Environment
NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
Situation
With the default NAM setup, user agents typically negotiate a TLS/SSL connection to the MAG/IDP using AES_128_CBC with HMAC_SHA1 for messaging and RSA for the key exchange. With this default in place, Chrome on Apple iOS 9.0 devices rejects any connection to our servers, showing browser warnings that we are using obsolete cipher suites.
Resolution
The following changes must be performed at the Identity and Access Gateway servers:
1) Identity Server
Change the ciphers section of the IDP server.xml file (/opt/novell/nam/idp/conf/server.xml) to ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256"
and change sslProtocol="TLSv1.2" and sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
With these changes, iOS works and Chrome no longer warns of an obsolete cipher.
2) For the Access Gateway, add the following Advanced Options:
# disable weak ciphers
SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:ALL:!EDH:
# Only allow TLS protocol version 1.0, 1.1 and 1.2
SSLProtocol -SSLV3 -SSLV2 +TLSv1.2 +TLSv1.1 +TLSv1
# enable PFS using above cipher list with SSLHonorCipherOrder
SSLHonorCipherOrder on
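A quick offline way to check that the two changes above landed as intended is to audit the settings files themselves rather than waiting for a browser warning. The script below is an added example, not part of this article or of NAM: it parses a Tomcat-style Connector (the kind of element the IDP server.xml carries) and classifies each JSSE cipher-suite name by pattern (forward secrecy, AEAD, weak markers), then checks the mod_ssl-style Advanced Options lines for the protocol, ordering and exclusion tokens. The embedded server.xml and option text are constructed samples that mirror the values from this article; the classification is purely syntactic and does not consult the JVM or OpenSSL, so it reports what is configured, not what a given library build actually supports.

```python
"""Offline audit of the TLS settings changed in this article (added example, not NAM code)."""
import xml.etree.ElementTree as ET

# Constructed sample Connector reflecting step 1; not a real NAM server.xml.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA" />
  </Service>
</Server>
"""

# Constructed sample of the step 2 Advanced Options text.
SAMPLE_ADVANCED_OPTIONS = """# disable weak ciphers
SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:ALL:!EDH:
# Only allow TLS protocol version 1.0, 1.1 and 1.2
SSLProtocol -SSLV3 -SSLV2 +TLSv1.2 +TLSv1.1 +TLSv1
# enable PFS using above cipher list with SSLHonorCipherOrder
SSLHonorCipherOrder on
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "SSLv2Hello", "TLSv1", "TLSv1.1"}
WEAK_MARKERS = ("_NULL_", "_RC4_", "_DES_", "_3DES_", "_EXPORT", "_MD5", "_anon_")


def classify_jsse_cipher(name):
    """Describe one JSSE suite name (e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) by pattern."""
    if "_WITH_" not in name:
        # TLS 1.3 style names (TLS_AES_128_GCM_SHA256) always use ephemeral key exchange.
        return {"name": name, "pfs": True, "aead": True, "weak": False}
    kx, bulk = name.split("_WITH_", 1)
    return {
        "name": name,
        "pfs": kx.startswith(("TLS_ECDHE_", "TLS_DHE_", "SSL_DHE_")),
        "aead": "_GCM_" in bulk or "CHACHA20" in bulk or "_CCM" in bulk,
        "weak": any(marker in name for marker in WEAK_MARKERS),
    }


def audit_server_xml(xml_text):
    """Return one report per SSL-enabled Connector: protocols, suites and a list of issues."""
    reports = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        enabled = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()]
        suites = [classify_jsse_cipher(s.strip()) for s in conn.get("ciphers", "").split(",") if s.strip()]
        issues = [f"legacy protocol enabled: {p}" for p in enabled if p in LEGACY_PROTOCOLS]
        issues += [f"weak suite: {c['name']}" for c in suites if c["weak"]]
        issues += [f"no forward secrecy: {c['name']}" for c in suites if not c["pfs"]]
        # Clients that flag "obsolete" suites want an AEAD suite at the head of the preference list.
        if suites and not suites[0]["aead"]:
            issues.append(f"first preferred suite is not AEAD: {suites[0]['name']}")
        reports.append({"port": conn.get("port"), "sslProtocol": conn.get("sslProtocol"),
                        "enabledProtocols": enabled, "suites": suites, "issues": issues})
    return reports


def audit_mod_ssl_options(text):
    """Syntactic check of SSLProtocol / SSLCipherSuite / SSLHonorCipherOrder lines."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            directives[key] = value.strip()
    issues = []
    proto = [t.lower() for t in directives.get("SSLProtocol", "all").split()]
    for legacy in ("sslv2", "sslv3"):
        # Flag a legacy protocol that is enabled (via "all", "+name" or a bare name) and not removed.
        if "-" + legacy not in proto and ("all" in proto or "+" + legacy in proto or legacy in proto):
            issues.append(f"{legacy} not disabled")
    if directives.get("SSLHonorCipherOrder", "off").lower() != "on":
        issues.append("SSLHonorCipherOrder is off")
    tokens = [t for t in directives.get("SSLCipherSuite", "DEFAULT").split(":") if t]
    for required in ("!aNULL", "!eNULL", "!RC4", "!EXPORT"):
        if required not in tokens:
            issues.append(f"missing {required}")
    # Note: "!EDH" removes DHE suites; ECDHE suites in ALL still give PFS, but RSA key-exchange
    # suites are not excluded by this string, so PFS is preferred, not enforced.
    return {"directives": directives, "issues": issues}


if __name__ == "__main__":
    for report in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"Connector {report['port']}: {report['issues'] or 'no findings'}")
    print("Advanced Options:", audit_mod_ssl_options(SAMPLE_ADVANCED_OPTIONS)["issues"] or "no findings")
```

Run against the real files, the Connector report will list TLSv1 and TLSv1.1 as legacy protocols, which is expected given that the article deliberately keeps them enabled; the point of the check is to make sure nothing weaker than the intended list is present and that a GCM suite heads the preference order.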