IBM webMethods Hybrid Integration

  • 1.  MWS 9.5 DirectoryService JSSE/TLSv1.2 configuration

    Posted Mon June 17, 2019 07:48 AM

    Hi,

    we are currently encountering the following issue in our environments:
    Our partner hosting the LDAP-based directory service we are using for SSO authorization disabled TLSv1.0 and TLSv1.1 for security reasons.

    We are currently running webMethods 9.5 SP1 with Fixes using Java 7 on these environments.

    Is there any way to tell the directory service configuration in MWS that it should use JSSE for the LDAPS connection, as we currently cannot turn off the old TLS versions for backward compatibility reasons?
    Looks like it is using Entrust/IAIK by default, which only allows for TLS v1.0.

    Regards,
    Holger


    #webMethods-BPMS
    #webMethods
    #MWS-CAF-Task-Engine


  • 2.  RE: MWS 9.5 DirectoryService JSSE/TLSv1.2 configuration

    Posted Fri June 21, 2019 04:58 AM

    I don’t have v9.5, so I tried to reproduce your issue on my v9.9. But I could not reproduce it, and it’s working fine on my local.
    I set up an Apache DS with TLS 1.2 enabled only, and configured it as a directory service on MWS through LDAPS, and I’m able to query users on Apache DS.
    So what specific error message did you see?


    #MWS-CAF-Task-Engine
    #webMethods
    #webMethods-BPMS


  • 3.  RE: MWS 9.5 DirectoryService JSSE/TLSv1.2 configuration

    Posted Sun June 23, 2019 09:18 AM

    Hi,

    Please check, but I’m under the impression 9.5 does not support TLS 1.2.

    Best regards,


    #MWS-CAF-Task-Engine
    #webMethods-BPMS
    #webMethods


  • 4.  RE: MWS 9.5 DirectoryService JSSE/TLSv1.2 configuration

    Posted Fri July 05, 2019 02:28 PM

    Hi Gerardo,

    generally webMethods 9.5 should be able to use TLS v1.2 as it is running on Java 7.
    At least after applying the Fix for the Poodle issue and we have currently a newer Fix installed.

    Unfortunately I did not find any setting to restrict the TLS version for LDAP directory service in MWS, as I do not want to disable TLS v1.0 and TLS v1.1 completely at the moment. This might be done later on.

    I have already opened an incident with SAG in parallel to get this investigated officially.

    We are preparing a migration to wM 9.12 where it seems to work with TLS v1.2 so far as I can enable the directory service there.

    @Xiaowei:
    Here is the StackTrace from full.log:

    
    Remote host closed connection during handshake (91)
    at netscape.ldap.factory.JSSESocketFactory.makeSocket(JSSESocketFactory.java:111)
    at netscape.ldap.LDAPConnSetupMgr.connectServer(LDAPConnSetupMgr.java:509)
    at netscape.ldap.LDAPConnSetupMgr.openSerial(LDAPConnSetupMgr.java:435)
    at netscape.ldap.LDAPConnSetupMgr.connect(LDAPConnSetupMgr.java:274)
    at netscape.ldap.LDAPConnSetupMgr.access$000(LDAPConnSetupMgr.java:44)
    at netscape.ldap.LDAPConnSetupMgr$1.run(LDAPConnSetupMgr.java:208)
    at java.lang.Thread.run(Thread.java:724)

    Regards,
    Holger


    #webMethods
    #webMethods-BPMS
    #MWS-CAF-Task-Engine
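
The stack trace in post 4 fails inside a JSSE socket factory, so a useful check is which TLS versions the JVM running MWS supports versus which it enables by default on client sockets. The following is an added example, not code from the thread or from webMethods: the class name `TlsProbe` is hypothetical, and the optional host and port arguments are whatever LDAPS endpoint you supply. It is written to compile on Java 7.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added diagnostic (hypothetical class, not webMethods code).
// Run it with the same JVM binary that MWS is started with.
public class TlsProbe {

    // True if the protocol name appears in the given list.
    static boolean has(String[] protocols, String name) {
        return Arrays.asList(protocols).contains(name);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        String[] enabled = ctx.getDefaultSSLParameters().getProtocols();

        System.out.println("java.version       : " + System.getProperty("java.version"));
        System.out.println("supported by JSSE  : " + Arrays.toString(supported));
        System.out.println("enabled by default : " + Arrays.toString(enabled));

        if (!has(supported, "TLSv1.2")) {
            System.out.println("This JVM's JSSE provider cannot negotiate TLSv1.2.");
            return;
        }
        if (!has(enabled, "TLSv1.2")) {
            System.out.println("TLSv1.2 is supported but not enabled by default; "
                    + "a client that never calls setEnabledProtocols() will not offer it.");
        }
        if (args.length < 2) {
            return; // no endpoint given: offline report only
        }

        // Optional live check: offer TLSv1.2 only and report what was negotiated.
        // The server certificate must be trusted by the JVM's default truststore,
        // otherwise the handshake fails for a reason unrelated to the TLS version.
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(args[0], Integer.parseInt(args[1]));
        try {
            socket.setEnabledProtocols(new String[] { "TLSv1.2" });
            socket.startHandshake();
            System.out.println("negotiated         : " + socket.getSession().getProtocol()
                    + " / " + socket.getSession().getCipherSuite());
        } finally {
            socket.close();
        }
    }
}
```

If the forced TLSv1.2 handshake succeeds here while MWS still fails, the JVM is capable and the limitation lies in which protocols the LDAP client code enables on its sockets.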