Configuring HCL Compass with LDAP user authentication for TLS 1.2 to support NIST SP 800-131A guidelines

You must configure LDAP for HCL Compass authentication to support Transport Layer Security 1.2 (TLS 1.2) and NIST SP 800-131A guidelines.

About this task

You must update the LDAP server and the HCL Compass LDAP configuration to support your required level of the TLS protocol. Different versions of the TLS protocol provide different security improvements. U.S. Government organizations may be required to follow the NIST SP 800-131A guidelines (http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf); non-governmental organizations may also wish to use the security enhancements of newer TLS versions. HCL Compass, and later versions, provide support for TLS 1.2 and TLS 1.1, which meet the NIST SP 800-131A guidelines. TLS 1.0 is also supported.


Perform the following steps in a test environment first, so that production use of HCL Compass is not disrupted until you have validated that HCL Compass LDAP user authentication works correctly.

First, follow your LDAP server's documentation to configure the LDAP server for the desired level of the TLS protocol.

Second, configure your HCL Compass LDAP installation for the same level of the TLS protocol using the following instructions.

HCL Compass adds two new options, "-S" and "-C", to "installutil setldapinit" for configuring the TLS protocol version and cipher suites used when connecting to your LDAP server.

-S sets LDAP_OPT_SSL_SECURITY_PROTOCOL. Valid values are TLS10, TLS11 and TLS12; to allow more than one version, separate the values with commas.
-C sets LDAP_OPT_SSL_CIPHER_EX. It accepts one or more comma-delimited cipher suite names from a long list of supported values; ask your LDAP server administrator which values the server supports.

The following cipher suites are supported with the TLS 1.2 protocol:

TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Because of CVE-2016-2183 (Sweet32: birthday attacks on 64-bit block ciphers in TLS), we recommend using only the following secure cipher suites. This list also omits the RC4 suites:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

To support only TLS 1.2 for LDAP, set "-S" to TLS12 and set "-C" to the cipher suite(s) that the LDAP server supports and that the administrator has chosen. Remember to set both "-Z" and "-K" as well, to enable the SSL connection and provide the keystore file.

A sample command:

installutil setldapinit 8.0.0 admin "" "-h ldapserver -Z -K 'win:c:\key.kdb;unix:/tmp/key.kdb' -S TLS12 -C TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"

Refer to your LDAP server administrator for the server-side configuration. The HCL Compass administrator must set values that match the server so that the connection succeeds.

The two new options must be set together, or both left unset, in which case HCL Compass keeps its old behavior of supporting only TLS 1.0. If one option is set without the other, validating the LDAP connection fails with an error. For example, if only "-C" is set, validating the LDAP connection produces the following error:

CRMMD1848E The LDAP initialization parameters are invalid:
The required option is missing: -S
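The following pre-flight check is an added example for this topic; it is not part of HCL Compass or its documentation. It validates an intended -S and -C setting against the protocol values and cipher suites listed above, applies the both-or-none rule, flags the 3DES and RC4 suites that are left out of the recommended list, and renders the resulting installutil command line. The host name, keystore paths, version number and administrator credentials are constructed placeholders; run it before you try the real command in your test environment.

```python
"""Pre-flight check for the -S / -C values passed to installutil setldapinit.

Added example, not HCL Compass code. Validates the protocol and cipher
values against the lists in this topic, enforces the both-or-none rule,
and renders the command line. Host, keystore paths, version and
credentials are constructed placeholders.
"""

SUPPORTED_PROTOCOLS = ("TLS10", "TLS11", "TLS12")

# Protocol levels this topic describes as meeting NIST SP 800-131A.
NIST_PROTOCOLS = ("TLS11", "TLS12")

# Cipher suites this topic lists as supported under TLS 1.2.
SUPPORTED_CIPHERS = frozenset("""
TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
""".split())

# Suites the topic excludes from its recommended list: 3DES (Sweet32,
# CVE-2016-2183) and RC4.
DISCOURAGED_CIPHERS = frozenset(
    c for c in SUPPORTED_CIPHERS if "3DES" in c or "RC4" in c
)


def parse_list(value):
    """Split a comma-delimited option value, dropping blank entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def validate_tls_options(protocols=None, ciphers=None):
    """Return (errors, warnings) for a -S / -C pair; None means not set."""
    errors, warnings = [], []
    # Both-or-none rule: setting only one option is rejected by installutil.
    if (protocols is None) != (ciphers is None):
        missing = "-S" if protocols is None else "-C"
        errors.append("The required option is missing: " + missing)
        return errors, warnings
    if protocols is None:
        warnings.append("-S and -C not set: legacy TLS 1.0-only behaviour")
        return errors, warnings
    proto_list = parse_list(protocols)
    if not proto_list:
        errors.append("-S has no value")
    for p in proto_list:
        if p not in SUPPORTED_PROTOCOLS:
            errors.append("unsupported protocol value: " + p)
        elif p not in NIST_PROTOCOLS:
            warnings.append(p + " enabled: does not meet NIST SP 800-131A")
    cipher_list = parse_list(ciphers)
    if not cipher_list:
        errors.append("-C has no value")
    for c in cipher_list:
        if c not in SUPPORTED_CIPHERS:
            errors.append("unsupported cipher suite: " + c)
        elif c in DISCOURAGED_CIPHERS:
            warnings.append(c + " is not in the recommended list (Sweet32 / RC4)")
    return errors, warnings


def build_setldapinit_command(protocols, ciphers, host="ldapserver",
                              win_kdb=r"c:\key.kdb", unix_kdb="/tmp/key.kdb",
                              version="8.0.0", admin="admin", password=""):
    """Render the installutil command line, refusing invalid option sets."""
    errors, _ = validate_tls_options(protocols, ciphers)
    if errors:
        raise ValueError("; ".join(errors))
    ldap_args = (f"-h {host} -Z -K 'win:{win_kdb};unix:{unix_kdb}' "
                 f"-S {','.join(parse_list(protocols))} "
                 f"-C {','.join(parse_list(ciphers))}")
    return f'installutil setldapinit {version} {admin} "{password}" "{ldap_args}"'


if __name__ == "__main__":
    errs, warns = validate_tls_options("TLS12", "TLS_RSA_WITH_3DES_EDE_CBC_SHA")
    print("errors:", errs)
    print("warnings:", warns)
    print(build_setldapinit_command(
        "TLS12",
        "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"))
```

Warnings do not block the command because the topic documents TLS 1.0 and the 3DES/RC4 suites as supported; errors (an unknown value, or one option without the other) do, since installutil would reject them at validation time anyway.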

For more details, see the topic Setting the HCL Compass LDAP connection information for SSL.