Fixing LDAP binds

  • Matthew Kennedy

    Hi Stephanie,

    With Wildfly deployments, LDAP SSL communication is enabled by editing the following two property files:

    <install_home>/config/<jvm>/userinfo.directory.properties
    <install_home>/config/<jvm>/security.directory.properties

    If this is an entirely different LDAP server you may need extensive edits to these files. If the team is simply looking to toggle the SSL flag, the following lines will be most important:

    The new secure "LDAP_PORT" and "USE_SSL" flags will need to be defined accordingly. Additional information on this may be found within the "infogixproperties.pdf" hosted on our support site:

    Infogix Assure Documentation

    Note: The aforementioned PDF is located within the "All Server Installation Documentation" link.

    If additional certificates are required for this handshake to take place, steps detailed within the following article may be followed:

    Where to import certificates into Assure, Insight, Perceive and ER

    Matthew Kennedy

  • Stephanie Brockway

    Our infrastructure team is hoping to move away from SSL to TLS.  Is that supported in Insight 9.3 or is that slated as an option in a future release?

  • Matthew Kennedy

    Stephanie,

    Is the team looking for support with a specific TLS version? Assure, Insight, Perceive and ER support TLS 1.2.

    Matthew Kennedy

  • Stephanie Brockway

    I will find out.  Good to know the version.

  • Stephanie Brockway

    We want to move forward with TLS 1.2.  I presume that there are different property names we need to use.  Is that documented somewhere already?  If not, can you provide that?  Can you also confirm that when we change to using TLS, we will need to also go from using http to https?  Since Insight is an internally facing app here, I am thinking we should be ok with the democert that ships with the product, but if you have feedback on that I would welcome it.  Are there other settings we should consider as we try to remedy this security vulnerability (things we can check or that you are seeing others have crop up as issues for security)?

  • Matthew Kennedy

    The following article details what version of TLS is supported as well as how to implement it:

    Checking and updating your TLS version

    Matthew Kennedy

  • Stephanie Brockway

    I appreciate the link about checking the version we need, but that article does not link to anything that tells us how to use TLS instead of SSL.  Do we add to the properties files?  There is no mention there.

  • Stephanie Brockway

    Can someone help me find some steps for what to update to actually use TLS instead of SSL?  That document did not have the Insight files to update and what entries in the properties files to make.  I would also want to know what considerations to think of when switching from http to https in general.  Our network support on this end says the vendor should be providing input on these as they don't know about the product.

  • Stephanie Brockway

    I am getting it that you think the article link should be all the help I need, but I know nothing about TLS or SSL and am not sure if we just use the implementation steps in the install guides for SSL and ignore that it says SSL or what.  I know there are entries in the properties files that need to be updated but they are all labelled SSL.  My internal folks that know more about SSL and TLS are deferring to the vendor for these questions. They can help me get certs and open ports but not configure Insight.  I am stuck.  I need a response.  I know you don't want this question to support...as my ticket was initially closed and I was told to use this forum.  Can someone please respond so we can get this going?

  • Matthew Kennedy

    Hi Stephanie,

    I apologize for the delayed response as I have been out of office for the past couple weeks. To enable TLS 1.2, you may append the following to your "JAVA_OPTIONS" line within the appserver.properties:

    -Djdk.tls.client.protocols=TLSv1.2

    A redeploy will be required once this is in place. If you would like to walk through this together, feel free to open a case as I would be happy to assist directly over a 'zoom' call.

    Matthew Kennedy

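
A pre-redeploy check for the "JAVA_OPTIONS" change described in the last reply, added here as an example and not Infogix's own tooling. It assumes appserver.properties uses `JAVA_OPTIONS=<value>` key/value syntax with optional backslash line continuations; the sample file contents are constructed.

```python
import re

# Protocol names the JDK accepts that predate TLS 1.2.
LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
FLAG = re.compile(r"-Djdk\.tls\.client\.protocols=[\"']?([^\s\"']+)")

def java_options(properties_text):
    """Return the JAVA_OPTIONS value, joining backslash-continued lines."""
    value, continuing = None, False
    for raw in properties_text.splitlines():
        line = raw.strip()
        if continuing:
            value += " " + line.rstrip("\\").strip()
        elif line.startswith(("#", "!")) or "=" not in line:
            continue  # comment, blank line, or not a key=value entry
        else:
            key, _, rest = line.partition("=")
            if key.strip() != "JAVA_OPTIONS":
                continue
            value = rest.rstrip("\\").strip()  # a repeated key replaces the earlier one
        continuing = line.endswith("\\")
    return value

def check_tls_flag(properties_text):
    """Return (ok, message) for the jdk.tls.client.protocols setting."""
    opts = java_options(properties_text)
    if opts is None:
        return False, "no JAVA_OPTIONS line found"
    found = FLAG.findall(opts)
    if not found:
        return False, "jdk.tls.client.protocols not set; JVM default protocols apply"
    protocols = [p.strip() for p in found[-1].split(",")]  # last -D on the line wins
    legacy = [p for p in protocols if p in LEGACY]
    if legacy:
        return False, "legacy protocols enabled: " + ", ".join(legacy)
    return True, "client protocols: " + ", ".join(protocols)

# Constructed samples, not a real appserver.properties.
SAMPLE_OK = """\
# constructed sample
JAVA_OPTIONS=-Xms512m -Xmx2g \\
    -Djdk.tls.client.protocols=TLSv1.2
"""
SAMPLE_WEAK = "JAVA_OPTIONS=-Xmx2g -Djdk.tls.client.protocols=TLSv1,TLSv1.2\n"

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        print(name, check_tls_flag(text))
```
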
