10 Securing MyID with TLS 1.2 and TLS 1.3
The MyID application server communicates with the MyID database over OLE DB, and this communication is secured by TLS. You are recommended to set up your system to use TLS 1.2 or TLS 1.3; this involves configuring the MyID servers to ensure that they can use TLS 1.2 or TLS 1.3, and configuring the MyID web servers to disable SSL and earlier versions of TLS.
10.1 Risks
Over time, the SSL/TLS protocols have evolved, and security weaknesses may be found in older versions. The latest version of TLS supported in Microsoft Windows is TLS 1.3, but not all operating systems and other software support this level.
10.2 Solution
Enable TLS 1.2 or TLS 1.3 on your servers, and disable versions of TLS older than TLS 1.2.
For considerations regarding disabling older versions, see section 10.3.1, Disabling earlier versions of SSL/TLS.
10.3 Implementation
To update the registry to enable .NET 4.0 components to make TLS 1.2 connections:
- On the MyID servers hosting the web services, open the registry editor.
- Locate the following keys:
  HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
  and
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
- In each key, set or create a DWORD value named SchUseStrongCrypto and set its value to 1.
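The same registry change can be applied and verified from an elevated PowerShell prompt on each MyID web services server. This script is an added example, not Intercede's own tooling; it assumes only the two keys and the SchUseStrongCrypto value named in the procedure above (HKLM: is PowerShell's drive alias for HKEY_LOCAL_MACHINE).

```powershell
# Added example (not part of the MyID documentation or product): set
# SchUseStrongCrypto = 1 under both .NET Framework v4.0.30319 keys and
# read each value back to confirm the change. Run as an administrator.

$keys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
)

$allOk = $true

foreach ($key in $keys) {
    # Create the key if it is missing, so the value can be written to it.
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Set or create the DWORD value SchUseStrongCrypto with the value 1.
    New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -Value 1 `
        -PropertyType DWord -Force | Out-Null

    # Read the value back rather than trusting that the write succeeded.
    $actual = (Get-ItemProperty -Path $key -Name 'SchUseStrongCrypto').SchUseStrongCrypto
    if ($actual -eq 1) {
        Write-Output "OK      $key : SchUseStrongCrypto = $actual"
    } else {
        Write-Warning "FAILED  $key : SchUseStrongCrypto = $actual"
        $allOk = $false
    }
}

# .NET reads this value when a process starts, so recycle the IIS application
# pools or restart the MyID web services after the change takes effect.
if ($allOk) {
    Write-Output 'SchUseStrongCrypto is set to 1 in both keys; restart the MyID web services.'
} else {
    Write-Warning 'One or more keys could not be updated; check the warnings above.'
}
```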
The procedure above configures MyID .NET components to allow the use of TLS 1.2. This means that your MyID system will continue to operate when you have disabled TLS versions lower than TLS 1.2. For more information about SSL/TLS, see section 7, Website Security.
If you are using SSRP and want to use TLS 1.3, you must carry out additional configuration. See the Using TLS 1.3 section in the Derived Credentials Self-Service Request Portal guide.
10.3.1 Disabling earlier versions of SSL/TLS
For information about disabling SSL/TLS, see your Microsoft documentation.
Important: Support for TLS 1.3 is variable across different software products and operating system features – it is essential that you plan full end-to-end regression testing of the entire infrastructure in the desired configuration before deploying to production environments. Because of this, support provided by Intercede may be limited and provided on a best-endeavors basis. In particular, consider the following:
- If you have servers running Windows Server 2019, or clients using Windows 10 or earlier, you must continue to use TLS 1.2. These operating systems do not support TLS 1.3.
- If you have external systems that require TLS 1.2, you must not disable TLS 1.2.
- You must consult the vendors or manufacturers of any third-party products to ensure that they support TLS 1.3-only environments before disabling TLS 1.2.
- Microsoft SQL Server and SQL Azure databases continue to use TLS 1.2 to start SQL Server satellite services. Do not disable TLS 1.2 on your database servers.
  This is a Microsoft limitation. For more information, see:
  learn.microsoft.com/en-us/sql/relational-databases/security/networking/tls-1-3?view=sql-server-ver16
- Before disabling TLS 1.2 on any server, ensure that this does not affect remote access through remote desktop connections.
- If you configure a server for TLS 1.3 only, you may see some Microsoft SSPI processes recording errors in the system event log. These do not affect the operation of MyID.
In general, you are recommended to enable TLS 1.2 and TLS 1.3 on your servers, and disable versions of TLS earlier than TLS 1.2.
For further guidance on using MyID in environments where TLS 1.3 only is to be used, contact Intercede customer support quoting SUP-394.
Note: If you are using certificate authorities that use a Java-based connector (for example, UniCERT UPI or Entrust) you must configure your Java client to use the same versions of SSL/TLS as the rest of your MyID system. For example, if you have configured IIS to disable any SSL/TLS versions below TLS 1.2, you must use the Java Control Panel > Advanced tab > Advanced Security Settings section to disable all SSL/TLS versions below TLS 1.2.
Important: For pre-MyID 11.0 versions, if you install any MyID patches on your system, you may experience problems with the installer being unable to communicate with the database if you do not re-enable TLS 1.0 – older patch installers use the previous OLE DB driver that requires TLS 1.0. After installing the patch, you can disable TLS 1.0 again.