Node JS in ACE 11 FP12 seems to have changed it's default minimum TLS protocol to TLS v1.2 from TLS v1.0. I understand why this has happened and applaud it, however I am still stuck with authenticating against an older windows AD that does not support anything except for TLS 1.0 or maybe TLS 1.1.
ACE 11 FP10 did not have this issue, this can be seen by running the '<ace install location>/common/node/bin/node' command and typing 'tls'.
This affects the RestAdminListener ldapAuthorizeUrl and ldapUrl settings, forcing me to run them as 'ldap://' instead of 'ldaps://'. I will probably have to change to local authentication or disable the interface entirely if I can't find a solution. the mqweb component for MQ 9.2 had a nice solution involving overriding various java options, however the same doesn't seem to exist for the ACE11 RestAdmin interface.
I can set the tls version on the command line by running 'node --tls-min-v1.0'. However I can't see a way to pipe that into the startup commands/scripts or an equivalent environment variable or node.conf.yaml setting
Does anyone know if an environment variable can be set or a command run to change the minimum TLS version for the running ACE node?
Looks like I can set that in a .bash_profile or systemd environment variable...
edit:
Looks like that doesn't work. I'll keep going down that rabbit hole to see what else I can find
final edit: Got it working. For those interested I had to place a file into
/var/mqsi/common/profiles
I called it:
restAdminLowerTLSSecurity.sh
containing:
export NODE_OPTIONS='--tls-min-v1.0 --tls-max-v1.2'
Not sure the second part about max TLS version is required. Keeping it in until I get time for extensive testing.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum