IBM Verify

  • 1.  Embedded runtime openldap TLS1 vs TLS1.1 vs TLS1.2

    Posted Thu January 17, 2019 06:48 PM
    I have raised a PMR for this but I was wondering if anyone else has struck this issue.

    We have a few old ISAM 9.0.0 appliances that are running the internal openldap runtime component and when I attempt to connect to it using different TLS ciphers it only seems to support TLS 1.0 (not 1.1 or 1.2).

    Then when we upgrade the appliances to 9.0.5 the appliance disabled TLS 1.0 and only supports TLS 1.1 and TLS 1.2.

    We have reconfigured the ldap.conf, pd.conf and ivmgrd.conf for good measure enabling TLS 1.0, 1.1 and 1.2 in all three (tls-v10-enable, tls-v11-enable and tls-v12-enable = yes), but it doesn't seem to apply when connecting in remotely to the openldap runtime.

    I couldn't see anywhere else that we could change these settings, but there just doesn't seem to be a way to enable TLS 1.1/1.2 on 9.0.0 and enabling TLS 1.0 on 9.0.5.

    Any suggestions?

    ------------------------------
    Peter Lambrechtsen
    ------------------------------


  • 2.  RE: Embedded runtime openldap TLS1 vs TLS1.1 vs TLS1.2

    Posted Thu January 17, 2019 07:33 PM
    And I have found this note in 9.0.3.1 saying that TLS 1.1 and 1.2 aren't supported.

    https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.3.1/com.ibm.isam.doc/admin/concept/con_manage_ldap_server.html

    So somewhere after 9.0.3.1 TLS 1.1+1.2 was added, and TLS 1.0 was disabled in 9.0.5.0.

    Is there any Advanced Tuning Parameters like "wga.rte.embedded.ldap.ssl.port" that can tweak what TLS Protocols are supported?

    ------------------------------
    Peter Lambrechtsen
    ------------------------------



  • 3.  RE: Embedded runtime openldap TLS1 vs TLS1.1 vs TLS1.2

    Posted Fri January 18, 2019 12:22 PM
    Hi Peter,

    Up until 9.0.5.0 only TLS 1.0 is supported due to a limitation with the embedded OpenLDAP.
    There is no way to enable 1.1/1.2.


    ------------------------------
    Nick
    IBM Level II Support
    ------------------------------



  • 4.  RE: Embedded runtime openldap TLS1 vs TLS1.1 vs TLS1.2

    Posted Sun January 20, 2019 04:28 PM
    Peter,

    In later versions of OpenLDAP (not just the embedded ISAM version) TLS v1.0 is disabled by default.  If you want to enable TLS v1.0 in v9050 of the appliance you can set the following advanced tuning parameter: "wga_rte.embedded.ldap.enable.sslv3 = true".  This won't actually enable SSLv3 (as the name would suggest), but will enable TLS v1.0.  I just tested this in my environment and it did the job.

    I hope that this helps,

    Scott.

    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------
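The thread turns on what the embedded LDAP port actually negotiates, which the ldap.conf/pd.conf/ivmgrd.conf settings did not change. The script below is an added example (not from the thread, IBM, or the appliance) for confirming that from an admin workstation after an upgrade or after setting the tuning parameter Scott describes: it drives `openssl s_client` once per protocol version against the appliance's LDAP SSL port and reports which handshakes complete. The host and port are placeholders you supply on the command line, and the output patterns it matches on (the `Protocol :` line, alert messages, `Cipher : 0000`) are assumptions based on typical `s_client` output rather than anything stated in the thread.

```shell
#!/bin/sh
# Added example: report which TLS protocol versions a TLS-enabled LDAP port
# accepts. Usage: ./tlsprobe.sh <appliance-host> <ldap-ssl-port>
# (host and port are assumptions; use your own appliance's values.)

# Classify captured `openssl s_client` output. Kept separate from the network
# call so the matching logic can be exercised offline. Prints:
#   yes                 a handshake completed at the requested version
#   no                  the server rejected that version
#   client-unsupported  the local openssl build does not know the option
classify_handshake() {
    out="$1"
    if printf '%s\n' "$out" | grep -qiE 'unknown option|option unknown'; then
        echo client-unsupported
    elif printf '%s\n' "$out" | grep -qiE \
         'handshake failure|wrong version number|alert protocol version|no protocols available|Cipher *: 0000'; then
        echo no
    elif printf '%s\n' "$out" | grep -q 'Protocol *: TLSv'; then
        echo yes
    else
        echo no
    fi
}

# Attempt one protocol version; flag is an s_client option such as -tls1_2.
# openssl exits non-zero on a failed handshake, so the assignment is guarded.
probe_version() {
    host="$1"; port="$2"; flag="$3"
    out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1) || true
    classify_handshake "$out"
}

# Probe TLS 1.0, 1.1 and 1.2 in turn and print a small table.
probe_all() {
    host="$1"; port="$2"
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%-10s %s\n' "$flag" "$(probe_version "$host" "$port" "$flag")"
    done
}

# Only run the probe when a host and port are given on the command line.
if [ "$#" -eq 2 ]; then
    probe_all "$1" "$2"
fi
```

Run it before and after changing the tuning parameter to see the difference directly on the wire. Note that a `client-unsupported` result, or a `no` for TLS 1.0/1.1 from a workstation whose own OpenSSL has those versions disabled at its default security level, says nothing about the appliance; re-run from a client that still offers the older versions before concluding the server rejects them.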