How to force TLSv1.1, for outbound connections, on the Admin Console

  • 7016651
  • 03-Jul-2015

Environment

NetIQ Access Manager 4.1

Situation

While creating an Active Directory user store, if TLSv1.2 is disabled on Active Directory and the secure LDAP connection option is selected, both the "Validate" and "Auto import trusted root" options inside the "Server Replicas" section fail.

If the configuration is pushed to the IDP, authentication will still work even though the "Validate" option fails with a "connection reset" message.


Resolution

Disable TLSv1.2, which forces TLSv1.1 for all outbound connections from the Admin Console:

  1. On the Admin Console, edit /opt/novell/java/jre/lib/security/java.security
  2. Add TLSv1.2 to jdk.tls.disabledAlgorithms: "jdk.tls.disabledAlgorithms=SSLv3,TLSv1.2"
  3. Restart the novell-ac service: run "/etc/init.d/novell-ac restart"
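The edit in steps 1 and 2, as an added script that is not from the article or from NetIQ: it appends TLSv1.2 to jdk.tls.disabledAlgorithms in a java.security file without duplicating the key or dropping existing entries such as SSLv3, refuses a file where the property spans backslash-continued lines (those must be edited by hand), and verifies the result. The file path is passed as the first argument (the article's path is /opt/novell/java/jre/lib/security/java.security); the service restart in step 3 is left to the operator.

```shell
#!/bin/sh
# Added example (not from the NetIQ article): add TLSv1.2 to
# jdk.tls.disabledAlgorithms in a java.security file, idempotently.
set -eu

KEY='jdk.tls.disabledAlgorithms'

# Print the property's current value (first occurrence), or nothing if unset.
current_disabled() {
    grep -E "^[[:space:]]*${KEY}[[:space:]]*=" "$1" | head -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//'
}

# Exit 0 if TLSv1.2 is already listed (whitespace around names is ignored).
tls12_disabled() {
    current_disabled "$1" | tr -d '[:space:]' | tr ',' '\n' | grep -qx 'TLSv1.2'
}

# Add TLSv1.2 to the property, keeping whatever is already disabled.
disable_tls12() {
    file="$1"
    tls12_disabled "$file" && return 0           # nothing to do
    if ! grep -qE "^[[:space:]]*${KEY}[[:space:]]*=" "$file"; then
        printf '%s=TLSv1.2\n' "$KEY" >> "$file"   # property absent: append it
    else
        val=$(current_disabled "$file")
        case "$val" in
            *'\') echo "$KEY uses line continuation; edit $file by hand" >&2
                  return 2 ;;
        esac
        [ -n "$val" ] && val="${val},"            # empty value: no leading comma
        tmp="${file}.tmp"
        sed -E "s|^([[:space:]]*${KEY}[[:space:]]*=).*|\\1${val}TLSv1.2|" "$file" > "$tmp"
        mv "$tmp" "$file"
    fi
    tls12_disabled "$file"                        # verify the edit took effect
}

# Stand-alone use: sh disable_tls12.sh /opt/novell/java/jre/lib/security/java.security
# then restart the service as the article says: /etc/init.d/novell-ac restart
if [ "$#" -gt 0 ]; then
    disable_tls12 "$1"
fi
```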

Cause

The Admin Console uses the highest TLS version available for outbound communication. However, if TLSv1.2 is disabled on the LDAP server, certain options won't work.

The IDP tries to communicate with the LDAP server using both TLSv1.2 and TLSv1.1.

The Admin Console only tries the highest protocol available, TLSv1.2.