Identity Manager Provisioning Directory: how to disable TLS cipher suites that use Diffie-Hellman prime modulus smaller than 2048 bits

Article ID: 275436

Products

CA Identity Manager

Issue/Introduction

Provisioning Directory in our Identity Manager installation is using TLSv1.2 with cipher suites, some of which use Diffie-Hellman prime modulus smaller than 2048 bits:

TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

How can we disable the above cipher suites in Provisioning Directory?

Environment

Release : 14.4, 14.5

Resolution

To disable Diffie-Hellman (DHE) cipher suites in IM Provisioning Directory (IMPD), modify the impd.dxc file located under:

/opt/CA/Directory/dxserver/config/ssld/ for a vApp or a standalone installation on Linux (default location)

C:\Program Files\CA\Directory\dxserver\config\ssld for a standalone installation on Windows (default location)

Out of the box, this file contains the line:

cipher = "HIGH:!SSLv2:!EXP:!aNULL:!eNULL"

You can disable all DHE cipher suites by modifying the above line as follows (the !DHE keyword excludes every suite that uses finite-field ephemeral Diffie-Hellman key exchange; ECDHE suites are not affected):

cipher = "HIGH:!SSLv2:!EXP:!aNULL:!eNULL:!DHE"

or, if you prefer, you can disable specific cipher suites by listing each one by its OpenSSL name, like this (note that this removes only the suites named; any other DHE suite offered by the OpenSSL build in use remains enabled):

cipher = "HIGH:!SSLv2:!EXP:!aNULL:!eNULL:!DHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA"
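To see what each of these cipher strings actually expands to before restarting the DSAs, the following added Python script (not part of this article or of the CA Directory product) applies the original line, the blanket !DHE line and the enumerated line to a local OpenSSL context and reports which DHE suites survive each one; it assumes only that the local OpenSSL build is representative of the one the DSA links against.

```python
import re
import ssl

# Cipher strings taken from the impd.dxc settings shown above.
ORIGINAL = "HIGH:!SSLv2:!EXP:!aNULL:!eNULL"
BLANKET_NO_DHE = ORIGINAL + ":!DHE"
EXPLICIT_NAMES = [
    "DHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA256",
    "DHE-RSA-CAMELLIA128-SHA", "DHE-RSA-CAMELLIA256-SHA",
]
EXPLICIT_NO_DHE = ORIGINAL + "".join(":!" + n for n in EXPLICIT_NAMES)


def expand(cipher_string):
    """Return the suites (as OpenSSL describes them) that the local OpenSSL
    build offers for this cipher string. TLS 1.3 suites are configured
    separately by OpenSSL and are dropped so the result reflects the
    TLS 1.2 list this article is about."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def dhe_suites(cipher_string):
    """Names of suites using finite-field ephemeral DH (OpenSSL shows Kx=DH).
    ECDHE suites show Kx=ECDH and are intentionally not matched."""
    return [c["name"] for c in expand(cipher_string)
            if re.search(r"\bKx=DH\b", c["description"])]


def report(label, cipher_string):
    """Print a one-line summary and return the surviving DHE suite names."""
    suites = expand(cipher_string)
    dhe = dhe_suites(cipher_string)
    print(f"{label}: {len(suites)} suites, {len(dhe)} DHE: {', '.join(dhe) or '-'}")
    return dhe


if __name__ == "__main__":
    report("original  ", ORIGINAL)
    report("!DHE      ", BLANKET_NO_DHE)
    # Enumerating names removes only the names listed; any other DHE suite the
    # build offers (for example a DHE ChaCha20 suite) is still reported here.
    report("enumerated", EXPLICIT_NO_DHE)
```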

To modify this file on the vApp, log on to the vApp shell as the config user and then switch to the dsa user:
su - dsa
You can then edit the file with the vi editor.

On Linux, simply log on as the dsa user.

On Windows, use the Administrator user.

You need to restart all IMPD data DSAs and the router DSA for the change to take effect.

IMPD DSAs:

<hostname>-impd-main (port 20394)
<hostname>-impd-co (port 20396)
<hostname>-impd-inc (port 20398)
<hostname>-impd-notify (port 20404)
<hostname>-imps-router (port 20391)