MY0419 Dependencies on TLS 1.0 in MyID and Disabling

    MyID Support
    Keymaster

    Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communications security over a computer network.

    SSL is now deprecated and replaced by TLS. The initial version, TLS 1.0, is now no longer recommended for use under some security policies, but certain Microsoft components used by MyID still require the use of TLS 1.0.

    1 How is TLS used by MyID?

    MyID uses Microsoft components that have dependencies on TLS, including:

        • Microsoft OLEDB driver
        • Microsoft .NET Framework

    These components use TLS to protect:

        • Access to web pages and web services that are part of the MyID architecture, including those that support MyID user interfaces
        • API interfaces from MyID to certificate authorities
        • APIs to MyID and notifications sent from MyID to other systems
        • Database communications
        • Connections to a directory using Secure LDAP (LDAPS)

    2 What is the impact of disabling TLS 1.0?

    Disabling TLS 1.0 may cause the MyID system to become non-functional, unless specific steps are taken.

    Impacted areas are:

        • Database communications (Microsoft OLEDB driver) – Impact: MyID Product and Patch installers, MyID Application Servers
        • MyID Web Services (Microsoft .NET Framework) – Impact: MyID Desktop, Self Service App, Self Service Kiosk and Identity Agent, which depend on the Web Services API

    3 Are there any workarounds?

    Following release of an updated Microsoft OLEDB driver, a workaround has been established to allow MyID to continue operating when TLS 1.0 is disabled.

    Most components of MyID that depend on the Microsoft .NET Framework have now been updated to operate when TLS 1.0 is disabled. However, existing installations of MyID may not have the required component versions to support this.

    Versions of MyID from MyID v11.0 onwards have removed dependencies on TLS 1.0.

    4 Guidance for customers using MyID v10

    If you need further guidance on the information provided below, contact Intercede quoting reference SUP-287.

    If you need to disable TLS 1.0 in your environment:

        • Configure MyID application servers to ensure that they can communicate using TLS 1.2, and configure web servers to allow them to disable SSL and versions of TLS earlier than TLS 1.2, thereby forcing clients to use TLS 1.2.
        • This will require you to install the Microsoft OLE DB Driver 18 for SQL Server (MSOLEDBSQL).
        • Detailed information on configuring TLS 1.2 for MyID can be found in the System Security Checklist – Securing MyID with TLS 1.2
        • Most MyID v10.x installation programs, including the main product installation program, are not compatible with TLS 1.2; before running any of these installation programs, you must re-enable TLS 1.0 if it has been disabled on your servers. After completing the installation, you can disable TLS 1.0 again.
        • Installation programs for updates to MyID v10, created after 10th May 2018, will not require TLS 1.0 to be re-enabled. This will be clearly stated in documentation provided with the installation program.
        • If you use MyID to post notification messages to external systems using the ‘URL’ or ‘Web Service’ notification type, and your MyID installation version is earlier than 10.8 update 1 (patch level VTEN10.8.1000.6), you will require a further update to your installation. Contact Intercede for more information. Other notification types (Email or SMS, for example) are not affected.
        • If you use Symantec Managed PKI (MPKI), you will require a further update to your installation. Contact Intercede for more information.
        • If your installation uses versions of the following MyID Clients that are older than those listed below, an update will be required:
            • Desktop Client version DSK-2.2.1000.1
            • Self Service App version SSP-2.0.1000.1
            • Self Service Kiosk version SSK-1.9.1000.1
        • You must carry out sufficient testing of your MyID system and all interfaces from MyID to external systems before deploying these changes for production usage.
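
One way to confirm the protocol state on a server before and after running an installation program that needs TLS 1.0 re-enabled, as an added example that is not Intercede's own tooling. It is a read-only PowerShell report that assumes the standard Windows SCHANNEL and .NET Framework registry locations, which this page does not list; the function names are hypothetical.

```powershell
# Added example: read-only report of Windows TLS settings. The registry paths are
# the standard SCHANNEL and .NET Framework locations, assumed here; they are not
# taken from the MyID documentation. Function names are hypothetical.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string[]]$Protocol = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($name in $Protocol) {
        foreach ($role in 'Client', 'Server') {
            $key = Get-ItemProperty -Path "$SchannelBase\$name\$role" -ErrorAction SilentlyContinue
            $enabled = $key.Enabled   # $null when the key or the value is absent
            # A missing key or value means the operating system default applies.
            $state = if ($null -eq $enabled) { 'OS default' } elseif ($enabled -eq 0) { 'Disabled' } else { 'Enabled' }
            [pscustomobject]@{
                Protocol          = $name
                Role              = $role
                State             = $state
                DisabledByDefault = $key.DisabledByDefault
            }
        }
    }
}

function Get-DotNetTlsDefault {
    # 64-bit and 32-bit .NET Framework 4.x hives; both matter on a 64-bit server.
    $paths = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($path in $paths) {
        $key = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path                     = $path
            SchUseStrongCrypto       = $key.SchUseStrongCrypto
            SystemDefaultTlsVersions = $key.SystemDefaultTlsVersions
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-DotNetTlsDefault | Format-List
```

Run it before re-enabling TLS 1.0 for an installation program and again after disabling it, then compare the two reports to confirm the server returned to its intended state.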

    5 Guidance for customers using older versions of MyID

    Customers using versions of MyID earlier than v10.0 who wish to disable TLS 1.0 should contact Intercede for further details.
