Dear eDir/IDM aficionados,

I am in the process of planning to upgrade our eDirectory / IDM
infrastructure to current versions. Furthermore, I plan to tighten
security a bit. The servers are in a firewalled environment, not
accessible from the internet, and only have the needed ports open; still, some
of my settings seem not to conform to security best practices.
I will post some questions in the coming weeks and would be glad for any
valuable input and well-meant guidance.

------------------
Current environment:
------------------
eDirectory 8.8.8 Patch 2 (on Windows 2008 R2 64-bit)
Engine: Identity Manager 4.0.2.0 SE
AD-Driver version: 3.5.18 (on Windows 2008 R2 64-bit)

First I had a look at the 'Issues resolved' list of eDirectory for any
changes which might impact operation when upgrading. Since the most
important role the infrastructure has is LDAP authentication for some
applications, those seem most critical to me.
The following fixes caught my eye:

------------------
Fixes
------------------
Issues resolved in eDirectory 8.8 SP8 Patch 4
December 2014
NDSD - Standalone: 20805.07 OES11SP2: 20805.05

Poodle Security Vulnerability: LDAPS and HTTPS in eDirectory allow
SSLv3 for secure communication. (Bug 902049) (CVE-2014-3566)
Provide the option to disable SSLv3 through the LDAP Plugin (Bug
902051)

Issues resolved in eDirectory 8.8 SP8 Patch 8
June 2016
NDSD: 20809.20 (OES 20809.20)

LDAP now uses HIGH ciphers for both upgrades and new servers. (Bug
977816)
SSLv2 protocol completely disabled for LDAPS and HTTPS protocols.
(Bug 973549)

------------------
My current LDAP configuration on each ldap-server is:
iManager | LDAP Options | <specific ldap server> | Connections Tab:
'Require TLS for all operations' (checked) and 'Disable SSLv3'
(unchecked) and 'Bind Restrictions for Cipher' (NONE)

All LDAP connections in the trace are talking of 'New TLS connection
0x25fb5c99 from <ip-address>:<port>, monitor = 0xa38, index = 4.'
------------------

------------------
Upgrade-Options
------------------
Regarding the upgrade path I seem to have two choices:
1. In-place upgrade to 8.8.8 Patch 9 HF2, then upgrade the engine to 4.5.5,
upgrade the Remote Loaders (AD) to 4.5.5, and at last upgrade the engine to 4.6,
then the Remote Loaders.
2. Install new Windows Server 2012 R2 servers, install eDir 9.0.2 HF2,
install Platform Agent 2011.1r5, and integrate that into my tree. Migrate
the certificate authority to a new server, then install IDM 4.6, migrate
the driver sets to the new servers, and upgrade the Remote Loaders some time later to
4.6.

So, if I'd upgrade to 8.8.8 Patch 9 HF2:
- Is it correct to assume every LDAPS connection is using TLS?
- Is it therefore OK to check 'Disable SSLv3'? Or are there other
implications in choosing that option?
- Is it likely that any of the above-mentioned fixes has a deleterious
effect on the ability to authenticate successfully? Is there something
that needs to get checked beforehand? Is any manual work needed beforehand
(I found nothing in the docs)?

The second option (adding new servers) seems easier and less risky to me,
though. Will that (potentially) work that way, or are there other steps
to take?


Thanks for any feedback, Florian


--
florianz
------------------------------------------------------------------------
florianz's Profile: https://forums.netiq.com/member.php?userid=309
View this thread: https://forums.netiq.com/showthread.php?t=57528
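One way to check, from the trace rather than by assumption, whether every LDAP client is already on TLS before tightening the LDAP options: the script below is an added example (not code from the post or from NetIQ) that scans ndstrace LDAP output for the 'New TLS connection' lines quoted above and tallies connections per client IP. It assumes that non-TLS connections appear as 'New cleartext connection' lines with the same layout, and the sample trace lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of ndstrace +LDAP output (timestamp and thread prefix are
# made up). The "New TLS connection" line follows the format quoted in the post;
# the "New cleartext connection" form is an assumed counterpart for non-TLS binds.
SAMPLE_TRACE = """\
12:01:03 A1B2C3 LDAP: New TLS connection 0x25fb5c99 from 10.1.2.30:51234, monitor = 0xa38, index = 4
12:01:03 A1B2C3 LDAP: New TLS connection 0x25fb5d00 from 10.1.2.31:51240, monitor = 0xa38, index = 5
12:01:04 A1B2C3 LDAP: New cleartext connection 0x25fb5e11 from 10.1.2.77:40011, monitor = 0xa38, index = 6
12:01:05 A1B2C3 LDAP: New TLS connection 0x25fb5e12 from 10.1.2.30:51250, monitor = 0xa38, index = 7
12:01:06 A1B2C3 LDAP: New cleartext connection 0x25fb5e13 from 10.1.2.77:40012, monitor = 0xa38, index = 8
"""

# Matches both connection kinds; the connection id is hex, the port decimal.
CONN_RE = re.compile(
    r"New (?P<kind>TLS|cleartext) connection 0x(?P<conn>[0-9a-fA-F]+) "
    r"from (?P<ip>[0-9a-fA-F:.]+):(?P<port>\d+)"
)


def tally_connections(trace_text):
    """Return {client_ip: {"TLS": n, "cleartext": n}} from LDAP trace lines."""
    tally = defaultdict(lambda: {"TLS": 0, "cleartext": 0})
    for line in trace_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            tally[m.group("ip")][m.group("kind")] += 1
    return dict(tally)


def cleartext_clients(trace_text):
    """Client IPs that opened at least one non-TLS LDAP connection; these are
    the ones to reconcile before relying on 'Require TLS for all operations'."""
    counts = tally_connections(trace_text)
    return sorted(ip for ip, c in counts.items() if c["cleartext"] > 0)


if __name__ == "__main__":
    for ip, counts in sorted(tally_connections(SAMPLE_TRACE).items()):
        print(f"{ip:15} TLS={counts['TLS']:3} cleartext={counts['cleartext']:3}")
    print("clients still using cleartext:", cleartext_clients(SAMPLE_TRACE))
```

Run it over a real ndstrace capture (ndstrace with the +LDAP flag, collected over a representative period) instead of SAMPLE_TRACE; any IP listed by cleartext_clients is a client that would need attention.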