Yes. In ds.conf set the FIPS state. LDAP automagically sets the key sizes higher.
# sslFipsState <Off | Level1 | Level2 | Level3>
#
# Default Value: Off
#
# Description:
# The sslFipsState option specifies the FIPS state for the LDAP server.
# When FIPS mode turned on, it is more restrictive with respect to
# cryptographic algorithms, protocols and key sizes that can be supported.
#
# Examples:
# sslFipsState Off
# sslFipsState Level1
# sslFipsState Level2
# sslFipsState Level3
#
#----------------------------------------------------------------------
sslFipsState Level3

Dave Jousma
Vice President | Director, Technology Engineering

From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of James McGinley <mcgin...@optonline.net>
Date: Friday, May 24, 2024 at 7:37 AM
To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU>
Subject: IBM LDAP 4.4 Weak Key Exchange Vulnerability Issue

GM,

Has anyone had issues remediating IBM LDAP 4.4 "Weak Key Exchange" vulnerability on their secure port? Attempting to provide Cipher combos in slapd.env with no success.

sslCipherSpecs GSK_V3_CIPHER_SPECS_EXPANDED=00380039
or
sslCipherSpecs GSK_V3_CIPHER_SPECS_EXPANDED=C027C028

In CA LDAP by setting TLS key size to 2K the vulnerability is remediated. There are no such TLS statements in IBM LDAP:

TLSDhMinKeySize 2048
TLSDsaMinKeySize 2048
TLSEccMinKeySize 194
TLSRsaMinKeySize 2048

Regards,
Jamie McGinley - BNY Mainframe Support

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
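The sslCipherSpecs values in the thread (00380039, C027C028) read as concatenated 4-hex-digit TLS cipher-suite IDs, and the distinction that matters for a "Weak Key Exchange" finding is which key-exchange family each suite uses: finite-field DHE suites (0038, 0039) get their strength from the server's DH parameter size, which a suite list alone does not control, while ECDHE suites (C027, C028) do not use finite-field DH at all. The decoder below is an added example, not IBM or CA code and not from either poster; it assumes the 4-hex-digit concatenation format shown in the thread, uses the IANA cipher-suite registry names for the IDs it knows, and flags any spec that still contains a finite-field DHE suite so an administrator can see at a glance why a cipher list change by itself may not clear the finding.

```python
# Decoder for the expanded cipher spec string quoted in the thread
# (sslCipherSpecs GSK_V3_CIPHER_SPECS_EXPANDED=00380039 or C027C028).
# Added example; not IBM's or CA's code. Assumes the value is a run of
# 4-hex-digit TLS cipher-suite IDs. Suite names are IANA registry values;
# IDs outside the small table below are reported as unknown.
from dataclasses import dataclass

# IANA TLS cipher-suite IDs: the four from the thread plus a few neighbours.
SUITES = {
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# What decides the key-exchange strength for each family.
KX_NOTES = {
    "DHE": "finite-field DH: strength comes from the server's DH parameter size, not the suite ID",
    "ECDHE": "elliptic-curve DH: strength comes from the negotiated curve",
    "RSA": "RSA key transport: no forward secrecy; strength comes from the certificate key size",
    "unknown": "suite ID not in the local table",
}


@dataclass
class Suite:
    code: int
    name: str
    kx: str
    note: str


def key_exchange(name: str) -> str:
    """Classify a suite by its key-exchange family from the IANA name."""
    if "_ECDHE_" in name:
        return "ECDHE"
    if "_DHE_" in name:
        return "DHE"
    if name.startswith("TLS_RSA_"):
        return "RSA"
    return "unknown"


def parse_cipher_specs(spec: str) -> list[Suite]:
    """Split an expanded cipher spec into suites; accepts the bare hex run
    or the full 'GSK_V3_CIPHER_SPECS_EXPANDED=...' form seen in the thread."""
    spec = spec.strip()
    if "=" in spec:
        spec = spec.split("=", 1)[1].strip()
    if not spec or len(spec) % 4 != 0 or any(c not in "0123456789abcdefABCDEF" for c in spec):
        raise ValueError(f"not a run of 4-hex-digit cipher suite IDs: {spec!r}")
    suites = []
    for i in range(0, len(spec), 4):
        code = int(spec[i:i + 4], 16)
        name = SUITES.get(code, "UNKNOWN")
        kx = key_exchange(name)
        suites.append(Suite(code, name, kx, KX_NOTES[kx]))
    return suites


def uses_finite_field_dh(spec: str) -> bool:
    """True when any suite in the spec negotiates finite-field DHE, i.e. the
    DH group size on the server, not this list, determines the strength."""
    return any(s.kx == "DHE" for s in parse_cipher_specs(spec))


if __name__ == "__main__":
    for value in ("GSK_V3_CIPHER_SPECS_EXPANDED=00380039", "C027C028"):
        print(value)
        for s in parse_cipher_specs(value):
            print(f"  {s.code:04X} {s.name:<42} {s.kx:<6} {s.note}")
        print("  finite-field DHE present:", uses_finite_field_dh(value))
```

Run as a script it prints one line per suite for each of the two values from the thread; 00380039 is reported as finite-field DHE (so a DH parameter size check is still needed), C027C028 is not.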