Product Documentation

Configuring Diffie-Hellman (DH) Parameters

Sep 01, 2016

If you are using ciphers on the NetScaler that require a DH key exchange to set up the SSL transaction, enable DH key exchange on the NetScaler and configure other settings based on your network.

To list the ciphers for which DH parameters must be set by using the NetScaler command line, type: sh cipher DH.

To list the ciphers for which DH parameters must be set by using the configuration utility, navigate to Traffic Management > SSL > Cipher Groups, and double-click DH.

For details on how to enable DH key exchange, see Generating a Diffie-Hellman (DH) Key.

To configure DH Parameters by using the command line interface

At the command prompt, type the following commands to configure DH parameters and verify the configuration:

  • set ssl vserver <vserverName> -dh <Option> -dhCount <RefreshCountValue> -filepath <string>
  • show ssl vserver <vServerName>

Example

 
> set ssl vserver vs-server -dh ENABLED  -dhFile /nsconfig/ssl/ns-server.cert -dhCount 1000 
  Done 
> show ssl vserver vs-server 
 
        Advanced SSL configuration for VServer vs-server: 
        DH: ENABLED 
        Ephemeral RSA: ENABLED          Refresh Count: 1000 
        Session Reuse: ENABLED          Timeout: 120 seconds 
        Cipher Redirect: DISABLED 
        SSLv2 Redirect: DISABLED 
        ClearText Port: 0 
        Client Auth: DISABLED 
        SSL Redirect: DISABLED 
        Non FIPS Ciphers: DISABLED 
        SSLv2: DISABLED SSLv3: ENABLED  TLSv1: ENABLED 
 
1)      Cipher Name: DEFAULT 
        Description: Predefined Cipher Alias 
 Done

To configure DH Parameters by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open a virtual server.
  2. In the SSL Parameters section, select Enable DH Param, and specify a refresh count and file path.