ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » ACE 11 FP12 - Node JS downgrade default TLS options

Post new topic  Reply to topic
 ACE 11 FP12 - Node JS downgrade default TLS options « View previous topic :: View next topic » 
Author Message
huwgb
PostPosted: Thu Apr 08, 2021 5:04 pm    Post subject: ACE 11 FP12 - Node JS downgrade default TLS options Reply with quote

Novice

Joined: 07 May 2013
Posts: 21

Hi,

Node JS in ACE 11 FP12 seems to have changed it's default minimum TLS protocol to TLS v1.2 from TLS v1.0. I understand why this has happened and applaud it, however I am still stuck with authenticating against an older windows AD that does not support anything except for TLS 1.0 or maybe TLS 1.1.

ACE 11 FP10 did not have this issue, this can be seen by running the '<ace install location>/common/node/bin/node' command and typing 'tls'.

This affects the RestAdminListener ldapAuthorizeUrl and ldapUrl settings, forcing me to run them as 'ldap://' instead of 'ldaps://'. I will probably have to change to local authentication or disable the interface entirely if I can't find a solution. the mqweb component for MQ 9.2 had a nice solution involving overriding various java options, however the same doesn't seem to exist for the ACE11 RestAdmin interface.

I can set the tls version on the command line by running 'node --tls-min-v1.0'. However I can't see a way to pipe that into the startup commands/scripts or an equivalent environment variable or node.conf.yaml setting

Does anyone know if an environment variable can be set or a command run to change the minimum TLS version for the running ACE node?

edit:
just found this:
https://www.ibm.com/support/pages/ibm-ace-tls-protocol-and-cipher-suits-configuration-restadminlistener-web-interface

export NODE_OPTIONS=--tls-min-v1.0

Looks like I can set that in a .bash_profile or systemd environment variable...


edit:
Looks like that doesn't work. I'll keep going down that rabbit hole to see what else I can find

final edit: Got it working. For those interested I had to place a file into
/var/mqsi/common/profiles
I called it:
restAdminLowerTLSSecurity.sh
containing:
export NODE_OPTIONS='--tls-min-v1.0 --tls-max-v1.2'

Not sure the second part about max TLS version is required. Keeping it in until I get time for extensive testing.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » ACE 11 FP12 - Node JS downgrade default TLS options
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.