Assure DQ


Fixing LDAP binds

  • 1.  Fixing LDAP binds

    Posted 02-24-2021 07:02

    We received the following notice about our InfogixInsight setup.  Can you advise how to fix/remedy this?  Insight is on our Windows Server and an Oracle Database back end.

    "Security logs show that your application server is making unsecure LDAP Binds to Active Directory.  Due to this security risk, future updates to the active directory domain controllers will be blocking these types of requests.  Unless corrected, these changes will most likely render your application unusable.

    Please work with your server team and application vendor to address this issue as soon as possible.  In most cases it may just need to change from normal LDAP to secure LDAPS.  In other cases, it may require an application patch or upgrade. 

    The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

    Client IP address:

    10.81.5.100:50728

    Identity the client attempted to authenticate as:

    PDD\srv-acrpluspdd

    Binding Type: 1"
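The notice quoted in the post is the body text Windows domain controllers write for the Directory Service audit event that reports unsigned or cleartext LDAP binds (event 2889). Its last field, Binding Type, is what tells you which fix applies: 0 is a SASL bind that did not request signing, 1 is a simple bind sent over cleartext LDAP, which is what the post shows and what a Java application doing a plain-LDAP simple bind produces. The following Python script is an added example, not from the thread or the vendor: it parses a batch of such notices, collapses them by client and account (dropping the ephemeral source port, which changes on every connection) and prints the remediation each one calls for. The sample notices are constructed; every address, port and account name other than the one in the post is made up.

```python
"""Triage unsigned/cleartext LDAP bind notices of the kind quoted above.

Added example, not from the original thread or the vendor. It parses the
fixed-format text a domain controller writes for this audit event, groups
the hits by client and account, and maps the Binding Type code to a fix.
"""
import re
from collections import Counter

# Constructed sample: three notices in the same format as the one in the post.
# Addresses, ports and account names (other than the posted one) are made up.
SAMPLE_NOTICES = r"""
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
10.81.5.100:50728
Identity the client attempted to authenticate as:
PDD\srv-acrpluspdd
Binding Type: 1

The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
10.81.5.100:50931
Identity the client attempted to authenticate as:
PDD\srv-acrpluspdd
Binding Type: 1

The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
10.81.7.23:61002
Identity the client attempted to authenticate as:
PDD\svc-reporting
Binding Type: 0
"""

# Binding Type 0: SASL bind that did not request signing.
# Binding Type 1: simple bind in clear text (a plain-LDAP Java simple bind).
BIND_TYPES = {
    0: ("SASL bind without signing",
        "have the client request LDAP signing (integrity) on its SASL bind"),
    1: ("simple bind over cleartext LDAP",
        "move the client to LDAPS so the password is never sent in the clear"),
}

EVENT_RE = re.compile(
    r"Client IP address:\s*(?P<addr>\S+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>\S+)\s*"
    r"Binding Type:\s*(?P<bind_type>\d+)"
)


def parse_notices(text):
    """Return one dict per notice found in the text."""
    events = []
    for m in EVENT_RE.finditer(text):
        # The address is "ip:port"; split on the last colon so IPv6 still works.
        ip, _, port = m.group("addr").rpartition(":")
        events.append({
            "ip": ip,
            "port": int(port),
            "identity": m.group("identity"),
            "bind_type": int(m.group("bind_type")),
        })
    return events


def summarize(events):
    """Count notices per (client IP, account, bind type), ignoring the source port."""
    return Counter((e["ip"], e["identity"], e["bind_type"]) for e in events)


def remediation(bind_type):
    """Human-readable fix for a Binding Type code."""
    kind, fix = BIND_TYPES.get(
        bind_type, ("unknown binding type", "check the event text"))
    return f"{kind}: {fix}"


if __name__ == "__main__":
    summary = summarize(parse_notices(SAMPLE_NOTICES))
    for (ip, identity, bind_type), n in summary.most_common():
        print(f"{ip:<15} {identity:<22} x{n}  {remediation(bind_type)}")
```

Run against the real audit log export instead of `SAMPLE_NOTICES`, the summary gives one row per application account rather than one per connection, which is the list you hand to the application owners.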



  • 2.  RE: Fixing LDAP binds

    Employee
    Posted 02-24-2021 08:14

    Hi Stephanie,

    With Wildfly deployments, LDAP SSL communication is enabled by editing the following two property files:

    <install_home>/config/<jvm>/userinfo.directory.properties
    <install_home>/config/<jvm>/security.directory.properties

    If this is an entirely different LDAP server you may need extensive edits to these files. If the team is simply looking to toggle the SSL flag, the following lines will be most important:

    The new secure "LDAP_PORT" and "USE_SSL" flags will need to be defined accordingly. Additional information on this may be found within the "infogixproperties.pdf" hosted on our support site:

    Infogix Assure Documentation

    Note : The aforementioned PDF is located within the "All Server Installation Documentation" link.

    If additional certificates are required for this handshake to take place, steps detailed within the following article may be followed:

    Where to import certificates into Assure, Insight, Perceive and ER

    Matthew Kennedy



  • 3.  RE: Fixing LDAP binds

    Posted 02-24-2021 10:45

    Our infrastructure team is hoping to move away from SSL to TLS.  Is that supported in Insight 9.3 or is that slated as an option in a future release?



  • 4.  RE: Fixing LDAP binds

    Employee
    Posted 02-24-2021 11:09

    Stephanie,

    Is the team looking for support with a specific TLS version? Assure, Insight, Perceive and ER support TLS 1.2

    Matthew Kennedy



  • 5.  RE: Fixing LDAP binds

    Posted 02-24-2021 11:15

    I will find out.  Good to know the version.



  • 6.  RE: Fixing LDAP binds

    Posted 02-25-2021 13:43

    We want to move forward with TLS 1.2.  I presume that there are different property names we need to use.  Is that documented somewhere already?  If not, can you provide that?  Can you also confirm that when we change to using TLS, we will need to also go from using http to https?  Since Insight is an internally facing app here, I am thinking we should be ok with the democert that ships with the product, but if you have feedback on that I would welcome it.  Are there other settings we should consider as we try to remedy this security vulnerability (things we can check or that you are seeing others have crop up as issues for security)?



  • 7.  RE: Fixing LDAP binds

    Employee
    Posted 02-25-2021 15:51

    The following article details what version of TLS is supported as well as how to implement:

    Checking and updating your TLS version

    Matthew Kennedy



  • 8.  RE: Fixing LDAP binds

    Posted 02-26-2021 09:44

    I appreciate the link about checking the version we need, but that article does not link to anything that tells us how to use TLS instead of SSL.  Do we add to the properties files?  There is no mention there.



  • 9.  RE: Fixing LDAP binds

    Posted 03-05-2021 09:33

    Can someone help me find some steps for what to update to actually use TLS instead of SSL.  That document did not have the Insight files to update and what entries in the properties files to make.  I would also want to know what considerations to think of when switching from http to https in general.  Our network support on this end says the vendor should be providing input on these as they don't know about the product.



  • 10.  RE: Fixing LDAP binds

    Posted 03-12-2021 10:21

    I am getting it that you think the article link should be all the help I need, but I know nothing about TLS or SSL and am not sure if we just use the implementation steps in the install guides for SSL and ignore that it says SSL or what.  I know there are entries in the properties files that need to be updated but they are all labelled SSL.  My internal folks that know more about SSL and TLS are deferring to the vendor for these questions. They can help me get certs and open ports but not configure Insight.  I am stuck.  I need a response.  I know you don't want this question to support...as my ticket was initially closed and I was told to use this forum.  Can someone please respond so we can get this going?



  • 11.  RE: Fixing LDAP binds

    Employee
    Posted 03-13-2021 15:20

    Hi Stephanie,

    I apologize for the delayed response as I have been out of office for the past couple of weeks. To enable TLS 1.2 you may append the following to your "JAVA_OPTIONS" line within the appserver.properties:

    -Djdk.tls.client.protocols=TLSv1.2

    A redeploy will be required once this is in place. If you would like to walk through this together, feel free to open a case as I would be happy to assist directly over a 'zoom' call.

    Matthew Kennedy
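Once the properties and the JAVA_OPTIONS line are edited, it is worth checking them before redeploying. The word "SSL" in property names such as USE_SSL is historical: in a Java application that flag turns on the JSSE socket layer, and the protocol version actually negotiated over it is TLS, which is why there is no separate "TLS" property to set. The `-Djdk.tls.client.protocols=TLSv1.2` option in the reply above is the knob that restricts this JVM's outbound handshakes to TLS 1.2; the domain controller has to offer TLS 1.2 as well, which is a server-side setting outside the application. The following Python script is an added example, not vendor code: it reads Java-style properties text, flags a directory configuration that would still produce a cleartext simple bind (USE_SSL off, or a port and flag that disagree) and checks that JAVA_OPTIONS pins the protocol. Only the key names LDAP_PORT, USE_SSL and JAVA_OPTIONS come from the replies in this thread; the value formats (true/false, 389/636), the LDAP_HOST key and the sample contents are assumptions made for the example.

```python
"""Pre-deploy check of the LDAP/TLS settings discussed in this thread.

Added example, not vendor code. Reads Java .properties text, flags settings
that still yield a cleartext simple bind, and checks the JVM TLS pin.
"""
import re
import shlex

# Constructed samples in the shape of the files named in the thread. Only the
# keys LDAP_PORT, USE_SSL and JAVA_OPTIONS come from the replies; LDAP_HOST and
# all values are assumed for the example.
WEAK_DIRECTORY = """
# security.directory.properties (before): cleartext simple bind on 389
LDAP_HOST=dc01.pdd.example
LDAP_PORT=389
USE_SSL=false
"""
FIXED_DIRECTORY = """
# security.directory.properties (after): TLS to the LDAPS port
LDAP_HOST=dc01.pdd.example
LDAP_PORT=636
USE_SSL=true
"""
WEAK_APPSERVER = """
# appserver.properties (before): JVM default protocol list
JAVA_OPTIONS=-Xms1g -Xmx4g
"""
FIXED_APPSERVER = """
# appserver.properties (after): TLS 1.2 pinned as in the last reply
JAVA_OPTIONS=-Xms1g -Xmx4g \\
    -Djdk.tls.client.protocols=TLSv1.2
"""

LDAP_PORT_CLEARTEXT = 389   # IANA port for plain LDAP
LDAPS_PORT = 636            # IANA port for LDAP over TLS
ACCEPTED_TLS = {"TLSv1.2", "TLSv1.3"}

_KV_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':'
    separators, trailing-backslash line continuations."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            buf = line[:-1]          # continuation: glue the next line on
            continue
        m = _KV_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_directory(props):
    """Flag directory settings that still produce a cleartext simple bind."""
    findings = []
    use_ssl = props.get("USE_SSL", "false").strip().lower() == "true"
    port = int(props.get("LDAP_PORT", LDAP_PORT_CLEARTEXT))
    if not use_ssl:
        findings.append("USE_SSL is not true: the bind is a cleartext simple "
                        "bind (Binding Type 1 in the DC notice)")
    if use_ssl and port == LDAP_PORT_CLEARTEXT:
        findings.append("USE_SSL=true but LDAP_PORT is still 389; TLS has to "
                        "go to the LDAPS port (636 by default)")
    if not use_ssl and port == LDAPS_PORT:
        findings.append("LDAP_PORT is 636 but USE_SSL is not true; the DC "
                        "expects a TLS handshake on that port")
    return findings


def audit_java_options(props):
    """Check that the JVM is told to speak only TLS 1.2 or newer as a client."""
    for opt in shlex.split(props.get("JAVA_OPTIONS", "")):
        if opt.startswith("-Djdk.tls.client.protocols="):
            enabled = set(opt.split("=", 1)[1].split(","))
            weak = sorted(enabled - ACCEPTED_TLS)
            return ([f"jdk.tls.client.protocols still allows {', '.join(weak)}"]
                    if weak else [])
    return ["JAVA_OPTIONS does not set -Djdk.tls.client.protocols=TLSv1.2, "
            "so the JVM default protocol list applies"]


def audit(directory_text, appserver_text):
    """All findings for one directory file plus one appserver file."""
    return (audit_directory(parse_properties(directory_text))
            + audit_java_options(parse_properties(appserver_text)))


if __name__ == "__main__":
    for label, d, a in (("before", WEAK_DIRECTORY, WEAK_APPSERVER),
                        ("after", FIXED_DIRECTORY, FIXED_APPSERVER)):
        print(label, audit(d, a) or ["no findings"])
```

Point the two `audit(...)` arguments at the real userinfo.directory.properties, security.directory.properties and appserver.properties contents; an empty result means the bind will go over TLS 1.2 to the LDAPS port, and the remaining work is the trust store (the certificate article linked earlier) and the redeploy.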