Knowlege base

How to prepare Imagicle server to support TLS protocol version 1.2 and enable it on the Application Suite

Article ID: 602
Last updated: 22 Nov, 2019

Applies to:

Imagicle Application Suite rel. Spring 2018.3.1 and above

Description:

This how-to explains the necessary steps (with all external download links) to prepare the Imagicle server to support TLS protocol version 1.2 and enable it on the Application Suite.

Please, notice that the secure connection to SQL Server is not mandatory. However, it is recommended (for security reasons) if the SQL server is running on a different server. 

How-to:

Configuration Task List

  1. Check Imagicle Application Suite version and update if needed
  2. Check Microsoft® Windows Server® version and update if needed
  3. Edit Microsoft® Windows Server® Registry to enable TLS 1.2 as the only cryptographic protocol allowed
  4. Edit Microsoft® Windows Server® Registry to enable .NET Framework support for TLS 1.2
  5. Check Microsoft® SQL Server® version and update if needed
  6. Check Certificate requirements
  7. Configure the Application Suite to use secure connection to SQL Server (optional)
  8. Adjust the Application Suite SQL client version
  9. Complete HA-related configurations

1) Check Imagicle Application Suite version and update if needed

TLS 1.2 is supported by IAS rel. Spring 2018.3.1 or above.

To update Imagicle Application Suite please refer to our online admin guides.

If IAS ver. is 2020.Winter.1 or above, then Windows registry modifications are not required.

2) Check Microsoft® Windows Server® version and update if needed

It is mandatory to install specific updates onto Microsoft® Windows Server® before applying any further step.

Updates can be easily applied by running a Windows Update cycle, or by manually installing the following single hotfixes:

More info at the following link: KB4076494

After updating Microsoft® Windows Server® perform a reboot.

3) Edit Microsoft® Windows Server® Registry to enable TLS 1.2 as the only cryptographic protocol allowed

On the Microsoft® Windows Server® which hosts the Imagicle Application Suite, several Registry keys need to be modified in order to enable TLS 1.2, while disabling any weaker cryptographic protocol.

An easy and intuitive tool that automate the complex editing is currently available for download:

https://www.nartac.com/Downloads/IISCrypto/IISCrypto.exe

Once you downloaded IISCrypto tool, launch it and apply the following configurations:

  • Disable all protocols
  • Disable and re-enable TLS 1.2

More info on how IISCrypto tool works at the following link:

https://www.nartac.com/Blog/post/2013/04/19/IIS-Crypto-Explained.aspx

4) Edit Microsoft® Windows Server® Registry to enable .NET Framework support for TLS 1.2

NOTE: If IAS is ver. 2020.Winter.1 or above, please skip this paragraph.

To enable TLS 1.2 support for .NET Framework, 4 additional Registry keys must be added to the Microsoft® Windows Server® which hosts the Imagicle Application Suite:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] 
    "SchUseStrongCrypto"=dword:00000001 
    
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] 
    "SchUseStrongCrypto"=dword:00000001
    
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    

You can use the attached file to merge the mentioned registry keys very quickly.

Once applied, perform a system reboot.

5) Check Microsoft® SQL Server® version and update if needed

To enable TLS 1.2, the minimum required database version is Microsoft® SQL Server® Express 2008 R2 SP3, while the SQL Express included up to ApplicationsSuite Spring 2019 Imagicle Installation Package is version 2008 R2 SP2. This means that, if you are relying on that setup, you will need to upgrade from the version 2008 R2 SP2 to SP3. Starting from Imagicle ApplicationSuite Summer 2019 the shipped version is Microsoft® SQL Server® Express 2017 which natively supports TLS 1.2 and does not require any additional installation.

More info at the following link: KB3135244

To upgrade from Microsoft® SQL Server® Express 2008 R2 SP2 installed on IAS to Microsoft® SQL Server® Express 2008 R2 SP3:

6) Check Certificate requirements

If you want to use a secure connection to SQL Server (not mandatory for this procedure), a valid certificate must be used by SQL Server.

If you already have a trusted certificate for the Imagicle Server please skip this session. Otherwise you can build a self-signed certificate suitable for a SQL Server in a lab/test environment, by following this procedure:

  • Login onto Imagicle Application Suite
  • Open a command prompt and move into the following Directory:
    <StonevoiceAS>\System\SSL
  • Launch the following command:

makecert -r -pe -n "CN=MININT-Q99PLQN.fareast.corp.microsoft.com" -b 10/16/2015 -e 12/01/2020 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -a sha256

  • The name of the certificate (CN=) must equal the server FQDN or full computer name of Imagicle Server

Following mandatory requirements of SQL certificate:

  • It must be valid thus the current system date and time should be between the Valid From and Valid To properties of the certificate.
  • It must be available into WCS "Personal" section (Computer account)
  • The Common Name (CN) in the Subject property of the certificate must be the same as the fully qualified domain name (FQDN) of the server computer.
  • It must be issued for server authentication so the Enhanced Key Usage property of the certificate should include 'Server Authentication (1.3.6.1.5.5.7.3.1)'.
  • It must be created by using the KeySpec option of 'AT_KEYEXCHANGE'.

Moreover, the certificate should be available in “Trusted root certification authorities”. If not available, you can export it without a private key from Personal Certificates and subsequently import it in Trusted Root Certificaton AuthoritiesCertificates. See below screenshots for the complete export/import procedure:

Certificate Export

Certificate Import

Import must be done on the machine where SQL Server instance is installed.

See this link for additional information.

Please notice that these requirements do not apply if you're going to establish a plain (unsecure) connection to SQL Server.

Also ensure the following:

  • The certificate must be listed in “Personal” section of WCS (check using certlm.msc)
  • The “Subject” property must equal server FQDN
  • Server authentication (eku=1.3.6.1.5.5.7.3.1) must be enabled
  • Must be created with KeySpec option set to “AT_KEYEXCHANGE”
  • Must also be listed in “Trusted root certification authority” section: if not listed, copy from “Personal/Certificates” section .
  • Check certificate permissions: “NETWORK SERVICE” user must be present and have Full control

7) SQL Server Engine Configuration

To allow encrypted connections to SQL Server, you must configure a certificate. This is accomplished in two different ways:

  1. Using own trusted certificate (in production environments):
  • Pls. start SQL Server Configuration Manager and select “SQL Server Network Configuration” →  “Protocols for IMAGICLE”. Right-click on “Properties” and select “Certificate” tab. Here you can add your own trusted certificate.

  1. Using a self-signed, auto-generated user's certificate (test environments):
  • Pls. start SQL Server Configuration Manager and select “SQL Server Network Configuration” →  “Protocols for IMAGICLE”. Right-click on “Properties” and select “Certificate” tab. Here you can add new self-signed certificate (check certificate requirements for SQL Server).

8) Configure the Application Suite to use secure connection to SQL Server (optional)

Secure connection to SQL server is not mandatory for TLS setup. However, it is reccomended, for secutity reasons, when SQL server runs on a different server.

If you want to use a secure connection to the SQL Server, run the Imagicle AS Database Configuration tool (from Start Menu/Imagicle Application Suite), then select the “Use secure connection” checkbox and complete the procedure following the configuration wizard’s instructions.

If an external SQL Server is used, the FQDN must be entered in the SQL Server location

8) Adjust the Application Suite SQL client version

Regardless you are using or not a secure connection to SQL, you need to increase the SQL client version used by the Imagicle services to connect to the database:

  1. Edit the file StonevoiceAS\System\SvSasDB.ini and replace the word 'SQLNCLI10 ' with 'SQLNCLI11'.
  2. Save the file.
  3. Stop and Start all Imagicle services or restart the server.

9) Complete HA-related configurations

In case of an HA environment, ensure all servers have all cluster certificates imported.

Article ID: 602
Last updated: 22 Nov, 2019
Revision: 16
Views: 761
Print Export to PDF Subscribe Share
This article was:  
Attached files
file TLS_1.2_NetFramework_RegistrySettings.zip (406 b)

Prev   Next
How to monitor IAS Performance Counters     How to migrate IAS data to a new SQL Server instance