
Engine <-> RL SSL/TLS compatibility

It's been a while since Heartbleed etc forced SSL/TLS updates in IDM, does
anyone remember exactly which versions of Engine and RL happily connect over
SSL/TLS and which ones complain about unsupported/non-matching ciphersuites?
More specifically: will engine 4.6.2 happily talk to a 4.5.3 remote loader?

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management

Re: Engine <-> RL SSL/TLS compatibility

As I recall it all depends on the Java version behind the engine, or at
least that is the majority of the reason for a problem, so if you can tell
which IDM versions have which versions of Java you can probably work out
the rest.

I THINK that if you are on the latest SPs of 4.5 and 4.6 that they will
work well together, as I think IDM 4.5 was up to a semi-recent version of
Java 1.8 with its last patch. You could always patch just the Java piece
to correct that if you wanted, but it would probably be easier to just
patch the Remote Loader (RL) side fully.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

Re: Engine <-> RL SSL/TLS compatibility

I suppose it would be nice to have TID# 7003488 updated with at least a
few of the later 4.5 SPs as well as something from 4.6 so at least one SP
of each version is shown together. Of course, 4.5 is EoL, so that may be
a waste of time now where before this was done with current products.


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

Re: Engine <-> RL SSL/TLS compatibility

ab wrote:

> As I recall it all depends on the Java version behind the engine, or at
> least that is the majority of the reason for a problem, so if you can tell
> which IDM versions have which versions of Java you can probably work out
> the rest.


I seem to remember one had to have a certain minimum Java version to support
TLS, and SSL was supported only up to a certain IDM max version. Just where
those borders are exactly I do not recall...

> I THINK that if you are on the latest SPs of 4.5 and 4.6 that they will
> work well together, as I think IDM 4.5 was up to a semi-recent version of
> Java 1.8 with its last patch.


Alex' link seems to confirm that.

> You could always patch just the Java piece
> to correct that if you wanted, but it would probably be easier to just
> patch the Remote Loader (RL) side fully.


Problem is that it will take a significant amount of additional time and effort
to get the RLs updated right now. On the other hand the engine update is quite
urgent...

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management

Re: Engine <-> RL SSL/TLS compatibility

Hi Lothar,
Could you upgrade your Remote Loader at least to v4.5.4?

The official compatibility map includes this configuration: Identity Manager Engine 4.6 or later (Identity Manager Engine) works with Remote Loader 4.5.4 or later 64-bit

https://www.netiq.com/documentation/identity-manager-47-drivers/remoteloader_engine_version_comp_table/data/remoteloader_engine_version_comp_table.html

Re: Engine <-> RL SSL/TLS compatibility

al b wrote:

> Could you upgrade your Remote Loader at least to v4.5.4?


Yes, I could (and will at some point) - but the real question is: do I have to
(at this moment) and will an engine-only update break all SSL/TLS enabled
remote loader communication or not. One engine server vs. several, not so easy
to update RLs...

> Official compatibility map include next configuration: *Identity Manager
> Engine 4.6 or later* (Identity Manager Engine) works with *Remote Loader
> 4.5.4 or later 64-bit*
>
>

https://www.netiq.com/documentation/identity-manager-47-drivers/remoteloader_engine_version_comp_table/data/remoteloader_engine_version_comp_table.html

Great find, though it seems a little weird that engine 4.7 seems incompatible
with RL 4.7 according to that table... 😉

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management

Re: Engine <-> RL SSL/TLS compatibility

lhaeger;2484070 wrote:
al b wrote:

> Could you upgrade your Remote Loader at least to v4.5.4?


Yes, I could (and will at some point) - but the real question is: do I have to
(at this moment) and will an engine-only update break all SSL/TLS enabled
remote loader communication or not. One engine server vs. several, not so easy
to update RLs...

> Official compatibility map include next configuration: *Identity Manager
> Engine 4.6 or later* (Identity Manager Engine) works with *Remote Loader
> 4.5.4 or later 64-bit*
>
>

https://www.netiq.com/documentation/identity-manager-47-drivers/remoteloader_engine_version_comp_table/data/remoteloader_engine_version_comp_table.html

Great find, though it seems a little weird that engine 4.7 seems incompatible
with RL 4.7 according to that table... 😉

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)


Someone has tired eyes...

...or later


😛

Visit my Website for links to Cool Solution articles.

Re: Engine <-> RL SSL/TLS compatibility

On 07/16/2018 03:34 PM, ScorpionSting wrote:
>
>> (If you find this post helpful, please click on the star below.)

>
> Someone has tired eyes...
>
>> ...or later


I think in general, meaning unless explicitly stated otherwise, "or later"
means subsequent patches, not subsequent versions. The difference is
slight, but I think it is worth calling out since it is how everything
I've ever seen works. The reasoning is that patches are not made to
introduce new functionality or break old things, unless absolutely
necessary, e.g. when fixing security issues (as was the case with the
TLS/SSL changes Java put in). New versions, of course, may change
everything, so a statement indicating that 4.5 and 4.6 work together a
bit, with "or later", implies patches of 4.5 and/or 4.6 (wherever the "or
later" was), and not 4.7, 4.8, 5.0, 8.0, 15.0, and every other version that
will come.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

Re: Engine <-> RL SSL/TLS compatibility

Lothar Haeger wrote:

> It's been a while since Heartbleed etc forced SSL/TLS updates in IDM, does
> anyone remember exactly which versions of Engine and RL happily connect over
> SSL/TLS and which ones complain about unsupported/non-matching ciphersuites?


Just stumbled over https://support.microfocus.com/kb/doc.php?id=7003488 which
answers my initial question in the Notes:

01) Due to SSL security fixes, When applying patch 4.0.2.7 or later to IDM
4.0.2 both engine and remote loader need to receive the patch, otherwise they
will not connect via SSL.

02) Due to SSL security fixes, When applying patch 4.5.0.1 or later to IDM
4.5.0 both engine and remote loader need to receive the patch, otherwise they
will not connect via SSL.

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management

Re: Engine <-> RL SSL/TLS compatibility

On 10/6/2018 10:23 AM, Lothar Haeger wrote:
> Lothar Haeger wrote:
>
>> It's been a while since Heartbleed etc forced SSL/TLS updates in IDM, does
>> anyone remember exactly which versions of Engine and RL happily connect over
>> SSL/TLS and which ones complain about unsupported/non-matching ciphersuites?

>
> Just stumbled over https://support.microfocus.com/kb/doc.php?id=7003488 which
> answers my initial question in the Notes:
>
> 01) Due to SSL security fixes, When applying patch 4.0.2.7 or later to IDM
> 4.0.2 both engine and remote loader need to receive the patch, otherwise they
> will not connect via SSL.
>
> 02) Due to SSL security fixes, When applying patch 4.5.0.1 or later to IDM
> 4.5.0 both engine and remote loader need to receive the patch, otherwise they
> will not connect via SSL.


Good to nail down the specific versions. But I think it is really based
on the underlying JVM. So in principle, you could 'fix' this without a
version change by just making the JVMs match. (Probably easier on the
RL side).


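The failure mode this thread circles around, an engine and a Remote Loader whose TLS stacks share no protocol version or no cipher suite, as an added Go example that is not part of the thread or of NetIQ's products: it runs an in-memory handshake between a simulated engine (TLS client) and RL (TLS server) with configurable version windows and cipher lists, so both mismatch cases can be reproduced without touching a real installation. The host name, certificate and the version/cipher choices are constructed for illustration and are not IDM's actual defaults.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)
// Peer is one side's policy: its protocol window and, for TLS 1.2 and older, its cipher suites (nil = defaults).
type Peer struct{ Min, Max uint16; Ciphers []uint16 }

// Handshake runs one in-memory handshake with the engine as TLS client and the Remote Loader
// as TLS server (constructed self-signed cert). Version and suite are valid only if err is nil.
func Handshake(engine, rl Peer) (version, cipher uint16, err error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"rl.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // trust only the RL's own cert, as a pinned engine keystore would
	pool.AddCert(ca)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion: rl.Min, MaxVersion: rl.Max, CipherSuites: rl.Ciphers,
		SessionTicketsDisabled: true} // ticket records after Finished would stall the unbuffered pipe
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "rl.example.test",
		MinVersion: engine.Min, MaxVersion: engine.Max, CipherSuites: engine.Ciphers}
	c, s := net.Pipe() // synchronous in-memory connection: nothing touches the network
	cli, srv := tls.Client(c, cliCfg), tls.Server(s, srvCfg)
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	err = cli.Handshake()
	c.Close() // the client is done either way; closing also unblocks a stuck server side
	if e := <-srvErr; err == nil {
		err = e
	}
	s.Close()
	st := cli.ConnectionState()
	return st.Version, st.CipherSuite, err
}
func main() {
	engine := Peer{Min: tls.VersionTLS12, Max: tls.VersionTLS13} // engine on a patched JVM
	oldRL := Peer{Min: tls.VersionTLS12, Max: tls.VersionTLS12, Ciphers: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}}
	v, c, err := Handshake(engine, oldRL)
	fmt.Printf("version %#04x suite %s err %v\n", v, tls.CipherSuiteName(c), err)
}
```

The same probe with disjoint cipher lists on both sides yields the "handshake failure" alert the original poster describes as non-matching ciphersuites, and a TLS 1.3-only server against a TLS 1.2-only client yields "protocol version not supported".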