Protocol and Cipher Suite Control

This section explains how to restrict the TLS/SSL protocol versions and the cipher suites the DS License Server accepts, and what to check before doing so.

Overview

The DS License Server communicates over HTTPS, that is, HTTP carried inside a TLS (formerly SSL) session. The protection this provides depends on the protocol version and the cipher suite negotiated for each connection. From time to time, weaknesses are found in a given protocol version or cipher suite. Depending on the kind of weakness, an attacker who can observe or interfere with the traffic may be able to downgrade, decrypt or tamper with it, which matters most when the traffic crosses the Internet.

DS license servers are normally deployed on the company LAN rather than exposed to the Internet, which greatly limits their practical exposure to such attacks. Many companies nevertheless run vulnerability scanners against every computer on their network. Such a tool reports the computer hosting a DS License Server as insecure as soon as the server still accepts a deprecated protocol or cipher suite, whether or not the weakness is exploitable in that deployment.

To obtain a clean report from these tools, the license server lets you restrict the list of protocols and define the list of cipher suites it will use. Both settings are applied when the server starts, so protocols and cipher suites considered insecure can be removed without reinstalling the server.

In a failover cluster, each of the three members starts with its own protocol and cipher suite settings. To be sure that the three members accept the same protocols and cipher suites, apply the same modifications on each of the three members.

Removing a protocol or a cipher suite can prevent an older licensing client from communicating with the license server: the TLS handshake fails if the client supports none of the protocol versions and cipher suites that remain allowed on the server. Check the TLS capabilities of the oldest clients in use before restricting the server.

Supported Protocols

The DS License Server currently supports the following protocols:

  • SSLv3
  • TLSv1
  • TLSv1.1
  • TLSv1.2
  • TLSv1.3

You can remove support for one or several protocols by adding the -disableSSLProtocol parameter when starting the license server. SSLv3, TLSv1 and TLSv1.1 are deprecated (RFC 7568 and RFC 8996) and are the versions vulnerability scanners typically report; current licensing clients use TLSv1.2 or TLSv1.3.

Cipher Suites

The DS License Server supports many cipher suites. The full list is in the following file under the license server installation path:

install_path/startup/DSLSJRE/CipherSuites.txt

Each line that does not begin with a # character names an allowed cipher suite. Each line that begins with a # character names a cipher suite that the server supports but does not allow.

If the content of this file is not appropriate in the company context, copy it to any folder and edit the copy to match the desired configuration. Do not edit the delivered file in place: it is replaced every time the license server is installed.

Adding a leading # character removes the cipher suite from the list of allowed suites. Removing a leading # character adds the cipher suite back to the allowed list.

If a cipher suite that is not present in the delivered file (in other words, a suite the server does not support) is added to the customized file, it is ignored.

When starting the DS License Server, specify the path of the customized file with the -cipherSuitesPath parameter.

The delivered cipher suites file is installed every time the license server is installed. It is the license server administrator's responsibility to compare the new delivered file with the customized file and decide whether the customized file needs to be updated, for example to allow newly supported suites or to remove entries that are no longer supported.
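As an added example (not part of the product documentation and not the product's own tooling), the following Python script audits a customized cipher suites file against the delivered one using the line rules above: a leading # means supported but not allowed, any other non-blank line is allowed, and names absent from the delivered file are ignored. It reports what the server will actually allow, the entries it will silently ignore, the supported suites that the customized copy does not mention at all (what to look for after a reinstall), the allowed suites a scanner will typically flag, and the AES-256 suites the next section advises against, and it rebuilds a hardened copy of the customized file. The two file contents are constructed samples, not the real delivered list, and the weak-suite pattern is an editorial choice, not a list from the product.

```python
"""Audit a customized DS License Server cipher suites file.

Added example, not product code.  File format as documented: one suite
name per line; a line beginning with '#' is a supported suite that is
not allowed; any other non-blank line is an allowed suite; a name that
is absent from the delivered file is unsupported and ignored.
"""
import re
from typing import Dict, List, Tuple

# Suites a vulnerability scanner typically reports (NULL, RC4, DES/3DES,
# export grades, MD5 MACs, unauthenticated key exchange).  Editorial
# pattern, not a list from the product.
WEAK = re.compile(r"NULL|RC4|3DES|_DES_|EXPORT|MD5|anon", re.IGNORECASE)

# Constructed sample of a delivered CipherSuites.txt (not the real file).
DELIVERED = """\
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
#TLS_RSA_WITH_RC4_128_SHA
#TLS_RSA_WITH_NULL_SHA256
"""

# Constructed sample of an administrator's customized copy carried over
# from an earlier delivery: it never mentions TLS_AES_256_GCM_SHA384 and
# lists one suite the server does not support.
CUSTOMIZED = """\
TLS_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
#TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
#TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_NULL_SHA256
TLS_CHACHA20_POLY1305_SHA256
"""


def parse(text: str) -> Tuple[List[str], List[str]]:
    """Return (allowed, disallowed) suite names in file order."""
    allowed: List[str] = []
    disallowed: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            disallowed.append(line.lstrip("#").strip())
        else:
            allowed.append(line)
    return allowed, disallowed


def effective(delivered: str, customized: str) -> Dict[str, List[str]]:
    """What the server will use when started with -cipherSuitesPath
    pointing at `customized`, plus what the administrator should review."""
    d_allowed, d_disallowed = parse(delivered)
    supported = d_allowed + d_disallowed          # delivered order
    c_allowed, c_disallowed = parse(customized)
    mentioned = set(c_allowed) | set(c_disallowed)
    allowed = [s for s in c_allowed if s in supported]
    return {
        "allowed": allowed,
        # not in the delivered file: the server silently ignores these
        "ignored": [s for s in c_allowed if s not in supported],
        # in the delivered file but absent from the customized copy:
        # typically suites added by a later delivery
        "missing": [s for s in supported if s not in mentioned],
        "weak": [s for s in allowed if WEAK.search(s)],
        "aes256": [s for s in allowed if "AES_256" in s],
    }


def harden(delivered: str, customized: str) -> str:
    """Rebuild the customized file in delivered order: keep the
    administrator's allow choices, comment out weak suites with a
    leading '#', list unmentioned suites as disallowed so they are
    visible for review, and drop unsupported names."""
    d_allowed, d_disallowed = parse(delivered)
    c_allowed = set(parse(customized)[0])
    lines = []
    for suite in d_allowed + d_disallowed:
        keep = suite in c_allowed and not WEAK.search(suite)
        lines.append(suite if keep else "#" + suite)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    report = effective(DELIVERED, CUSTOMIZED)
    for key, suites in report.items():
        print(f"{key:8}: {', '.join(suites) or '-'}")
    print("--- hardened customized file ---")
    print(harden(DELIVERED, CUSTOMIZED), end="")
```

Run it after every reinstall with the new delivered file and the current customized copy; a non-empty "missing" or "ignored" list is the signal that the customized file needs updating, and the hardened output can be written to the folder passed via -cipherSuitesPath once the weak suites it comments out have been confirmed unnecessary for the oldest clients.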

Unlimited Strength Cipher Suites

We recommend that you do not use "unlimited strength" cipher suites: they decrease performance and do not provide more security in the context of the DS License Server. The term comes from the Java runtime's cryptographic jurisdiction policy, which historically required the "unlimited strength" policy files for 256-bit keys.

An example of such a cipher suite is any suite based on 256-bit AES, that is, a suite whose name contains AES_256.