As part of my ongoing mission to discover everything about everything, I was trying to retrieve a Signer Certificate from Active Directory 2008 R2 via LDAP, into my WAS 8.5.5 cell, using this command: -
cellID = AdminControl.getCell()
AdminTask.retrieveSignerFromPort('[-keyStoreName CellDefaultTrustStore -keyStoreScope (cell):'+cellID+' -host ad2008.uk.ibm.com -port 636 -certificateAlias ad2008.uk.ibm.com -sslConfigName CellDefaultSSLSettings -sslConfigScopeName (cell):'+cellID+' ]')
However, the command failed with: -
javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.
This occurs because I have WAS configured to require TLS 1.2, whereas Windows Server 2008 R2 only offers TLS 1.0 by default: its SCHANNEL provider supports TLS 1.1 and 1.2, but both are disabled out of the box. The right fix is to bring the domain controller up to TLS 1.2, not to re-enable TLS 1.0 on the WAS side.
Thankfully this post came to my rescue: -
It describes how one can edit the Registry (!) to enable TLS 1.2 and set it to be enabled as a default protocol.
From this, I created a registry file - enableTLS12.reg : -
Windows Registry Editor Version 5.00
; SCHANNEL only reads these keys at boot, so the domain controller must be restarted for the change to take effect
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
; Client side: outbound TLS connections made by this server
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
; Server side: inbound TLS connections, including LDAPS on port 636
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
which I can use whenever needed in the future. Note that the new protocol is only offered after the server has been rebooted, since SCHANNEL reads these keys at start-up.
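As an added example (not part of the original post), the same change expressed as an idempotent PowerShell script, which also reads the values back so you can confirm they landed before rebooting. It assumes an elevated session on the domain controller; the key path is the one used in the .reg file above.

```powershell
# Added example: PowerShell equivalent of enableTLS12.reg, plus a read-back check.
# Run in an elevated PowerShell session on the domain controller (assumption: local admin rights).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

foreach ($side in 'Client', 'Server') {
    $key = Join-Path $base $side
    # -Force creates the key and any missing parents, and does not fail if it already exists
    New-Item -Path $key -Force | Out-Null
    # DisabledByDefault=0 puts TLS 1.2 into the default protocol set; Enabled=1 switches it on
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled'           -Value 1 -PropertyType DWord -Force | Out-Null
}

# Read the values back and verify them rather than trusting the write succeeded
$ok = $true
foreach ($side in 'Client', 'Server') {
    $p = Get-ItemProperty -Path (Join-Path $base $side)
    if ($p.Enabled -ne 1 -or $p.DisabledByDefault -ne 0) {
        Write-Warning "TLS 1.2 $side settings were not applied correctly"
        $ok = $false
    } else {
        Write-Output "TLS 1.2 $side : Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
    }
}

if ($ok) {
    # SCHANNEL reads these keys at boot, so nothing changes on port 636 until the server restarts
    Write-Output 'Registry updated. Restart the server, then re-run AdminTask.retrieveSignerFromPort.'
}
```

After the reboot, a quick check from the WAS box that the listener now negotiates TLS 1.2 is openssl s_client -connect ad2008.uk.ibm.com:636 -tls1_2, which should complete the handshake and print the server certificate chain instead of a protocol version alert. If the aim is to enforce TLS 1.2 end to end, the matching TLS 1.0 keys can later be disabled on the domain controller, but only after confirming that every other LDAP client can cope.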
Now the Signer Certificate imports without fail: -
'Signer Certificate Successfully added to keyStore.'
which is nice.