As part of my ongoing mission to discover everything about everything, I was trying to retrieve a Signer Certificate from Active Directory 2008 R2 via LDAP, into my WAS 8.5.5 cell, using this command: -
cellID = AdminControl.getCell()
AdminTask.retrieveSignerFromPort('[-keyStoreName CellDefaultTrustStore -keyStoreScope (cell):'+cellID+' -host ad2008.uk.ibm.com -port 636 -certificateAlias ad2008.uk.ibm.com -sslConfigName CellDefaultSSLSettings -sslConfigScopeName (cell):'+cellID+' ]')
However, the command failed with: -
javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.
This occurs because I have WAS set to enforce TLS 1.2, whereas AD was only offering TLS v1.0, by default.
Thankfully this post came to my rescue: -
It describes how one can edit the Registry (!) to enable TLS 1.2 and set it to by enabled as the default protocol.
From this, I created a registry file - enableTLS12.reg : -
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
which I can use whenever needed in the future.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
which I can use whenever needed in the future.
Now the Signer Certificate imports without fail: -
'Signer Certificate Successfully added to keyStore.'
which is nice.