Engine <-> RL SSL/TLS compatibility

It's been a while since Heartbleed etc. forced SSL/TLS updates in IDM; does
anyone remember exactly which versions of Engine and RL happily connect over
SSL/TLS and which ones complain about unsupported/non-matching ciphersuites?
More specifically: will engine 4.6.2 happily talk to a 4.5.3 remote loader?

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
  • As I recall it all depends on the Java version behind the engine, or at
    least that is the majority of the reason for a problem, so if you can tell
    which IDM versions have which versions of Java you can probably work out
    the rest.

    I THINK that if you are on the latest SPs of 4.5 and 4.6 that they will
    work well together, as I think IDM 4.5 was up to a semi-recent version of
    Java 1.8 with its last patch. You could always patch just the Java piece
    to correct that if you wanted, but it would probably be easier to just
    patch the Remote Loader (RL) side fully.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • I suppose it would be nice to have TID# 7003488 updated with at least a
    few of the later 4.5 SPs as well as something from 4.6, so at least one SP
    of each version is shown together. Of course, 4.5 is EoL, so that may be
    a waste of time now, whereas before this was done with current products.

  • Hi Lothar,
    Could you upgrade your Remote Loader at least to v4.5.4?

    The official compatibility map includes the following configuration: Identity Manager Engine 4.6 or later (Identity Manager Engine) works with Remote Loader 4.5.4 or later 64-bit

    https://www.netiq.com/documentation/identity-manager-47-drivers/remoteloader_engine_version_comp_table/data/remoteloader_engine_version_comp_table.html
  • al b wrote:

    > Could you upgrade your Remote Loader at least to v4.5.4?


    Yes, I could (and will at some point) - but the real question is: do I have to
    (at this moment), and will an engine-only update break all SSL/TLS enabled
    remote loader communication or not? One engine server vs. several, not so easy
    to update RLs...

    > Official compatibility map include next configuration: *Identity Manager
    > Engine 4.6 or later* (Identity Manager Engine) works with *Remote Loader
    > 4.5.4 or later 64-bit*
    >
    >

    https://www.netiq.com/documentation/identity-manager-47-drivers/remoteloader_engine_version_comp_table/data/remoteloader_engine_version_comp_table.html

    Great find, though it seems a little weird that engine 4.7 seems incompatible
    with RL 4.7 according to that table... ;-)

  • ab wrote:

    > As I recall it all depends on the Java version behind the engine, or at
    > least that is the majority of the reason for a problem, so if you can tell
    > which IDM versions have which versions of Java you can probably work out
    > the rest.


    I seem to remember one had to have a certain minimum Java version to support
    TLS, and SSL was supported only up to a certain IDM max version. Just where
    those borders are exactly I do not recall...

    > I THINK that if you are on the latest SPs of 4.5 and 4.6 that they will
    > work well together, as I think IDM 4.5 was up to a semi-recent version of
    > Java 1.8 with its last patch.


    Alex' link seems to confirm that.

    > You could always patch just the Java piece
    > to correct that if you wanted, but it would probably be easier to just
    > patch the Remote Loader (RL) side fully.


    Problem is that it will take a significant amount of additional time and effort
    to get the RLs updated right now. On the other hand the engine update is quite
    urgent...

  • lhaeger;2484070 wrote:
    al b wrote:

    > Could you upgrade your Remote Loader at least to v4.5.4?


    Yes, I could (and will at some point) - but the real question is: do I have to
    (at this moment), and will an engine-only update break all SSL/TLS enabled
    remote loader communication or not? One engine server vs. several, not so easy
    to update RLs...

    > Official compatibility map include next configuration: *Identity Manager
    > Engine 4.6 or later* (Identity Manager Engine) works with *Remote Loader
    > 4.5.4 or later 64-bit*
    >
    >

    https://www.netiq.com/documentation/identity-manager-47-drivers/remoteloader_engine_version_comp_table/data/remoteloader_engine_version_comp_table.html

    Great find, though it seems a little weird that engine 4.7 seems incompatible
    with RL 4.7 according to that table... ;-)

    Someone has tired eyes...

    ...or later


    :p
  • On 07/16/2018 03:34 PM, ScorpionSting wrote:
    >
    >> (If you find this post helpful, please click on the star below.)

    >
    > Someone has tired eyes...
    >
    >> ...or later


    I think in general, meaning unless explicitly stated otherwise, "or later"
    means subsequent patches, not subsequent versions. The difference is
    slight, but I think it is worth calling out since it is how everything
    I've ever seen works. The reasoning is that patches are not made to
    introduce new functionality or break old things, unless absolutely
    necessary, e.g. when fixing security issues (as was the case with the
    TLS/SSL changes Java put in). New versions, of course, may change
    everything, so a statement indicating that 4.5 and 4.6 work together a
    bit, with "or later", implies patches of 4.5 and/or 4.6 (wherever the "or
    later" was), and not 4.7, 4.8, 5.0, 8.0, 15.0, and every other version that
    will come.

  • Lothar Haeger wrote:

    > It's been a while since Heartbleed etc forced SSL/TLS updates in IDM, does
    > anyone remember exactly which versions of Engine and RL happily connect over
    > SSL/TLS and which ones complain about unsupported/non-matching ciphersuites?


    Just stumbled over https://support.microfocus.com/kb/doc.php?id=7003488 which
    answers my initial question in the Notes:

    01) Due to SSL security fixes, when applying patch 4.0.2.7 or later to IDM
    4.0.2 both engine and remote loader need to receive the patch, otherwise they
    will not connect via SSL.

    02) Due to SSL security fixes, when applying patch 4.5.0.1 or later to IDM
    4.5.0 both engine and remote loader need to receive the patch, otherwise they
    will not connect via SSL.

  • On 10/6/2018 10:23 AM, Lothar Haeger wrote:
    > Lothar Haeger wrote:
    >
    >> It's been a while since Heartbleed etc forced SSL/TLS updates in IDM, does
    >> anyone remember exactly which versions of Engine and RL happily connect over
    >> SSL/TLS and which ones complain about unsupported/non-matching ciphersuites?

    >
    > Just stumbled over https://support.microfocus.com/kb/doc.php?id=7003488 which
    > answers my initial question in the Notes:
    >
    > 01) Due to SSL security fixes, when applying patch 4.0.2.7 or later to IDM
    > 4.0.2 both engine and remote loader need to receive the patch, otherwise they
    > will not connect via SSL.
    >
    > 02) Due to SSL security fixes, when applying patch 4.5.0.1 or later to IDM
    > 4.5.0 both engine and remote loader need to receive the patch, otherwise they
    > will not connect via SSL.


    Good to nail down the specific versions. But I think it is really based
    on the underlying JVM. So in principle, you could 'fix' this without a
    version change by just making the JVMs match. (Probably easier on the
    RL side).
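The thread's practical question (will the engine still negotiate TLS with each Remote Loader after an engine-only update, or will the handshake fail on protocol version/ciphersuite) can be answered empirically before touching the RLs. The following is an added example, not code from the thread or from NetIQ/Micro Focus: a probe, meant to be run from the engine host, that opens one handshake per TLS protocol version against a Remote Loader's TLS connection port and records which versions the RL side will accept and which cipher it picks. The engine is the TLS client and the RL the server, so this shows what the RL offers; which of those versions the engine's own JVM will use is then read off that JVM's `jdk.tls.disabledAlgorithms` (in its `java.security`) and compared with `can_connect`. The hostname `rl1.example.com` and the port 8090 are placeholders (8090 is assumed to be the RL connection port; use whatever the driver's Remote Loader settings say).

```python
"""Probe which TLS protocol versions a Remote Loader port will negotiate.

Each attempt pins the client to exactly one protocol version, so a failure for
one version is independent of what the other versions do. Host and port are
placeholders; the RL connection port is assumed to be 8090.
"""
import socket
import ssl
import warnings

# Newest first. Names match what Java and OpenSSL call the protocols so the
# results can be compared directly with a JVM's enabled protocol list.
VERSIONS = (
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1", ssl.TLSVersion.TLSv1),
)


def _client_context(version):
    """Client context that will only speak the one given protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we test negotiability, not the RL's certificate
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # TLSv1/1.1 are deprecated
        ctx.minimum_version = version
        ctx.maximum_version = version
    try:
        # Local OpenSSL security levels would otherwise refuse TLSv1/TLSv1.1
        # before the RL ever sees the ClientHello.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # older OpenSSL without security levels: keep its defaults
    return ctx


def probe_version(host, port, name, version, timeout=5.0):
    """Return a dict describing one pinned-version handshake attempt."""
    try:
        ctx = _client_context(version)
    except ValueError:  # local OpenSSL built without this protocol version
        return {"requested": name, "ok": False,
                "error": f"{name} not supported by local OpenSSL"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cipher, _proto, bits = tls.cipher()
                return {"requested": name, "ok": True,
                        "negotiated": tls.version(), "cipher": cipher, "bits": bits}
    except ssl.SSLError as exc:
        # e.g. TLSV1_ALERT_PROTOCOL_VERSION or SSLV3_ALERT_HANDSHAKE_FAILURE
        return {"requested": name, "ok": False, "error": exc.reason or str(exc)}
    except OSError as exc:
        return {"requested": name, "ok": False, "error": str(exc)}


def probe_remote_loader(host, port=8090, timeout=5.0):
    """Probe every version in VERSIONS against one RL port."""
    return [probe_version(host, port, n, v, timeout) for n, v in VERSIONS]


def accepted_versions(results):
    """Protocol names for which the RL completed a handshake."""
    return [r["requested"] for r in results if r["ok"]]


def can_connect(engine_enabled, rl_results):
    """True if the engine JVM enables at least one version the RL accepted.

    engine_enabled: protocol names enabled in the engine's JVM, i.e. those not
    listed in jdk.tls.disabledAlgorithms of that JVM's java.security.
    """
    return bool(set(engine_enabled) & set(accepted_versions(rl_results)))


def format_report(host, port, results):
    """One line per probed version, suitable for pasting into a change ticket."""
    lines = [f"{host}:{port}"]
    for r in results:
        if r["ok"]:
            lines.append(f"  {r['requested']:<8} ok   {r['cipher']} ({r['bits']} bit)")
        else:
            lines.append(f"  {r['requested']:<8} FAIL {r['error']}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "rl1.example.com"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8090  # assumed RL port
    print(format_report(host, port, probe_remote_loader(host, port)))
```

Run it once per Remote Loader before the engine update and keep the output. If every RL only completes the handshake at, say, TLSv1, and the updated engine JVM lists TLSv1 in `jdk.tls.disabledAlgorithms`, those RLs are exactly the ones that must be patched (or have their Java matched) first; the cipher each RL picks can likewise be checked against the engine JVM's enabled suites. A successful probe here only shows what the RL side offers; the engine's own Java stack, not this script, does the real handshake.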