Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communications security over a computer network.
SSL is now deprecated and has been replaced by TLS. The initial version, TLS 1.0, is no longer recommended for use under some security policies, but certain Microsoft components used by MyID still require TLS 1.0.
1 How is TLS used by MyID?
MyID uses Microsoft components that have dependencies on TLS, including:
Microsoft OLE DB driver
Microsoft .NET Framework
These components use TLS to protect:
Access to web pages and web services that are part of the MyID architecture, including those that support MyID user interfaces
API interfaces from MyID to certificate authorities
APIs to MyID and notifications sent from MyID to other systems
Connections to a directory using Secure LDAP (LDAPS)
2 What is the impact of disabling TLS 1.0?
Disabling TLS 1.0 may cause the MyID system to become non-functional, unless specific steps are taken.
MyID Web Services (Microsoft .NET Framework) – Impact: MyID Desktop, Self Service App, Self Service Kiosk, and Identity Agent depend on the Web Services API.
3 Are there any workarounds?
Following the release of an updated Microsoft OLE DB driver, a workaround has been established to allow MyID to continue operating when TLS 1.0 is disabled.
Most components of MyID that depend on Microsoft .NET Framework have now been updated to operate when TLS 1.0 is disabled. However, existing installations of MyID may not have the required component versions to support this.
Versions of MyID from MyID v11.0 onwards have removed dependencies on TLS 1.0.
4 Guidance for customers using MyID v10
If you need further guidance on the information provided below, contact Intercede quoting reference SUP-287.
If you need to disable TLS 1.0 in your environment:
Configure MyID application servers to ensure that they can communicate using TLS 1.2, and configure web servers to disable SSL and versions of TLS earlier than TLS 1.2, thereby forcing clients to use TLS 1.2.
This will require you to install the Microsoft OLE DB Driver 18 for SQL Server (MSOLEDBSQL).
Most MyID v10.x installation programs, including the main product installation program, are not compatible with TLS 1.2; before running any of these installation programs, you must re-enable TLS 1.0 if it has been disabled on your servers. After completing the installation, you can disable TLS 1.0 again.
Installation programs for updates to MyID v10, created after 10th May 2018, will not require TLS 1.0 to be re-enabled. This will be clearly stated in documentation provided with the installation program.
If you use MyID to post notification messages to external systems using the ‘URL’ or ‘Web Service’ notification type, and your MyID installation version is earlier than 10.8 update 1 (patch level VTEN10.8.1000.6), you will require a further update to your installation. Contact Intercede for more information. Other notification types (Email or SMS, for example) are not affected.
If you use Symantec Managed PKI (MPKI), you will require a further update to your installation. Contact Intercede for more information.
If your installation uses versions of the following MyID clients that are older than those listed below, an update will be required:
Desktop Client version DSK-2.2.1000.1
Self Service App version SSP-2.0.1000.1
Self Service Kiosk version SSK-1.9.1000.1
You must carry out sufficient testing of your MyID system and all interfaces from MyID to external systems before deploying these changes for production usage.
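As part of that testing, the protocol settings on each MyID server can be checked before and after the change. The following read-only audit is an added example, not Intercede's or Microsoft's own code; it assumes the protocols are controlled through the standard Windows Schannel registry keys (a path that does not appear in this article), and the function name is hypothetical.

```powershell
# Added example: read-only audit of the Schannel protocol registry settings.
# Assumption: protocols are controlled through the standard Schannel keys below;
# a missing key or value means the operating system default applies.
$base     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy   = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'   # to be disabled per the guidance
$required = 'TLS 1.2'                                     # must remain available

function Get-SchannelProtocolState {
    param(
        [string]$Protocol,
        [ValidateSet('Client', 'Server')][string]$Role
    )
    $key   = Join-Path (Join-Path $base $Protocol) $Role
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.Enabled) { return 'OS default' }
    # Enabled = 0 disables the protocol; any non-zero value enables it.
    if ($props.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

$report = foreach ($protocol in ($legacy + $required)) {
    foreach ($role in 'Server', 'Client') {
        $state = Get-SchannelProtocolState -Protocol $protocol -Role $role
        $finding = if ($protocol -eq $required) {
            if ($state -eq 'Disabled')       { 'FAIL: TLS 1.2 is disabled' }
            elseif ($state -eq 'OS default') { 'Review: depends on Windows version' }
            else                             { 'OK' }
        } else {
            if ($state -eq 'Disabled')       { 'OK' }
            elseif ($state -eq 'OS default') { 'Review: not explicitly disabled' }
            else                             { 'FAIL: legacy protocol enabled' }
        }
        [pscustomobject]@{
            Protocol = $protocol
            Role     = $role
            State    = $state
            Finding  = $finding
        }
    }
}

$report | Format-Table -AutoSize
```

Running it again after temporarily re-enabling TLS 1.0 for a MyID v10.x installation program confirms that the protocol has been switched off once the installation is complete.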
5 Guidance for customers using older versions of MyID
Customers using versions of MyID earlier than v10.0 who wish to disable TLS 1.0 should contact Intercede for further details.