UpdateDomainCiphers
Update the Informatica domain to use a new effective list. Modify the whitelist to add cipher suites to the effective list. Modify the blacklist to remove cipher suites from the effective list.
Before you run the command, verify that the following requirements are met:
- The domain uses secure communication within the domain or secure connections to web clients.
- The domain is shut down.
- You are able to run the command on a gateway node in the domain.
The effective list of cipher suites contains the cipher suites that the Informatica domain supports. When you run the UpdateDomainCiphers command, the Informatica domain creates the effective list of cipher suites based on the following lists:
- Blacklist
  List of cipher suites that you want the Informatica domain to block. When you add a cipher suite to the blacklist, the Informatica domain removes the cipher suite from the effective list. You can add cipher suites that are on the default list to the blacklist.
- Default list
  List of cipher suites that the Informatica domain supports by default.
- Whitelist
  List of cipher suites that you want the Informatica domain to support in addition to the default list. When you add a cipher suite to the whitelist, the Informatica domain adds the cipher suite to the effective list. You do not need to add cipher suites that are on the default list to the whitelist.
Consider the following guidelines when you run the UpdateDomainCiphers command:
- When you run the command, you create a new effective list that overrides the previous effective list.
- When you run the command and specify a whitelist or blacklist, the new whitelist or blacklist overwrites the previous list.
- The effective list includes the cipher suites in the default list and whitelist and excludes the cipher suites in the blacklist.
- When you run the command and do not specify a whitelist or blacklist, the command creates an effective list that uses the cipher suites in the default list.
- The effective list must contain at least one cipher suite that TLS v1.1 or 1.2 supports.
- The cipher suites in the effective list must be valid for Windows, the Java Runtime Environment, and OpenSSL.
For more information about how to create whitelists and blacklists to update the effective list that the Informatica domain uses, see the Informatica Security Guide.
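The following Python sketch models the guidelines above so that a planned whitelist and blacklist can be checked before the change is applied. It is an added example, not Informatica code: the sample default list, the `SAMPLE_KNOWN` universe, and the function names are constructed for illustration, and it assumes that a regular expression must match the whole cipher suite name and that Python's `re` treats these simple patterns the same way Java does.

```python
import re

# Constructed sample data, not Informatica's real default list.
SAMPLE_DEFAULT = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Constructed stand-in for the suites the JRE/OpenSSL runtime recognizes.
SAMPLE_KNOWN = SAMPLE_DEFAULT + [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_RC4_128_SHA",
]

def parse_list(text):
    """Split a comma-separated list (option value or file contents)."""
    return [e.strip() for e in text.replace("\n", ",").split(",") if e.strip()]

def expand(entries, universe):
    """Resolve entries (full names or regexes) to matching suite names."""
    matched, unmatched = [], []
    for entry in entries:
        pattern = re.compile(entry)  # raises re.error on a malformed regex
        # Assumption: a pattern has to match the whole suite name.
        hits = [s for s in universe if pattern.fullmatch(s)]
        if hits:
            matched.extend(hits)
        else:
            unmatched.append(entry)
    return matched, unmatched

def effective_list(default, whitelist, blacklist, known):
    """Return (effective list, entries that matched nothing)."""
    added, bad_w = expand(whitelist, known)
    blocked, bad_b = expand(blacklist, known)
    effective = []
    # Default list plus whitelist, minus anything the blacklist blocks.
    for suite in list(default) + added:
        if suite not in blocked and suite not in effective:
            effective.append(suite)
    if not effective:
        raise ValueError("effective list would be empty")
    return effective, bad_w + bad_b

if __name__ == "__main__":
    wl = parse_list("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, .*_RC4_.*")
    bl = parse_list(".*_(RC4|3DES)_.*, TLS_NOT_A_SUITE")
    suites, ignored = effective_list(SAMPLE_DEFAULT, wl, bl, SAMPLE_KNOWN)
    print("\n".join(suites))
    print("matched nothing:", ignored)
```

In the sample run the blacklist pattern removes the RC4 suite even though the whitelist pattern added it, and the misspelled blacklist entry is reported instead of being silently ignored.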
The UpdateDomainCiphers command uses the following syntax:
[<-preview|-p> true|false]
[<-cipherWhiteList|-cwl> ciphersuite1,ciphersuite2,...]
[<-cipherWhiteListFile|-cwlf> whitelist_file_name]
[<-cipherBlackList|-cbl> ciphersuite1,ciphersuite2,...]
[<-cipherBlackListFile|-cblf> blacklist_file_name]
The following table describes infasetup UpdateDomainCiphers options and arguments:
Option | Argument | Description |
---|---|---|
-preview -p | true false | Optional. If true, the command displays the effective list of cipher suites that the domain will use. If false, the command updates the cipher suites for the Informatica domain to use the effective list of cipher suites. The default is false. |
-cipherWhiteList -cwl | CipherSuiteName01,CiphersuiteName02, ... | Optional. Comma-separated list of cipher suites that you want to add to the effective list. Use the full IANA TLS Cipher Suite Registry name or a Java regular expression. This list overwrites the previous whitelist. Note: The list must contain at least one valid JRE or OpenSSL cipher suite. |
-cipherWhiteListFile -cwlf | whitelist_file_location | Optional. Absolute file path and filename of a plain-text file that contains a comma-separated list of cipher suites that you want to add to the effective list. This list overwrites the previous whitelist. Use the full IANA TLS Cipher Suite Registry name or a Java regular expression. Note: The list must contain at least one valid JRE or OpenSSL cipher suite. |
-cipherBlackList -cbl | CipherSuiteName01,CiphersuiteName02, ... | Optional. Comma-separated list of cipher suites that you want to remove from the effective list. Use the full IANA TLS Cipher Suite Registry name or a Java regular expression. This list overwrites the previous blacklist. Note: The effective list must contain at least one valid JRE or OpenSSL cipher suite. |
-cipherBlackListFile -cblf | blacklist_file_location | Optional. Absolute file path and filename of a plain-text file that contains a comma-separated list of cipher suites that you want to remove from the effective list. Use the full IANA TLS Cipher Suite Registry name or a Java regular expression. This list overwrites the previous blacklist. Note: The effective list must contain at least one valid JRE or OpenSSL cipher suite. |