Transport Layer Cipher


We want to update the cipher suite (SSL Cipher Suite Order) on a Windows server that is currently hosting the QPM Self-Service site and the QPM Service (5.5.2). We know that this version has reached end-of-life, and we are in the process of updating.

I know that the administration GUI lets you choose a certificate for communicating between the self-service instance and the service itself, and that you set encryption/hashing once for storing sensitive Q/A information in Active Directory. What I can't seem to find is any specification of what transport-level security (TLS/SSL) Password Manager uses to communicate with Active Directory.

In other words, what ciphers need to be kept as allowed in order for Password Manager to keep functioning and integrating normally?

  • I would recommend looking at the PWM tech documentation, or maybe opening an SR to reach Product Management.

    As far as I remember, many years ago PWM used to pass an "exam" to satisfy formal compliance rules (encryption, transport/passing of information between end-points, IIS/website URL attacks, etc.). That included the technology used for communication between end-points (like the secure Windows transport layer, SSL and many other layers). I recall that the list of transport layer protocols was provided in some official tech docs.

    #1. The DMZ\IIS\PMUser website (client) talks in a secure manner to the Intranet\PM Management Service (server). It includes SSL and can be changed multiple times on DMZ\IIS. It might require reinstalling the "client side" DMZ\IIS\PMUser client website.

    #2. The Encryption Key (for Q/A storage) is set once and for all at the original deployment on the PM Service (server side), has nothing to do with #1, and "survives" all upgrades.

    The upgrade from 5.5.x to 5.8.2 is not straightforward. Concerns: rollback; changing the stored Q/A (client side, a huge dependency, and once for all users (!)); changing the server-side Windows OS and SQL/SSRS version. I have implemented the upgrade a few times and would recommend talking to PSO: the upgrade big picture includes your questions. In the end, reinstalling the legacy 5.5.2 DMZ\IIS may not be necessary as part of the upgrade roadmap.
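The question above is really "which suites can I drop without breaking the product", and the thread gives no list, so the practical check is to measure what the server actually negotiates before and after tightening the SSL Cipher Suite Order. The PowerShell below is an added example, not code from the original post or from the Password Manager product; it assumes Windows Server 2016 or later (for Get-TlsCipherSuite / Disable-TlsCipherSuite), and the host names dc01.corp.example and pmservice.corp.example are placeholders for your own domain controller and PM Service host. It only measures TLS endpoints (LDAPS on 636, HTTPS on 443); LDAP traffic protected by Kerberos/NTLM sign-and-seal does not go through Schannel cipher suites and is not visible to this test.

```powershell
# Added example: measure the negotiated TLS parameters to a host before and
# after changing the local cipher suite list. Not from the original thread.
# Assumptions: Windows PowerShell 5.1 on Windows Server 2016+; the target host
# names below are placeholders; the ports are TLS endpoints.

function Get-NegotiatedTls {
    param(
        [Parameter(Mandatory)] [string] $TargetHost,
        [Parameter(Mandatory)] [int]    $Port
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($TargetHost, $Port)
        # Accept any server certificate: we only want to observe the negotiation,
        # not validate the chain. Do not reuse this callback in production code.
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
        try {
            # Uses the local Schannel client configuration, so it reflects the
            # cipher suite order in force on this server.
            $ssl.AuthenticateAsClient($TargetHost)
            [pscustomobject]@{
                Target      = "$TargetHost`:$Port"
                Protocol    = $ssl.SslProtocol
                KeyExchange = $ssl.KeyExchangeAlgorithm
                Cipher      = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
                Hash        = $ssl.HashAlgorithm
            }
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }
}

# Placeholder endpoints (assumption): a domain controller over LDAPS and the
# PM Service host over HTTPS. Replace with your own names.
$targets = @(
    @{ Host = 'dc01.corp.example';       Port = 636 }
    @{ Host = 'pmservice.corp.example';  Port = 443 }
)

# 1. Record what the OS currently offers, before touching the order.
Get-TlsCipherSuite | Select-Object Name, Protocols | Format-Table -AutoSize

# 2. Record what each endpoint negotiates with the current configuration.
$before = foreach ($t in $targets) { Get-NegotiatedTls -TargetHost $t.Host -Port $t.Port }
$before | Format-Table -AutoSize

# 3. Opt in to removing one suite (here a 3DES suite as an illustration), then
#    re-test the same endpoints. Set $ApplyChange = $true only on a test system.
$ApplyChange = $false
$suiteToDrop = 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
if ($ApplyChange) {
    Disable-TlsCipherSuite -Name $suiteToDrop
    $after = foreach ($t in $targets) { Get-NegotiatedTls -TargetHost $t.Host -Port $t.Port }
    $after | Format-Table -AutoSize
    # Rollback if anything stopped working:
    # Enable-TlsCipherSuite -Name $suiteToDrop
}
```

Run step 2 once per endpoint the product talks to (self-service site to PM Service, PM Service to each domain controller) and keep the output as your baseline; a suite that never shows up in any negotiation is a safe candidate to disable. Note that if the "SSL Cipher Suite Order" policy is set by Group Policy, it takes precedence over the local list edited by Disable-TlsCipherSuite, so apply the change in the same place the policy lives.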