Post on 26-Sep-2020


How to prepare Imagicle server to support TLS protocol version 1.2 and enable it on the Application Suite

Applies to:

Imagicle Application Suite rel. Spring 2018.3.1 and above

Description:

This how-to explains the necessary steps (with all external download links) to prepare the Imagicle server to support TLS protocol version 1.2 and enable it on the Application Suite.

Please notice that the secure connection to SQL Server is not mandatory. However, it is recommended (for security reasons) if the SQL server is running on a different server.

How-to:

Configuration Task List

1. Check Imagicle Application Suite version and update if needed
2. Check Microsoft® Windows Server® version and update if needed
3. Edit Microsoft® Windows Server® Registry to enable TLS 1.2 as the only cryptographic protocol allowed
4. Edit Microsoft® Windows Server® Registry to enable .NET Framework support for TLS 1.2
5. Check Microsoft® SQL Server® version and update if needed
6. Check Certificate requirements
7. Configure the Application Suite to use secure connection to SQL Server (optional)
8. Adjust the Application Suite SQL client version
9. Complete HA-related configurations

1) Check Imagicle Application Suite version and update if needed

TLS 1.2 is supported by IAS rel. Spring 2018.3.1 or above.

To update Imagicle Application Suite please refer to our online admin guides.

If IAS ver. is 2020.Winter.1 or above, then Windows registry modifications are not required.

2) Check Microsoft® Windows Server® version and update if needed

It is mandatory to install specific updates onto Microsoft® Windows Server® before applying any further step.

Updates can be easily applied by running a Windows Update cycle, or by manually installing the following single hotfixes:

• KB4054980
• KB4054990
• KB4054999

More info at the following link: KB4076494

After updating Microsoft® Windows Server® perform a reboot.


3) Edit Microsoft® Windows Server® Registry to enable TLS 1.2 as the only cryptographic protocol allowed

On the Microsoft® Windows Server® which hosts the Imagicle Application Suite, several Registry keys need to be modified in order to enable TLS 1.2 while disabling any weaker cryptographic protocol.

An easy and intuitive tool that automates this complex editing is currently available for download:

https://www.nartac.com/Downloads/IISCrypto/IISCrypto.exe

Once you have downloaded the IISCrypto tool, launch it and apply the following configurations:

• Disable all protocols
• Disable and re-enable TLS 1.2

More info on how IISCrypto tool works at the following link:

https://www.nartac.com/Blog/post/2013/04/19/IIS-Crypto-Explained.aspx

4) Edit Microsoft® Windows Server® Registry to enable .NET Framework support for TLS 1.2

NOTE: If IAS is ver. 2020.Winter.1 or above, please skip this paragraph.

To enable TLS 1.2 support for .NET Framework, 4 additional Registry keys must be added to the Microsoft® Windows Server® which hosts the Imagicle Application Suite:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

You can use the attached file to merge the mentioned registry keys very quickly.

Once applied, perform a system reboot.
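
To confirm the result of steps 3 and 4 after the reboot, the following PowerShell script reads the values back and compares them with the expected state. It is an added example, not part of the Imagicle procedure or of the IIS Crypto tool; it assumes the standard Windows SCHANNEL "Protocols" registry layout and checks the four .NET Framework values listed above.

```powershell
# Added example: read-only audit, it changes nothing in the registry.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$report = @()

# Step 3: only TLS 1.2 should be enabled, for both the Client and Server roles.
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        $val = Get-ItemProperty -Path "$base\$proto\$role" -ErrorAction SilentlyContinue
        # No key or no "Enabled" value: Windows falls back to its built-in default,
        # which depends on the Windows version, so it is reported as not compliant.
        if ($null -eq $val -or $null -eq $val.Enabled) { $actual = 'OS default' }
        elseif ($val.Enabled -ne 0)                    { $actual = 'Enabled' }
        else                                           { $actual = 'Disabled' }
        $expected = if ($proto -eq 'TLS 1.2') { 'Enabled' } else { 'Disabled' }
        $report += [pscustomobject]@{
            Setting  = "SCHANNEL\$proto\$role"
            Actual   = $actual
            Expected = $expected
            OK       = ($actual -eq $expected)
        }
    }
}

# Step 4: the four .NET Framework values from this page, each expected to be 1.
$dotnet = @(
    @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319', 'SchUseStrongCrypto'),
    @('HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319', 'SchUseStrongCrypto'),
    @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727', 'SystemDefaultTlsVersions'),
    @('HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727', 'SystemDefaultTlsVersions')
)
foreach ($pair in $dotnet) {
    $path, $name = $pair
    $val = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    $report += [pscustomobject]@{
        Setting  = ($path -replace '^HKLM:\\SOFTWARE\\', '') + "\$name"
        Actual   = if ($null -eq $val) { 'missing' } else { $val }
        Expected = 1
        OK       = ($val -eq 1)
    }
}

$report | Format-Table -AutoSize
if ($report.OK -contains $false) {
    Write-Warning 'At least one setting differs from the state described in steps 3 and 4.'
}
```

Since this how-to states that the registry modifications are not required from IAS 2020.Winter.1 onward, rows reported as not compliant on such a system call for a review rather than an automatic change.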


5) Check Microsoft® SQL Server® version and update if needed

To enable TLS 1.2, the minimum required database version is Microsoft® SQL Server® Express 2008 R2 SP3, while the SQL Express included up to the Application Suite Spring 2019 Imagicle Installation Package is version 2008 R2 SP2. This means that, if you are relying on that setup, you will need to upgrade from version 2008 R2 SP2 to SP3. Starting from Imagicle Application Suite Summer 2019, the shipped version is Microsoft® SQL Server® Express 2017, which natively supports TLS 1.2 and does not require any additional installation.

More info at the following link: KB3135244

To upgrade from Microsoft® SQL Server® Express 2008 R2 SP2 installed on IAS to Microsoft® SQL Server® Express 2008 R2 SP3:

Download and install the SP3 update and reboot: https://www.microsoft.com/en-US/download/details.aspx?id=44271

Download and install TLS 1.2 support and reboot: https://www.dropbox.com/home/R%26D/TLS%201.2/SQL%20server%202008%20R2?preview=490328_intl_i386_zip.exe

6) Check Certificate requirements

If you want to use a secure connection to SQL Server (not mandatory for this procedure), a valid certificate must be used by SQL Server.

If you already have a trusted certificate for the Imagicle Server, please skip this section. Otherwise you can build a self-signed certificate suitable for a SQL Server in a lab/test environment by following this procedure:

• Log in to the Imagicle Application Suite
• Open a command prompt and move into the following directory: <StonevoiceAS>\System\SSL
• Launch the following command:

makecert -r -pe -n "CN=MININT-Q99PLQN.fareast.corp.microsoft.com" -b 10/16/2015 -e 12/01/2020 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -a sha256

• The name of the certificate (CN=) must equal the server FQDN or full computer name of the Imagicle Server

The SQL certificate must meet the following mandatory requirements:

• It must be valid, thus the current system date and time should be between the Valid From and Valid To properties of the certificate.
• It must be available in the WCS "Personal" section (Computer account).
• The Common Name (CN) in the Subject property of the certificate must be the same as the fully qualified domain name (FQDN) of the server computer.
• It must be issued for server authentication, so the Enhanced Key Usage property of the certificate should include 'Server Authentication (1.3.6.1.5.5.7.3.1)'.
• It must be created by using the KeySpec option of 'AT_KEYEXCHANGE'.

Moreover, the certificate should be available in "Trusted root certification authorities". If not available, you can export it without a private key from Personal → Certificates and subsequently import it in Trusted Root Certification Authorities → Certificates. See below screenshots for the complete export/import procedure:

Certificate Export


Certificate Import

Import must be done on the machine where SQL Server instance is installed.


See this link for additional information.

Please notice that these requirements do not apply if you're going to establish a plain (unsecure) connection to SQL Server.

Also ensure the following:

• The certificate must be listed in "Personal" section of WCS (check using certlm.msc)
• The "Subject" property must equal server FQDN
• Server authentication (eku=1.3.6.1.5.5.7.3.1) must be enabled
• Must be created with KeySpec option set to "AT_KEYEXCHANGE"
• Must also be listed in "Trusted root certification authority" section: if not listed, copy from "Personal/Certificates" section.
• Check certificate permissions: "NETWORK SERVICE" user must be present and have Full control
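
The certificate requirements in section 6 and the checklist above can be verified in one pass with the following PowerShell function. It is an added example, not Imagicle or Microsoft code; the function name Test-SqlTlsCertificate is hypothetical, and it assumes it is run elevated on the SQL Server machine with a certificate whose private key is held by a legacy CSP, as the makecert command in this how-to produces.

```powershell
# Added example: read-only check of every certificate in LocalMachine\My.
function Test-SqlTlsCertificate {
    param(
        # Assumption: run on the SQL Server machine, so its own FQDN is the expected CN.
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $ekuType    = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $sidType    = [System.Security.Principal.SecurityIdentifier]
    $keyDir     = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    $rootThumbs = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })
    $now        = Get-Date

    foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My)) {
        $ekus = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
                  ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })

        $keySpec = 'none'; $netSvcFull = $false
        try {
            # CSP keys expose KeyNumber: Exchange = AT_KEYEXCHANGE, Signature = AT_SIGNATURE.
            $info = $cert.PrivateKey.CspKeyContainerInfo
            if ($info) {
                $keySpec = [string]$info.KeyNumber
                $keyFile = Join-Path $keyDir $info.UniqueKeyContainerName
                $acl     = Get-Acl -Path $keyFile -ErrorAction Stop
                # S-1-5-20 is the well-known SID of NETWORK SERVICE.
                $netSvcFull = [bool]($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
                    $_.IdentityReference.Value -eq 'S-1-5-20' -and
                    $_.AccessControlType -eq 'Allow' -and
                    $_.FileSystemRights -eq 'FullControl' })
            }
        } catch {
            if ($keySpec -eq 'none') { $keySpec = 'unreadable (CNG key or insufficient rights)' }
        }

        [pscustomobject]@{
            Subject                   = $cert.Subject
            Thumbprint                = $cert.Thumbprint
            WithinValidity            = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            CnEqualsFqdn              = ($cert.GetNameInfo('SimpleName', $false) -eq $Fqdn)
            ServerAuthEku             = ($ekus -contains $serverAuth)
            KeySpec                   = $keySpec   # expected: Exchange
            # Matches the self-signed case on this page; a CA-issued certificate
            # is trusted through its issuer's root instead.
            InTrustedRoot             = ($rootThumbs -contains $cert.Thumbprint)
            NetworkServiceFullControl = $netSvcFull
        }
    }
}

Test-SqlTlsCertificate | Format-List
```

A certificate that satisfies the list shows True in every boolean column and "Exchange" under KeySpec.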


7) SQL Server Engine Configuration

To allow encrypted connections to SQL Server, you must configure a certificate. This is accomplished in two different ways:

1. Using your own trusted certificate (in production environments):

Please start SQL Server Configuration Manager and select "SQL Server Network Configuration" → "Protocols for IMAGICLE". Right-click on "Properties" and select the "Certificate" tab. Here you can add your own trusted certificate.


2. Using a self-signed, auto-generated user's certificate (test environments):

Please start SQL Server Configuration Manager and select "SQL Server Network Configuration" → "Protocols for IMAGICLE". Right-click on "Properties" and select the "Certificate" tab. Here you can add a new self-signed certificate (check certificate requirements for SQL Server).


8) Configure the Application Suite to use secure connection to SQL Server (optional)

Secure connection to SQL server is not mandatory for TLS setup. However, it is recommended, for security reasons, when SQL server runs on a different server.

If you want to use a secure connection to the SQL Server, run the Imagicle AS Database Configuration tool (from Start Menu/Imagicle Application Suite), then select the "Use secure connection" checkbox and complete the procedure following the configuration wizard's instructions.


If an external SQL Server is used, the FQDN must be entered in the SQL Server location

8) Adjust the Application Suite SQL client version

Regardless of whether or not you are using a secure connection to SQL, you need to increase the SQL client version used by the Imagicle services to connect to the database:

1. Edit the file StonevoiceAS\System\SvSasDB.ini and replace the word 'SQLNCLI10' with 'SQLNCLI11'.
2. Save the file.
3. Stop and Start all Imagicle services or restart the server.

9) Complete HA-related configurations

In case of an HA environment, ensure all servers have all cluster certificates imported.
