10 Securing MyID with TLS 1.2
The MyID application server communicates with the MyID database over OLE DB, and this communication is secured by TLS. It is recommended that you set up your system to use TLS 1.2; this involves configuring the MyID application servers so that they can use TLS 1.2, and configuring the MyID web servers to disable SSL and versions of TLS earlier than TLS 1.2.
10.1 Risks
Over time, the SSL/TLS protocols have evolved, and security weaknesses may be found in older versions. The latest version of TLS supported in Microsoft Windows is TLS 1.2, which MyID does not currently support without further configuration.
10.2 Solution
Configure the MyID application servers so that they are capable of communicating using TLS 1.2, and configure the web servers so that SSL and versions of TLS earlier than TLS 1.2 can be disabled, thereby forcing clients to use TLS 1.2.
10.3 Implementation
- On the MyID application servers, install the new Microsoft OLE DB Driver 18 for SQL Server (MSOLEDBSQL).
This driver is available from Microsoft:
Note: This is a different driver from the old Microsoft OLE DB Provider for SQL Server (SQLOLEDB) and the SQL Server Native Client (SNAC). You must use the MSOLEDBSQL version to support TLS 1.2.
- Reboot the application server.
- On the MyID application servers, edit each of the MyID UDL files in the Windows System32 folder.
Note: You will need elevated permissions to edit these UDL files.
For each MyID UDL file:
- Take a note of the details on the Connection tab.
- On the Provider tab, change the provider from:
Microsoft OLE DB Provider for SQL Server
to:
Microsoft OLE DB Driver for SQL Server
- Click Next, then, on the Connection tab, re-enter the connection details.
- Click Test Connection.
- If the connection succeeded, click OK to save the settings.
- On the MyID servers hosting the web services, update the registry to enable .NET 4.0 components to make TLS 1.2 connections. In each of the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
create or set a DWORD value named SchUseStrongCrypto with the value 1.
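The following PowerShell script is an added example, not part of the MyID documentation or the MyID product. It applies the SchUseStrongCrypto setting to both .NET Framework 4.0 registry keys named in the step above, reads the values back for verification, and lists the OLE DB providers registered on the machine so that you can confirm MSOLEDBSQL is present. It assumes an elevated Windows PowerShell 5.1 session on a 64-bit server; on a 32-bit installation the WOW6432Node key does not exist and is skipped.

```powershell
# Added example (not from the MyID documentation). Run in an elevated Windows PowerShell session.
# Sets SchUseStrongCrypto=1 under both .NET Framework 4.0 keys, verifies them, and checks
# that the MSOLEDBSQL OLE DB provider is registered.

$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)

foreach ($key in $netKeys) {
    if (-not (Test-Path $key)) {
        # WOW6432Node only exists on 64-bit Windows; do not create keys the framework did not install.
        Write-Warning "Key not found, skipping: $key"
        continue
    }
    # -Force creates the value if it is missing and overwrites it if present; DWord matches the documented type.
    New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Verification: report the value now stored under each key.
foreach ($key in $netKeys) {
    if (Test-Path $key) {
        $value = (Get-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{ Key = $key; SchUseStrongCrypto = $value }
    }
}

# Enumerate the registered OLE DB providers; the new driver appears as 'MSOLEDBSQL',
# the old provider as 'SQLOLEDB' and the Native Client as 'SQLNCLI11'.
$reader = [System.Data.OleDb.OleDbEnumerator]::GetRootEnumerator()
$nameColumn = $reader.GetOrdinal('SOURCES_NAME')
$providers = @()
while ($reader.Read()) { $providers += $reader.GetValue($nameColumn) }
$reader.Close()

if ($providers -contains 'MSOLEDBSQL') {
    'MSOLEDBSQL provider is installed.'
} else {
    Write-Warning 'MSOLEDBSQL provider not found; install the Microsoft OLE DB Driver for SQL Server before changing the UDL files.'
}
```

The provider check is useful before you edit the UDL files: if MSOLEDBSQL is not in the list, the Provider tab will not offer the Microsoft OLE DB Driver for SQL Server and the connection test will fail.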
The procedure above configures MyID to allow the use of TLS 1.2. This means that your MyID system will continue to operate when you have disabled TLS versions lower than TLS 1.2. For more information about SSL/TLS, see section 7, Web Site Security.
10.3.1 Disabling earlier versions of SSL/TLS
For information about disabling SSL/TLS, see your Microsoft documentation.
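As an added example, not part of the MyID documentation, the script below shows how the SSL/TLS protocol versions are enabled and disabled at the Windows level. It writes the SCHANNEL registry keys that Microsoft documents for this purpose (Enabled and DisabledByDefault under the Server and Client subkeys of each protocol) and reports the resulting state. It assumes an elevated Windows PowerShell 5.1 session; the function names Set-SchannelProtocol and Get-SchannelProtocolState are the example's own. The changes take effect after a reboot.

```powershell
# Added example (not from the MyID documentation). Run in an elevated Windows PowerShell session.
# Key layout and value names follow Microsoft's SCHANNEL documentation; a reboot is required
# for the new settings to take effect.

$schannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$allProtocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enabled
    )
    # 'Server' governs inbound connections (IIS on the web servers); 'Client' governs outbound
    # connections such as the OLE DB connection from the application server to SQL Server.
    foreach ($side in 'Server', 'Client') {
        $path = Join-Path (Join-Path $schannelRoot $Protocol) $side
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name 'Enabled' -Value ([int]$Enabled) -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Reports the stored setting per protocol and side; 'default' means no key is present and
    # the operating system's built-in default applies.
    foreach ($p in $allProtocols) {
        foreach ($side in 'Server', 'Client') {
            $path = Join-Path (Join-Path $schannelRoot $p) $side
            $enabled = 'default'
            $disabledByDefault = 'default'
            if (Test-Path $path) {
                $item = Get-ItemProperty -Path $path
                if ($null -ne $item.Enabled) { $enabled = $item.Enabled }
                if ($null -ne $item.DisabledByDefault) { $disabledByDefault = $item.DisabledByDefault }
            }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

# Hardening pass: keep TLS 1.2 explicitly on, turn every older version off, then review.
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
foreach ($old in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelProtocol -Protocol $old -Enabled $false
}
Get-SchannelProtocolState | Format-Table -AutoSize

# If an older MyID patch installer still needs TLS 1.0, re-enable it temporarily, reboot,
# install the patch, and then disable it again with -Enabled $false:
#   Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $true
```

Apply the change to the MyID application servers as well as the web servers: the Client subkey is what the MSOLEDBSQL driver honours when it connects to SQL Server, so a TLS 1.0-only database server would stop accepting connections from an application server hardened this way until the database server is also configured for TLS 1.2.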
Note: If you are using certificate authorities that use a Java-based connector (for example, UniCERT UPI or Entrust) you must configure your Java client to use the same versions of SSL/TLS as the rest of your MyID system. For example, if you have configured IIS to disable any SSL/TLS versions below TLS 1.2, you must use the Java Control Panel > Advanced tab > Advanced Security Settings section to disable all SSL/TLS versions below TLS 1.2.
Important: For pre-MyID 11.0 versions, if you install any MyID patches on your system, you may experience problems with the installer being unable to communicate with the database if you do not re-enable TLS 1.0 – older patch installers use the previous OLE DB driver that requires TLS 1.0. After installing the patch, you can disable TLS 1.0 again.
Note: If you experience any problems on the database screen of MyID installation programs, update your SQL Server Native Client – earlier versions of the SQL Native Client may not have full support for TLS 1.2. MyID installers that support TLS 1.2 have been tested with SQL Server Native Client version 11.0.70001.0.