10 Securing MyID with TLS 1.2

The MyID application server communicates with the MyID database over OLE DB, and this communication is secured by TLS. It is recommended that you configure your system to use TLS 1.2. This involves configuring the MyID application servers so that they can negotiate TLS 1.2, and configuring the MyID web servers to disable SSL and all versions of TLS earlier than TLS 1.2.

10.1 Risks

The SSL/TLS protocols have evolved over time, and older versions (SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1) have known weaknesses and are deprecated. At the time of writing, the latest version of TLS supported by the Windows Schannel provider is TLS 1.2, which MyID does not use until the further configuration described in this section has been carried out.

10.2 Solution

Configure the MyID application servers so that they are capable of communicating using TLS 1.2, then configure the web servers to disable SSL and versions of TLS earlier than TLS 1.2, thereby forcing clients to use TLS 1.2.

10.3 Implementation

To update the registry to enable .NET 4.0 components to make TLS 1.2 connections:

  1. On the MyID servers hosting the web services, open the registry editor.

  2. Locate the following keys (the first applies to 32-bit .NET processes on 64-bit Windows, the second to 64-bit processes):

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319

    and

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319

  3. In each key, create (or set) a DWORD value named SchUseStrongCrypto and set it to 1.

The procedure above configures MyID to allow the use of TLS 1.2. The value is read when the .NET runtime starts, so restart IIS (or the affected application pools and Windows services) after making the change. Once this is done, your MyID system will continue to operate when you have disabled TLS versions lower than TLS 1.2. For more information about SSL/TLS, see section 7, Web Site Security.
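The same change scripted for PowerShell, as an added example that is not part of the MyID documentation. It sets SchUseStrongCrypto in both registry keys named in the procedure above, reads the values back, and restarts IIS so that the .NET runtime picks up the new setting. The key paths are the ones from the procedure; nothing else about the MyID installation is assumed. Run it in an elevated session on each MyID server hosting the web services.

```powershell
# Added example (not MyID product code): enable TLS 1.2 for .NET Framework 4.x
# processes by setting SchUseStrongCrypto = 1 in both keys from the procedure.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',             # 64-bit processes
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'  # 32-bit processes on 64-bit Windows
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) {
        # The key normally exists once .NET 4.x is installed; create it if not.
        New-Item -Path $key -Force | Out-Null
    }
    # -Force creates the value if it is missing and overwrites it if present.
    New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# Verification: read both values back and flag any key that is not set to 1.
$failed = $false
foreach ($key in $keys) {
    $v = (Get-ItemProperty -Path $key -Name 'SchUseStrongCrypto' `
            -ErrorAction SilentlyContinue).SchUseStrongCrypto
    if ($v -eq 1) {
        Write-Host "OK       $key"
    } else {
        Write-Warning "NOT SET  $key (value: $v)"
        $failed = $true
    }
}
if ($failed) { throw 'SchUseStrongCrypto is not set to 1 in every key; fix before disabling older protocols.' }

# The setting is read at .NET runtime start-up, so restart IIS (and any
# MyID Windows services that host .NET components) before testing.
iisreset
```

To confirm the effect from a fresh .NET 4.x process, open a new PowerShell window and run `[Net.ServicePointManager]::SecurityProtocol`. On .NET 4.5/4.6 hosts the default changes from `Ssl3, Tls` to `Tls, Tls11, Tls12`; on .NET 4.7 and later it reports `SystemDefault`, meaning the Schannel protocol settings of the operating system now govern which versions are offered.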

10.3.1 Disabling earlier versions of SSL/TLS

For information about disabling SSL/TLS, see your Microsoft documentation.
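The Schannel side of the change, as an added example that is not part of the MyID documentation. It uses the documented Schannel registry layout (Microsoft's `SCHANNEL\Protocols\<protocol>\Server` and `Client` subkeys with `Enabled` and `DisabledByDefault` DWORD values) to turn off SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 and to enable TLS 1.2 explicitly, then prints the resulting state. The function name Set-SchannelProtocol is this example's own. Schannel reads these values at boot, so a restart is required after running it. Because the Client subkey governs outbound connections from the same host (including the OLE DB connection to SQL Server), the script keeps the client side as a separate switch so that TLS 1.0 can be re-enabled temporarily for the older patch installers mentioned below.

```powershell
# Added example (not MyID product code): disable legacy SSL/TLS versions in
# Schannel, leaving TLS 1.2 enabled. Run elevated; reboot afterwards.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    # Hypothetical helper for this example: sets Enabled/DisabledByDefault for
    # one protocol on the chosen side(s). Enabled=0 + DisabledByDefault=1 turns
    # the version off; Enabled=1 + DisabledByDefault=0 turns it on.
    param(
        [Parameter(Mandatory)] [string]   $Protocol,                 # e.g. 'TLS 1.0'
        [Parameter(Mandatory)] [bool]     $Enabled,
        [string[]]                        $Sides = @('Server', 'Client')
    )
    $on = if ($Enabled) { 1 } else { 0 }
    foreach ($side in $Sides) {
        $key = Join-Path (Join-Path $base $Protocol) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -Value $on `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value (1 - $on) `
            -PropertyType DWord -Force | Out-Null
    }
}

# Turn off everything below TLS 1.2 for both IIS (Server) and outbound (Client).
foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelProtocol -Protocol $p -Enabled $false
}

# Enable TLS 1.2 explicitly rather than relying on the OS default.
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

# Before installing a pre-MyID 11.0 patch, re-enable TLS 1.0 on the client side
# only, then disable it again afterwards (see the Important note below):
#   Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $true  -Sides Client
#   Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false -Sides Client

# Report the resulting state so it can be checked before rebooting.
Get-ChildItem -Path $base -Recurse |
    Where-Object { $_.PSChildName -in 'Server', 'Client' } |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        '{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}' -f `
            $_.PSParentPath.Split('\')[-1], $_.PSChildName, $p.Enabled, $p.DisabledByDefault
    }
```

After the reboot, confirm from another machine that the web server no longer accepts TLS 1.0 or 1.1 handshakes, and confirm that the MyID application server can still open its database connection; a failure at that point usually means the SQL Server Native Client on the application server predates TLS 1.2 support (see the note at the end of this section).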

Note: If you are using certificate authorities that use a Java-based connector (for example, UniCERT UPI or Entrust) you must configure your Java client to use the same versions of SSL/TLS as the rest of your MyID system. For example, if you have configured IIS to disable any SSL/TLS versions below TLS 1.2, you must use the Java Control Panel > Advanced tab > Advanced Security Settings section to disable all SSL/TLS versions below TLS 1.2.

Important: For pre-MyID 11.0 versions, if you install any MyID patches on your system, you may experience problems with the installer being unable to communicate with the database if you do not re-enable TLS 1.0 – older patch installers use the previous OLE DB driver that requires TLS 1.0. After installing the patch, you can disable TLS 1.0 again.

Note: If you experience any problems on the database screen of MyID installation programs, update your SQL Server Native Client – earlier versions of the SQL Native Client may not have full support for TLS 1.2. MyID installers that support TLS 1.2 have been tested with SQL Server Native Client version 11.0.70001.0.