20.1.5 SSL Renegotiation

SSL renegotiation is the process of establishing a new SSL handshake over an existing SSL connection. SSL renegotiation can be initiated either by the SSL client or the SSL server. Initiating an SSL renegotiation on the client or on the server requires a different set of APIs. The renegotiation messages (ciphers and encryption keys) are encrypted and then sent over the existing SSL connection to establish another session securely. Renegotiation is useful in the following scenarios:

  • When you require a client authentication.

  • When you require a different set of encryption and decryption keys.

  • When you require a different set of encryption and hashing algorithms.

SSL renegotiation is enabled or disabled by the following parameter: "sun.security.ssl.allowUnsafeRenegotiation".

NOTE: By default, this parameter is disabled.

This is defined in a configuration file.

You can verify whether Identity Server, Access Gateway and Administration Console support secure renegotiation by using the following command:

openssl s_client -connect <IP address of the Access Manager component>:<port>

The port can be either 8443 or 443, depending on the Access Gateway configuration.

To enable the SSL renegotiation on SLES 11 SP2 and SP3, perform the following step:

Add the parameter JAVA_OPTS="${JAVA_OPTS} -Dsun.security.ssl.allowUnsafeRenegotiation=true" in tomcat.conf (tomcat8.conf) if the parameter does not exist.

To disable the SSL renegotiation on SLES 11 SP2 and SP3, add the parameter JAVA_OPTS="${JAVA_OPTS} -Dsun.security.ssl.allowUnsafeRenegotiation=false" in tomcat.conf (tomcat8.conf) if the parameter does not exist.
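The following shell script is an added example, not part of the Access Manager documentation or product. It shows a safe way to carry out the step above: it adds the JAVA_OPTS line to a tomcat.conf (tomcat8.conf) copy when the parameter is absent and rewrites the existing line otherwise, so the file never ends up with two conflicting settings. It also reduces the banner printed by the openssl s_client check described above to a single status word. The path of the configuration file is passed in as an argument (the example does not assume the product's install location), and the s_client output embedded in the script is a constructed sample, not a real capture.

```shell
#!/bin/sh
# Added example (not from the Access Manager documentation): manage the
# sun.security.ssl.allowUnsafeRenegotiation setting in a tomcat.conf copy and
# classify the secure-renegotiation line of `openssl s_client -connect host:port`.

# set_unsafe_renegotiation FILE VALUE
# Appends the JAVA_OPTS line if the parameter is absent, otherwise rewrites the
# existing line in place so only one setting remains.
set_unsafe_renegotiation() {
    file=$1
    value=$2
    line="JAVA_OPTS=\"\${JAVA_OPTS} -Dsun.security.ssl.allowUnsafeRenegotiation=${value}\""
    if grep -q 'sun.security.ssl.allowUnsafeRenegotiation' "$file" 2>/dev/null; then
        tmp="${file}.tmp.$$"
        sed "s|^JAVA_OPTS=.*allowUnsafeRenegotiation=.*|${line}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# get_unsafe_renegotiation FILE
# Prints the configured value (true/false) or nothing if the parameter is absent.
get_unsafe_renegotiation() {
    sed -n 's/.*allowUnsafeRenegotiation=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# secure_renegotiation_status OUTPUT_TEXT
# Reduces s_client output to "supported", "unsupported" or "unknown" based on
# the "Secure Renegotiation IS ..." line that OpenSSL prints after the handshake.
secure_renegotiation_status() {
    case "$1" in
        *"Secure Renegotiation IS NOT supported"*) echo unsupported ;;
        *"Secure Renegotiation IS supported"*)     echo supported ;;
        *)                                         echo unknown ;;
    esac
}

# Constructed sample of s_client output (abridged, not a real capture).
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
---
SSL handshake has read 1234 bytes and written 456 bytes
---
Secure Renegotiation IS supported
---'

# Demo against a throwaway file; on a real system pass the path of tomcat.conf
# (tomcat8.conf) instead and restart Tomcat afterwards.
demo_conf=$(mktemp)
set_unsafe_renegotiation "$demo_conf" true
echo "after enable:  allowUnsafeRenegotiation=$(get_unsafe_renegotiation "$demo_conf")"
set_unsafe_renegotiation "$demo_conf" false
echo "after disable: allowUnsafeRenegotiation=$(get_unsafe_renegotiation "$demo_conf")"
echo "lines mentioning the parameter: $(grep -c allowUnsafeRenegotiation "$demo_conf")"
echo "sample s_client status: $(secure_renegotiation_status "$SAMPLE_S_CLIENT_OUTPUT")"
rm -f "$demo_conf"
```

To use it against a live component, pipe the real banner in, for example `secure_renegotiation_status "$(openssl s_client -connect HOST:8443 </dev/null 2>&1)"`; the status reflects whether the component advertises RFC 5746 secure renegotiation, which is a separate question from whether the unsafe (legacy) renegotiation flag above is set.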

For information about how to edit a file, see Modifying Configurations.