Does the Policy Server support the TLSv1.1/TLSv1.2 protocol for LDAP connectivity with the Policy Store/User Store?

Document ID:  TEC2147705
Last Modified Date:  07/06/2017

Products

  • CA Single Sign-On

Releases

  • CA Single Sign-On:Release:12.52 SP2
  • CA Single Sign-On:Release:12.52 SP1
  • CA Single Sign-On:Release:12.51
  • CA Single Sign-On:Release:12.0.3 CA SiteMinder

Components

  • SITEMINDER -POLICY SERVER:SMPLC

Introduction:

The customer wants to disable the SSL protocol and enable TLSv1.1/TLSv1.2 for the Policy Server connection with the LDAP Policy Store/User Store.

Question:

Does the Policy Server support the TLSv1.1/TLSv1.2 protocol for LDAP connectivity with the Policy Store/User Store?

Environment:

Policy Server Version: R12.0SP3 and above

Answer:

What determines which SSL/TLS protocols the Policy Server supports for its LDAP connections?

The Policy Server uses the Mozilla LDAP SDK to communicate with LDAP directories (Policy Store, User Store, etc.).

These libraries are deployed under the Policy Server bin folder. The main library is the Network Security Services base library: nss3.dll (Windows)/libnssutil3.so (Unix).

So support for the different security protocols (SSL, TLS 1.0/1.1/1.2, etc.) depends primarily on whether the bundled NSS library supports them.

Support for TLS v1.1 (RFC 4346) is available from NSS 3.14:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.14_release_notes

Support for TLS v1.2 (RFC 5246) is available from NSS 3.15.1:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.15.1_release_notes


Does the Policy Server support the TLSv1.2 protocol for LDAP connectivity with the Policy Store/User Store?

As seen above, this depends on the version of the NSS libraries shipped. Let's look at the NSS library version shipped with each Policy Server version:

  • R12.0SP3CR12 = NSS 3.3.2.0
  • R12.51CR6 onwards until CR10 = NSS 3.14.3.0
  • R12.52SP1 CR7 onwards = NSS 3.28.1
  • R12.52SP2 until CR1  = NSS 3.14.3.0
  • R12.6 = NSS 3.20


Conclusion:


  • R12.0SP3CR12 doesn't have support for the TLS protocol. It supports only SSL.
  • R12.51CR6 onwards, we have support for TLS, but only up to TLSv1.0 (due to an internal limitation we don't support TLSv1.1). However, you can request a NIN for this, as we have already certified the NSS 3.30.2 libraries for this release (CA only refer: DE300577).
  • R12.52SP1 CR7 onwards, we have support for both TLS v1.1 and TLS v1.2.
  • R12.52SP2 until CR1 doesn't have support for TLS v1.1 and TLS v1.2 (open a support ticket if you need a NIN for this release).
  • R12.6 onwards, we have support for both TLS v1.1 and TLS v1.2.
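As an added check that is not part of this CA document: the first function applies the NSS 3.14 / NSS 3.15.1 thresholds above to a dotted NSS version string, and the second pins a client to one TLS version to confirm which versions the directory still accepts after SSL is disabled on it. The host ldap.example.test and port 636 are placeholders, and the release-to-NSS mapping still has to be read from the table above.

```python
import socket
import ssl

# Thresholds from the NSS release notes cited in this document.
TLS11_MIN_NSS = "3.14"    # TLS 1.1 (RFC 4346) arrived in NSS 3.14
TLS12_MIN_NSS = "3.15.1"  # TLS 1.2 (RFC 5246) arrived in NSS 3.15.1

def parse_nss_version(version: str) -> tuple:
    """'3.14.3.0' -> (3, 14, 3, 0). Tuples compare element by element, so
    (3, 14, 3, 0) >= (3, 14) but (3, 14, 3, 0) < (3, 15, 1), as required."""
    return tuple(int(part) for part in version.strip().split("."))

def max_tls_for_nss(nss_version: str) -> str:
    """Highest TLS version the bundled NSS library itself can negotiate.
    Necessary, not sufficient: the document notes R12.51 ships NSS 3.14.3.0
    yet is limited to TLSv1.0 by the Policy Server, so check the table too."""
    v = parse_nss_version(nss_version)
    if v >= parse_nss_version(TLS12_MIN_NSS):
        return "TLSv1.2"
    if v >= parse_nss_version(TLS11_MIN_NSS):
        return "TLSv1.1"
    return "<=TLSv1.0"

def probe_ldaps(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0):
    """Protocol the directory negotiates when pinned to one TLS version, else None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Negotiation probe only: certificate checks are disabled here and must stay
    # enabled on the real Policy Server -> directory connection.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let OpenSSL offer legacy 1.0/1.1
    except ssl.SSLError:
        pass
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, ValueError, OSError):
        return None

if __name__ == "__main__":
    # ldap.example.test:636 is a placeholder for the Policy/User Store LDAPS endpoint.
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        print(ver.name, "->", probe_ldaps("ldap.example.test", 636, ver))
```

A version that prints None for TLSv1 and TLSv1_1 but a name for TLSv1_2 shows the directory side is ready; the Policy Server side is then decided by the release table above.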
