IBM Support

Setting the SSL_TIMEOUT_MILLISEC environment variable

Question & Answer

Question

How to configure the timeout of the SSL handshake transaction by using the SSL_TIMEOUT_MILLISEC environment variable?

Cause

1. Network latency between the client and server systems.
2. The system capabilities under load to process initial SSL handshake on both client and server side.

Answer

In ITDS 5.2 Fixpack 4 and later, the environment parameter SSL_TIMEOUT_MILLISEC was introduced so that the value for the timeout of the SSL handshake transaction is configurable. This parameter is defined in the cn=Front End entry of the ibmslapd.conf file. This allows the user to configure longer timeouts before SSL connections are closed.

The SSL_TIMEOUT_MILLISEC value is a positive number of milliseconds to retry an SSL handshake. It can be set in the following ways:

If SSL_TIMEOUT_MILLISEC is not set in the ibmslapd.conf, the value defaults to 1000 millisecs (1 sec). This is an appropriate timeout for environments in which all the packets are traveling over local LANs. Longer timeouts should be chosen in networking environments with any latency or any possible networking problems, and also when the client or server systems are under load, since the encryption work done during the handshake then takes longer to complete.

When setting SSL_TIMEOUT_MILLISEC in the ibmslapd.conf file, the possible values are:

1 to 2147483647: 0.001 to 2,147,483.647 seconds (~24.86 days)

If this variable is set to 0, then there is no timeout (it's unlimited).

This variable can be used in cases where errors like the following:

01/01/01 01:15:11 PM The underlying socket was closed.
01/01/01 01:15:11 PM SSL handshake from 10.11.12.13 failed. Connection denied.

are showing up in the ibmslapd.log sporadically (and the GSKit level and server certificate are believed to be configured correctly).
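As an added example (not part of this technote), the following Python script scans ibmslapd.log lines for the two messages above, counts handshake failures per source address and measures the largest number of failures inside any 60-second window. Failures that are spread thinly over time and across sources are consistent with a timeout that is too short for the network; a burst concentrated on one client at one time points at that client (its certificate, GSKit level or connectivity) rather than at the timeout. The log lines embedded in the script are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of ibmslapd.log content (not taken from a real server).
SAMPLE_LOG = """01/01/01 01:15:11 PM The underlying socket was closed.
01/01/01 01:15:11 PM SSL handshake from 10.11.12.13 failed. Connection denied.
01/01/01 01:15:12 PM Some other server message that the scan ignores.
01/01/01 02:40:03 PM The underlying socket was closed.
01/01/01 02:40:03 PM SSL handshake from 10.11.12.13 failed. Connection denied.
01/01/01 02:40:05 PM The underlying socket was closed.
01/01/01 02:40:05 PM SSL handshake from 10.11.12.99 failed. Connection denied.
"""

# Timestamp prefix used by ibmslapd.log: MM/DD/YY HH:MM:SS AM|PM
TS = r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [AP]M)"
HANDSHAKE_RE = re.compile(TS + r" SSL handshake from (\S+) failed\. Connection denied\.")
SOCKET_RE = re.compile(TS + r" The underlying socket was closed\.")


def parse_ts(text):
    """Turn the log's timestamp prefix into a datetime."""
    return datetime.strptime(text, "%m/%d/%y %I:%M:%S %p")


def summarize_handshake_failures(lines, burst_window_sec=60):
    """Count SSL handshake failures per source and find the largest burst.

    Returns a dict with the total number of handshake failures, the number
    of 'underlying socket was closed' messages, a per-source count, and the
    maximum number of failures that fall inside any burst_window_sec window.
    """
    failures = []          # (timestamp, source address)
    socket_closed = 0
    for line in lines:
        line = line.strip()
        m = HANDSHAKE_RE.match(line)
        if m:
            failures.append((parse_ts(m.group(1)), m.group(2)))
            continue
        if SOCKET_RE.match(line):
            socket_closed += 1

    by_source = Counter(src for _, src in failures)

    # Sliding window over the sorted timestamps: the widest window whose
    # first and last failure are at most burst_window_sec apart.
    times = sorted(ts for ts, _ in failures)
    max_burst = 0
    start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > burst_window_sec:
            start += 1
        max_burst = max(max_burst, end - start + 1)

    return {
        "total": len(failures),
        "socket_closed": socket_closed,
        "by_source": dict(by_source),
        "max_burst": max_burst,
    }


if __name__ == "__main__":
    summary = summarize_handshake_failures(SAMPLE_LOG.splitlines())
    for key, value in summary.items():
        print(f"{key}: {value}")
```

A "max_burst" close to the total means the failures arrived together; a small "max_burst" with a large total spread over hours is the sporadic pattern this technote describes.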

Here's an example of configuring this variable:

If you wanted to set the SSL timeout value to 5000 millisecs (5 seconds), the entry in the ibmslapd.conf would look like:

dn: cn=Front End, cn=Configuration
cn: Front End
ibm-slapdACLCache: TRUE
ibm-slapdACLCacheSize: 25000
ibm-slapdEntryCacheSize: 25000
ibm-slapdFilterCacheBypassLimit: 100
ibm-slapdFilterCacheSize: 25000
ibm-slapdIdleTimeOut: 300
ibm-slapdSetenv: SSL_TIMEOUT_MILLISEC=5000
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-SlapdFrontEnd

To modify this using an LDIF file, do the following:

1. Create an LDIF file that looks like (note that the file must not contain a blank line between the dn line and the changetype line, because a blank line ends an LDIF record):

-----------ssl.ldif---------------
dn: cn=Front End, cn=Configuration
changetype: modify
add: ibm-slapdSetenv
ibm-slapdSetenv: SSL_TIMEOUT_MILLISEC=5000
----------------------------------

2. Apply the LDIF file (the -w ? option prompts for the cn=root password instead of placing it on the command line):

idsldapmodify -D cn=root -w ? -i ssl.ldif

3. Restart the server: adding an ibm-slapdSetenv parameter requires a server restart before it takes effect.
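As an added example that is not part of this technote, the following Python script reads the cn=Front End entry from an ibmslapd.conf file, reports the effective SSL_TIMEOUT_MILLISEC (1000 when the variable is absent), checks a proposed value against the accepted range (0 for no timeout, or 1 to 2147483647) and generates the modify LDIF. Because ibm-slapdSetenv is a multi-valued attribute that may also hold other variables, the script deletes the old SSL_TIMEOUT_MILLISEC value and adds the new one instead of using a replace, which would drop the other values. The configuration text and the function names are constructed for the example; the generated LDIF is applied with idsldapmodify as in step 2 and still needs the restart in step 3.

```python
import re

DEFAULT_TIMEOUT_MS = 1000         # used by the server when the variable is not set
MAX_TIMEOUT_MS = 2147483647       # largest accepted value (~24.86 days)
FRONT_END_DN = "cn=Front End, cn=Configuration"
ENV_ATTR = "ibm-slapdSetenv"
ENV_NAME = "SSL_TIMEOUT_MILLISEC"

# Constructed ibmslapd.conf excerpt for the example (not a real server's file).
SAMPLE_CONF = """dn: cn=Configuration
cn: Configuration
objectclass: top
objectclass: ibm-slapdConfigEntry

dn: cn=Front End, cn=Configuration
cn: Front End
ibm-slapdACLCache: TRUE
ibm-slapdIdleTimeOut: 300
ibm-slapdSetenv: SSL_TIMEOUT_MILLISEC=1000
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-SlapdFrontEnd
"""


def _norm_dn(dn):
    """DNs are case-insensitive and spacing around commas is not significant."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_entries(text):
    """Split LDIF-style text into entries (lists of lines); a blank line ends an entry."""
    entries, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = []
        else:
            current.append(line)
    if current:
        entries.append(current)
    return entries


def front_end_entry(conf_text):
    """Return the lines of the cn=Front End entry, or None if it is missing."""
    for entry in parse_entries(conf_text):
        attr, _, value = entry[0].partition(":")
        if attr.strip().lower() == "dn" and _norm_dn(value) == _norm_dn(FRONT_END_DN):
            return entry
    return None


def current_ssl_timeout(conf_text):
    """Configured SSL_TIMEOUT_MILLISEC in cn=Front End, or None when not set."""
    entry = front_end_entry(conf_text)
    if entry is None:
        return None
    for line in entry[1:]:
        attr, _, value = line.partition(":")
        if attr.strip().lower() == ENV_ATTR.lower():
            name, _, number = value.strip().partition("=")
            if name == ENV_NAME:
                return int(number)
    return None


def effective_ssl_timeout(conf_text):
    """The timeout the server actually applies, falling back to the 1000 ms default."""
    value = current_ssl_timeout(conf_text)
    return DEFAULT_TIMEOUT_MS if value is None else value


def validate_timeout(ms):
    """Accept 0 (no timeout) or 1..2147483647 milliseconds; reject anything else."""
    if not isinstance(ms, int) or ms < 0 or ms > MAX_TIMEOUT_MS:
        raise ValueError(f"{ENV_NAME} must be 0 or 1..{MAX_TIMEOUT_MS}, got {ms!r}")
    return ms


def build_ldif(old_ms, new_ms):
    """Modify LDIF that sets SSL_TIMEOUT_MILLISEC=new_ms in cn=Front End.

    When an old value exists it is deleted first; a 'replace' is avoided
    because it would also remove any other ibm-slapdSetenv values.
    """
    validate_timeout(new_ms)
    lines = [f"dn: {FRONT_END_DN}", "changetype: modify"]
    if old_ms is not None:
        lines += [f"delete: {ENV_ATTR}", f"{ENV_ATTR}: {ENV_NAME}={old_ms}", "-"]
    lines += [f"add: {ENV_ATTR}", f"{ENV_ATTR}: {ENV_NAME}={new_ms}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    old = current_ssl_timeout(SAMPLE_CONF)
    print(f"effective timeout: {effective_ssl_timeout(SAMPLE_CONF)} ms")
    print(build_ldif(old, 5000))   # write this to ssl.ldif and apply with idsldapmodify
```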


Document Information

Modified date:
16 June 2018

UID

swg21233758