7.1 MyID web site

On production environments you must use TLS on your MyID web site.

7.1.1 Risks

Traffic sent to and from the MyID web site may be vulnerable to interception. MyID encrypts some sensitive data, but for full protection you must use SSL/TLS.

IIS provides the SSL/TLS transport layer security that is used by the MyID application. Over time there have been many versions of the SSL/TLS protocols, and many cipher suites available within each protocol. This allows web servers to be flexible and support a wide range of clients – when a client connects, a mutually supported SSL/TLS protocol version is agreed and a mutually supported cipher suite agreed as part of the initial handshake.

Some of the SSL/TLS protocol versions and cipher suites supported by IIS are stronger than others. The exact protocol versions and cipher suites that should be enabled for a given installation of MyID depend on which clients must be supported.

IIS allows selected versions of the SSL/TLS protocol and cipher suites to be disabled – this configuration guarantees that older/weaker versions of the protocol/cipher-suite cannot be used. For more information, see section 10, Securing MyID with TLS 1.2.

7.1.2 Solution

Implement SSL on your MyID web site.

Review which SSL/TLS protocols and cipher suites are intended for use by the deployment, and disable unwanted SSL/TLS protocols and cipher suites.

Since MyID version 10.0, additional web services are installed that are intended to be accessed by end clients (for example, desktop PCs, mobile phones, and so on).

The following client web services are installed by MyID 10.0 or later:

Additionally, to provide backwards compatibility with older devices, older versions of these web services may be installed. These exist in version-numbered subfolders of the MyIDDataSource and MyIDProcessDriver web services.

The following IIS screenshot shows the MyID virtual directory, and also the MyIDDataSource and MyIDProcessDriver web services both under the default website.

IIS must be configured so that each of these folders requires SSL. While it is possible to configure this for each individual virtual directory, it is more efficient to configure the SSL requirements at the Default Web Site level, which means that this setting will be inherited by all virtual directories underneath.

The rest.core and web.oauth2 web services (used by the MyID Operator Client) are present from MyID 11.6 onwards. These use OAuth 2.0 (RFC 6749), which mandates the use of TLS; therefore these components are configured out of the box to require TLS. For them to function, you must set up IIS with a TLS certificate.

If it is necessary to use rest.core and web.oauth2 without TLS (for example, in a developer environment) additional configuration of rest.core and web.oauth2 is required to allow them to function without TLS.

7.1.3 Implementation

See your IIS documentation for details of setting up SSL. For example, in IIS 7 or IIS 8, you must:

  1. Obtain an appropriate certificate.
  2. Create an HTTPS binding for the web site using this certificate.
  3. Set the SSL Settings > Require SSL option for the Default Web Site.
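The three steps above, scripted with the WebAdministration module, followed by an audit that each MyID folder actually inherits the site-level Require SSL setting. This is an added example, not an Intercede script; it assumes the site is named Default Web Site, that the certificate from step 1 is already in the LocalMachine\My store, and the thumbprint is a placeholder you must replace.

```powershell
# Added example (not part of the MyID documentation or product).
# Assumes IIS 7+ with the WebAdministration module and a certificate already
# imported into Cert:\LocalMachine\My.
Import-Module WebAdministration

$siteName   = 'Default Web Site'
$thumbprint = '<CERT-THUMBPRINT-PLACEHOLDER>'   # step 1: replace with your certificate thumbprint
$appHost    = 'MACHINE/WEBROOT/APPHOST'

# Step 2: create the HTTPS binding if it does not exist, then attach the certificate to it.
if (-not (Get-WebBinding -Name $siteName -Protocol 'https' -Port 443)) {
    New-WebBinding -Name $siteName -Protocol 'https' -Port 443 -IPAddress '*'
}
$binding = Get-WebBinding -Name $siteName -Protocol 'https' -Port 443
$binding.AddSslCertificate($thumbprint, 'my')

# Step 3: require SSL at the site level so every virtual directory underneath inherits it.
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# Audit: a folder stops requiring SSL if it carries its own overriding <access> element,
# so check the effective value for each MyID folder present on this server.
# (rest.core and web.oauth2 exist only from MyID 11.6; absent folders are skipped.)
$myIdFolders = @('MyID', 'MyIDDataSource', 'MyIDProcessDriver', 'rest.core', 'web.oauth2')
foreach ($folder in $myIdFolders) {
    if (-not (Test-Path "IIS:\Sites\$siteName\$folder")) {
        Write-Output "SKIP     $folder (not installed)"
        continue
    }
    $raw = [string]((Get-WebConfigurationProperty -PSPath $appHost `
        -Location "$siteName/$folder" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags').Value)
    # The provider may report the flags by name ("Ssl") or as the raw bit mask (Ssl = 8).
    $requiresSsl = ($raw -match 'Ssl') -or ((($raw -as [int]) -band 8) -ne 0)
    if ($requiresSsl) { Write-Output "OK       $folder requires SSL ($raw)" }
    else              { Write-Warning "$folder does NOT require SSL ($raw) - fix before go-live" }
}
```

Run the script in an elevated PowerShell session; a WARNING line for any folder means that folder overrides the inherited setting and accepts plain HTTP.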

The disabling of SSL/TLS protocols and cipher suites is an IIS configuration (not part of the MyID application itself). For more information, see your Microsoft documentation.

7.1.4 Recommendations

Set up SSL on your web server, and require SSL on your IIS website hosting MyID.