bytes
    ds-cfg-listen-address: 0.0.0.0
    ds-cfg-num-request-handlers: 2
    ds-cfg-listen-port: 1474
    ds-cfg-use-ssl: true
    ds-cfg-ssl-cipher-suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
    ds-cfg-ssl-cipher-suite: SSL_DH_anon_WITH_RC4_128_MD5
    ds-cfg-ssl-cipher-suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
    ds-cfg-ssl-cipher-suite: SSL_RSA_WITH_NULL_MD5
    ds-cfg-ssl-cipher-suite: SSL_RSA_WITH_NULL_SHA
    ds-cfg-ssl-cipher-suite: SSL_RSA_WITH_RC4_128_MD5
    ds-cfg-ssl-cipher-suite: SSL_RSA_WITH_RC4_128_SHA
    ds-cfg-ssl-cipher-suite: TLS_ECDH_anon_WITH_NULL_SHA
    ds-cfg-ssl-cipher-suite: TLS_ECDH_anon_WITH_RC4_128_SHA
    ds-cfg-ssl-cipher-suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
    ds-cfg-ssl-cipher-suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    ds-cfg-ssl-cipher-suite: TLS_ECDH_RSA_WITH_NULL_SHA
    ds-cfg-ssl-cipher-suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
    ds-cfg-ssl-cipher-suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
    ds-cfg-ssl-cipher-suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    ds-cfg-ssl-cipher-suite: TLS_ECDHE_RSA_WITH_NULL_SHA
    ds-cfg-ssl-cipher-suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
    ds-cfg-ssl-cipher-suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
    ds-cfg-ssl-cipher-suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
    ds-cfg-ssl-cipher-suite: TLS_KRB5_WITH_RC4_128_MD5
    ds-cfg-ssl-cipher-suite: TLS_KRB5_WITH_RC4_128_SHA
    ds-cfg-ssl-cipher-suite: TLS_RSA_WITH_NULL_SHA256
    ds-cfg-ssl-protocol: SSLv2Hello
    ds-cfg-ssl-protocol: SSLv3
    ds-cfg-ssl-protocol: TLSv1
    ds-cfg-use-tcp-keep-alive: true

    Note

    If the ds-cfg-ssl-cipher-suite or ds-cfg-ssl-protocol attribute has already been specified, modify the attribute values so that they contain only the cipher suites and communication protocols listed above.

  7. In the same configuration file, modify the ds-cfg-listen-address attribute of the entry dn: cn=Administration Connector,cn=config as follows.

    [Before modifying]

    dn: cn=Administration Connector,cn=config
    objectClass: ds-cfg-administration-connector
    objectClass: top
    ds-cfg-listen-address: 0.0.0.0
    ds-cfg-listen-port: 4444
    cn: Administration Connector
    ds-cfg-key-manager-provider: cn=Administration,cn=Key Manager Providers,cn=config
    ds-cfg-ssl-cert-nickname: svs_cms
    ds-cfg-trust-manager-provider: cn=Administration,cn=Trust Manager Providers,cn=config

    [After modifying]

    dn: cn=Administration Connector,cn=config
    objectClass: ds-cfg-administration-connector
    objectClass: top
    ds-cfg-listen-address: 127.0.0.1
    ds-cfg-listen-port: 4444
    cn: Administration Connector
    ds-cfg-key-manager-provider: cn=Administration,cn=Key Manager Providers,cn=config
    ds-cfg-ssl-cert-nickname: svs_cms
    ds-cfg-trust-manager-provider: cn=Administration,cn=Trust Manager Providers,cn=config
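    Steps 6 and 7 both edit config.ldif, and the Note in step 6 requires that any existing ds-cfg-ssl-cipher-suite and ds-cfg-ssl-protocol values stay within the lists shown there. The following Python script is an added example, not Fujitsu's or OpenDS's code, that parses an LDIF file (joining folded continuation lines and skipping comments), then checks the LDAPS Connection Handler entry against the step 6 lists and the Administration Connector entry against the step 7 listen address. The LDIF sample inside it is constructed and deliberately contains one cipher suite and one protocol outside the lists, plus the step 7 change not yet made, so the output shows what each check reports.

```python
"""Check config.ldif against steps 6 and 7 of the guide.

Added example, not Fujitsu's or OpenDS's code. Assumes the entry DNs and
attribute names shown in the guide; the LDIF sample is constructed.
"""
import sys

LDAPS_HANDLER_DN = "cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config"
ADMIN_CONNECTOR_DN = "cn=Administration Connector,cn=config"

# Values the guide lists for the LDAPS Connection Handler in step 6.
ALLOWED_SUITES = frozenset((
    "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", "SSL_DH_anon_WITH_RC4_128_MD5",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_WITH_NULL_MD5",
    "SSL_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA", "TLS_ECDH_anon_WITH_NULL_SHA",
    "TLS_ECDH_anon_WITH_RC4_128_SHA", "TLS_ECDH_ECDSA_WITH_NULL_SHA",
    "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "TLS_ECDH_RSA_WITH_NULL_SHA",
    "TLS_ECDH_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_NULL_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
    "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", "TLS_KRB5_WITH_RC4_128_MD5",
    "TLS_KRB5_WITH_RC4_128_SHA", "TLS_RSA_WITH_NULL_SHA256",
))
ALLOWED_PROTOCOLS = frozenset(("SSLv2Hello", "SSLv3", "TLSv1"))
ADMIN_LISTEN_ADDRESS = "127.0.0.1"  # the step 7 value

# Constructed sample: a trimmed config.ldif with one folded line, one cipher
# suite and one protocol outside the step 6 lists, and step 7 not yet applied.
SAMPLE_CONFIG_LDIF = """\
# constructed sample, not a real SVOM config.ldif
dn: cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config
objectClass: ds-cfg-ldap-connection-handler
objectClass: top
objectClass: ds-cfg-connection-handler
cn: LDAPS Connection Handler
ds-cfg-trust-manager-provider: cn=JKS,cn=Trust Manager Providers,
 cn=config
ds-cfg-listen-port: 1474
ds-cfg-use-ssl: true
ds-cfg-ssl-cipher-suite: SSL_RSA_WITH_RC4_128_SHA
ds-cfg-ssl-cipher-suite: TLS_RSA_WITH_NULL_SHA256
ds-cfg-ssl-cipher-suite: TLS_RSA_WITH_AES_128_CBC_SHA
ds-cfg-ssl-protocol: SSLv3
ds-cfg-ssl-protocol: TLSv1
ds-cfg-ssl-protocol: TLSv1.2

dn: cn=Administration Connector,cn=config
objectClass: ds-cfg-administration-connector
objectClass: top
ds-cfg-listen-address: 0.0.0.0
ds-cfg-listen-port: 4444
cn: Administration Connector
"""


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...]), ...] in file order. Folded lines
    (leading space) are joined, comments skipped, base64 values (attr::) not decoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, dn, attrs = [], None, []
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs.append((name.strip(), value.strip()))
    return entries


def find_entry(entries, dn):
    """Attribute list of the entry with this DN (compared case-insensitively), or None."""
    for entry_dn, attrs in entries:
        if entry_dn.lower() == dn.lower():
            return attrs
    return None


def values_of(attrs, name):
    """All values of a (multi-valued) attribute, in file order."""
    return [v for a, v in attrs if a.lower() == name.lower()]


def check_config_ldif(text):
    """Return a list of problem strings; [] means steps 6 and 7 are both satisfied."""
    entries = parse_ldif(text)
    problems = []
    handler = find_entry(entries, LDAPS_HANDLER_DN)
    if handler is None:
        problems.append("entry missing: " + LDAPS_HANDLER_DN)
    else:
        suites = values_of(handler, "ds-cfg-ssl-cipher-suite")
        protocols = values_of(handler, "ds-cfg-ssl-protocol")
        if not suites:
            problems.append("LDAPS Connection Handler: ds-cfg-ssl-cipher-suite not set")
        if not protocols:
            problems.append("LDAPS Connection Handler: ds-cfg-ssl-protocol not set")
        problems += ["LDAPS Connection Handler: cipher suite not in the step 6 list: " + v
                     for v in suites if v not in ALLOWED_SUITES]
        problems += ["LDAPS Connection Handler: protocol not in the step 6 list: " + v
                     for v in protocols if v not in ALLOWED_PROTOCOLS]
    admin = find_entry(entries, ADMIN_CONNECTOR_DN)
    if admin is None:
        problems.append("entry missing: " + ADMIN_CONNECTOR_DN)
    else:
        for addr in values_of(admin, "ds-cfg-listen-address") or ["<unset>"]:
            if addr != ADMIN_LISTEN_ADDRESS:
                problems.append("Administration Connector: ds-cfg-listen-address is %s, expected %s"
                                % (addr, ADMIN_LISTEN_ADDRESS))
    return problems


if __name__ == "__main__":
    # Usage: python check_config_ldif.py [path\to\config.ldif]
    # Without a path the constructed sample is checked.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG_LDIF
    problems = check_config_ldif(text)
    print("OK" if not problems else "\n".join(problems))
```

    Run it against the real config.ldif after steps 6 and 7 and before step 8; an empty result (printed as OK) means the handler entry carries only listed suites and protocols and the Administration Connector listens on 127.0.0.1.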
  8. Restart ROR. Execute the following commands:

    net stop "SVJBASSVC"
    net start "SVJBASSVC"
  9. Start the ROR manager.

    See

    For details on how to start the manager, refer to the manuals for ROR.