To specify a local acceptance policy on an individual Connection Server instance or security server, you must add properties to the locked.properties file. If the locked.properties file does not yet exist on the server, you must create it.
You add a secureProtocols.n entry for each security protocol that you want to configure. Use the following syntax: secureProtocols.n=security protocol.
You add an enabledCipherSuite.n entry for each cipher suite that you want to configure. Use the following syntax: enabledCipherSuite.n=cipher suite.
The variable n is an integer that you add sequentially (1, 2, 3) to each type of entry.
You add an honorClientOrder entry to control the precedence of cipher suites. Normally, the server's ordering of cipher suites is unimportant and the client's ordering is used. To use the server's ordering of cipher suites instead, use the following syntax:
honorClientOrder=false
Make sure that the entries in the locked.properties file have the correct syntax and the names of the cipher suites and security protocols are spelled correctly. Any errors in the file can cause the negotiation between the client and server to fail.
Procedure
Example: Default Acceptance Policies on an Individual Server
The following example shows the entries in the locked.properties file that are needed to specify the default policies:
# The following list should be ordered with the latest protocol first: secureProtocols.1=TLSv1.2 secureProtocols.2=TLSv1.1 # This setting must be the latest protocol given in the list above: preferredSecureProtocol=TLSv1.2 # The order of the following list is unimportant unless honorClientOrder is false: enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabledCipherSuite.3=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 enabledCipherSuite.4=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA # Use the client's ordering of cipher suites (ignores the ordering given above): honorClientOrder=true
