I have configured the LDAP Generic Connector in ISC towards an OpenLDAP (2.4.31) source.
Unfortunately my client's OpenLDAP only supports TLSv1.2, along with some of the ciphers in the cipher suite used with that version. Currently the test connection fails during the handshake. Testing the connection by setting the TLS version and cipher explicitly with the toolbox openssl on the VA solves the problem.
Questions:
Is it possible to specify on the VA which TLS version to use for a specific source?
Is it possible to specify on the VA which cipher suite to use for a specific source?
I would want to use this configuration:
TLS version: TLSv1.2
Cipher: AES256-SHA256 (cipher is TLS_RSA_WITH_AES_256_CBC_SHA256)
I'm using a self-signed certificate from the LDAP server, which I have imported into /home/sailpoint/certificates/, and then restarted ccg.
Running "openssl s_client -connect serverfqdn:636 -tls1_2 -cipher AES256-SHA256" works from the VA, so everything seems to be open between the VA and the LDAP server.
Update: I mistakenly believed that TLSv1.2 and AES256-SHA256 were not used from the VA, but they are; they are probably negotiated between client and server.
I re-imported the certificate under /home/sailpoint/certificates and restarted ccg again and now it works.