Yes.  In ds.conf set the FIPS state.  LDAP automagically sets the key sizes 
higher.


# sslFipsState <Off | Level1 | Level2 | Level3>
#
# Default Value: Off
#
# Description:
#   The sslFipsState option specifies the FIPS state for the LDAP server.
#   When FIPS mode turned on, it is more restrictive with respect to
#   cryptographic algorithms, protocols and key sizes that can be supported.
#
# Examples:
#   sslFipsState Off
#   sslFipsState Level1
#   sslFipsState Level2
#   sslFipsState Level3
#
#----------------------------------------------------------------------
sslFipsState Level3

Dave Jousma
Vice President | Director, Technology Engineering
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
James McGinley <mcgin...@optonline.net>
Date: Friday, May 24, 2024 at 7:37 AM
To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU>
Subject: IBM LDAP 4.4 Weak Key Exchange Vulnerability Issue

GM,

Has anyone had issues remediating IBM LDAP 4.4 "Weak Key Exchange"
vulnerability on their secure port?

Attempting to provide Cipher combos in slapd.env with no success.

sslCipherSpecs GSK_V3_CIPHER_SPECS_EXPANDED=00380039

or

sslCipherSpecs GSK_V3_CIPHER_SPECS_EXPANDED=C027C028

In CA LDAP by setting TLS key size to 2K the vulnerability is remediated. There
are no such TLS statements in IBM LDAP:

TLSDhMinKeySize 2048
TLSDsaMinKeySize 2048
TLSEccMinKeySize 194
TLSRsaMinKeySize 2048

Regards,

Jamie McGinley - BNY Mainframe Support

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
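An added example, not from either message or from IBM: a small Python helper that decodes the GSK_V3_CIPHER_SPECS_EXPANDED suite IDs quoted above into their key-exchange family (the DHE suites 0038/0039 are only as strong as the server's DH parameters, which no suite ID controls) and reads the "Server Temp Key" line from openssl s_client to show whether the LDAP secure port is still negotiating DH parameters below 2048 bits after a change such as sslFipsState. The suite table, the size thresholds and the sample s_client output are our own assumptions; probe_ldaps assumes openssl is on the path.

```python
"""Weak key exchange check for an LDAPS port: decode GSK cipher spec IDs and judge the
ephemeral key size openssl s_client reports. Tables and thresholds are our own assumptions."""
import re
import subprocess

# IANA cipher-suite values for the GSK IDs quoted in the thread (assumed lookup, not IBM's).
GSK_SUITES = {
    "0038": ("TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "DHE"),
    "0039": ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    "C027": ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "ECDHE"),
    "C028": ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "ECDHE"),
}
# Minimum ephemeral key sizes we accept (defender policy; mirrors the 2048-bit CA LDAP settings).
MIN_BITS = {"DH": 2048, "ECDH": 224, "X25519": 253, "X448": 448}

def parse_cipher_specs(spec):
    """Split a GSK_V3_CIPHER_SPECS_EXPANDED value into 4-hex-digit suite IDs."""
    value = spec.split("=", 1)[-1].strip().upper()
    if not value or len(value) % 4 or any(c not in "0123456789ABCDEF" for c in value):
        raise ValueError("cipher spec must be a non-empty run of 4-hex-digit suite IDs")
    return [value[i:i + 4] for i in range(0, len(value), 4)]

def key_exchange_kinds(spec):
    """Map each configured suite to its key-exchange family ('unknown' if not in the table)."""
    return {sid: GSK_SUITES.get(sid, (None, "unknown"))[1] for sid in parse_cipher_specs(spec)}

TEMP_KEY_RE = re.compile(r"Server Temp Key:\s*(\w+),\s*(?:(\S+),\s*)?(\d+)\s*bits")

def assess_temp_key(s_client_output):
    """Parse the 'Server Temp Key' line printed by openssl s_client and flag weak sizes.
    Returns None when no ephemeral key is reported (static RSA key exchange or no handshake)."""
    m = TEMP_KEY_RE.search(s_client_output)
    if not m:
        return None
    kind, curve, bits = m.group(1), m.group(2), int(m.group(3))
    floor = MIN_BITS.get(kind)
    weak = floor is None or bits < floor  # unrecognised key-exchange types count as weak
    return {"kind": kind, "curve": curve, "bits": bits, "weak": weak}

def probe_ldaps(host, port=636):
    """Connect to the LDAP secure port with openssl s_client and assess what it negotiated."""
    proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}"],
                          input=b"", capture_output=True, timeout=20)
    return assess_temp_key(proc.stdout.decode(errors="replace"))

# Constructed sample s_client output (not captured from a real server): weak and acceptable cases.
SAMPLE_WEAK = "SSL handshake has read 2341 bytes and written 425 bytes\nServer Temp Key: DH, 1024 bits\n"
SAMPLE_OK = "Server Temp Key: ECDH, P-256, 256 bits\n"
```

Running probe_ldaps against the secure port before and after the ds.conf change shows whether the negotiated DH size actually moved to 2048 bits or more, which is what the scanner finding is about.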
