Tuesday, 10 November 2015

MS Active Directory 2008 - Why no TLS 1.2 ?

As part of my ongoing mission to discover everything about everything, I was trying to retrieve a Signer Certificate from Active Directory 2008 R2 via LDAP, into my WAS 8.5.5 cell, using this command: -

cellID = AdminControl.getCell()

AdminTask.retrieveSignerFromPort('[-keyStoreName CellDefaultTrustStore -keyStoreScope (cell):'+cellID+' -host ad2008.uk.ibm.com -port 636 -certificateAlias ad2008.uk.ibm.com -sslConfigName CellDefaultSSLSettings -sslConfigScopeName (cell):'+cellID+' ]')

However, the command failed with: -

javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.

This occurs because I have WAS set to enforce TLS 1.2, whereas AD was only offering TLS v1.0, by default.

Thankfully this post came to my rescue: -


It describes how one can edit the Registry (!) to enable TLS 1.2 and set it to by enabled as the default protocol.

From this, I created a registry file - enableTLS12.reg : -

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001


which I can use whenever needed in the future.

Now the Signer Certificate imports without fail: -

'Signer Certificate Successfully added to keyStore.'

which is nice.

No comments: