MWS 9.5 DirectoryService JSSE/TLSv1.2 configuration

Hi,

we are currently encountering the following issue in our environments:
Our partner hosting the LDAP-based directory service we are using for SSO authorization disabled TLSv1.0 and TLSv1.1 for security reasons.

We are currently running webMethods 9.5 SP1 with Fixes using Java 7 on these environments.

Is there any way to tell the directory service configuration in MWS that it should use JSSE for the LDAPS connection, as we currently cannot turn the old TLS versions back on for backward compatibility reasons?
Looks like it is using Entrust/IAIK by default, which only allows for TLS v1.0.

Regards,
Holger

I don’t have v9.5, so I tried to reproduce your issue on my v9.9. But I could not reproduce it, and it’s working fine on my local setup.
I set up an Apache DS with TLS 1.2 enabled only, configured it as a directory service on MWS through LDAPS, and I’m able to query users on Apache DS.
So what specific error message did you see?

Hi,

Please check, but I’m under the impression 9.5 does not support TLS 1.2.

Best regards,

Hi Gerardo,

Generally webMethods 9.5 should be able to use TLS v1.2, as it is running on Java 7.
At least after applying the fix for the POODLE issue, and we currently have a newer fix installed.

Unfortunately I did not find any setting to restrict the TLS version for LDAP directory service in MWS, as I do not want to disable TLS v1.0 and TLS v1.1 completely at the moment. This might be done later on.

I have already opened an incident with SAG in parallel to get this investigated officially.

We are preparing a Migration to wM 9.12 where it seems to work with TLS v1.2 so far as I can enable the directory service there.

@Xiaowei:
Here is the StackTrace from full.log:
Remote host closed connection during handshake (91)
        at netscape.ldap.factory.JSSESocketFactory.makeSocket(JSSESocketFactory.java:111)
        at netscape.ldap.LDAPConnSetupMgr.connectServer(LDAPConnSetupMgr.java:509)
        at netscape.ldap.LDAPConnSetupMgr.openSerial(LDAPConnSetupMgr.java:435)
        at netscape.ldap.LDAPConnSetupMgr.connect(LDAPConnSetupMgr.java:274)
        at netscape.ldap.LDAPConnSetupMgr.access$000(LDAPConnSetupMgr.java:44)
        at netscape.ldap.LDAPConnSetupMgr$1.run(LDAPConnSetupMgr.java:208)
        at java.lang.Thread.run(Thread.java:724)

Regards,
Holger