Hello Rodney,

I can see that you have opened, as I would have suggested, a ticket with Technical Support.

It would seem it is an issue with a Python Library, but let elevate this to Development now and see what they tell us.

Thanks.

Regards,

Luciano Testa

It concerns me this wasn't tested before release.  Every release since 6.4.2 has been a mess for one reason or another.  Please do better QC

Thanks for reporting this, I was in a process of upgrading to 6.4.3.

Can be this fixed ASAP ?

Hello,

Development is working on a fix right now.

6.4.3 has temporarily been removed from the update channel until this is done.

My apologies.

Thanks.

Regards,

Luciano Testa

I see there is a solution for that in knowledge base: https://portal.microfocus.com/s/article/KM000029147

But 6.4.3 still seems to be withdrawn from the channels - is there a time frame for when it will be back?

We are looking forward for an update that hopefully will solve the problems introduced with 6.4.2.

Best regards,

Mirko Guldner

Hello,

Development is working on 6.4.3 as we speak to have re-released as soon as they can, but there is not a date yet for this.

Thanks.

Regards,

Luciano Testa

Thanks for notification. I also saw this in release notes:

If you use eDirectory for your LDAP repository, before upgrading to Advanced Authentication 6.4 Service Pack 3, ensure to modify the LDAP server configuration in the NetIQ iManager for eDirectory to either one of the following ways:

Hello Sebastian,

I will ask for more information on this, but I suppose it means to have eDir to use the latest ciphers set, that's all.

It's not asking to switch to EC either, if you can. Either way.

Thanks.

Regards,

Luciano Testa

I'm asking because there are multiple configurations on eDirectory LDAP server, like:

- Bind restrictions for Ciphers (is High Cipher good enough or we need SuiteB?):

- Protocols:

- Or specify ciphers directly:

I think documentation would need to be a bit more specific what is minimum requirement for AA TLS ciphers.

Kind regards,

Sebastijan

This Knowledge article has changed. There was a version before, that contained information how to set ciphers for LDAP in iManager. Don't know why they changed it - accidentally or because the solution did not work?

"Change the certificate used by eDirectory to SSL EC CertificateDNS and perform  steps 3 - 5 above" when there's nothing in 

https://portal.microfocus.com/s/article/KM000029147?language=en_US to read!

Hello,

I have informed Product Management and Development about this. Right now I can't add anything else.

Let's wait until they are online and can clarify this.

Thanks.

Regards,

Luciano Testa

Uncheck all Protocols except tls 1.2

in the Cypers box, enter the following

DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

I did upgrade to 6.4.3, without changing anything on eDirectory side synchronization is working.

Which bind settings do you have for the LDAP server? If it's "High Cipher" I guess this what is meant by "the current strong set of TLS ciphers for RSA certificates" in the release notes.

Next question would be: is this different for OES or eDirectory versions? Which version do you have?

Hello,

Here is the formal recommendation from engineering:

In the new release of AA 6.4.3.0-340, we now support/use the set of cipher-suites configured in the Policies > HTTPS Options > Advanced SSL Settings > Pre-defined SSL ciphersuite options.  

We recommend that customers change to use an EC certificate if they can.  Once using an EC certificate,  we also recommend that the Policies > HTTPS Options > Advanced SSL Settings > Pre-defined SSL ciphersuite options should be set to SSL Labs score:90 (#1) or SSL Labs score: 100 

If a customer cannot use an EC certificate, they will need to use the "Less restrictive ciphers for backward compatibility" Pre-defined SSL ciphersuite. 

Thanks.

Regards,

Luciano Testa

Hello,

Here is the formal recommendation from engineering:

In the new release of AA 6.4.3.0-340, we now support/use the set of cipher-suites configured in the Policies > HTTPS Options > Advanced SSL Settings > Pre-defined SSL ciphersuite options.  

We recommend that customers change to use an EC certificate if they can.  Once using an EC certificate,  we also recommend that the Policies > HTTPS Options > Advanced SSL Settings > Pre-defined SSL ciphersuite options should be set to SSL Labs score:90 (#1) or SSL Labs score: 100 

If a customer cannot use an EC certificate, they will need to use the "Less restrictive ciphers for backward compatibility" Pre-defined SSL ciphersuite. 

Thanks.

Regards,

Luciano Testa