With Christmas nearly upon us, many people are busy planning for the festive season and starting to look forward to 2020. However, there might just be a nasty late Christmas present in store when Microsoft release their latest security update which is due towards March 2020.
The technical details can be found here.
The concern is around the LDAP signing requirement. In summary, a change is going to be introduced that changes the default behaviour of connections to Microsoft Active Directory (MSAD) that will result in "non-secure" connections being dropped. This means that attempts to log on to Oracle EPM (although it should be noted that this applies to any software that makes similar connections) may result in the following:
So, with that out of the way, how can you check whether this is likely to affect you? This can be done by confirming how each Microsoft Active Directory defined in Shared Services has been configured.
The following example shows one of the inlumi labs setups:
The SSL Enabled box tells us, that in this instance, we will have a problem. This was tested by amending the following registry key on the Domain Controller as detailed here:
HKLM – SYSTEM – CurrentControlSet – Services – NTDS – Parameters – ldapserverintegrity
We can simulate the anticipated Microsoft January 2020 LDAP change simply by amending the defined value from 1 to 2 on the Domain Controller.
Sure enough, this prevents any MSAD users from being able to log on. We then went through the process of SSL Enabling the MSAD Configuration (note that as well as ticking the box, certificates may need installing into each Java certificate store) and logons started working again.
What should you do? If you’re an EPM administrator then you should confirm how your MSAD’s are configured. If there are any that are not enabled for SSL you should discuss the January 2020 update with your IT department and look to enable SSL prior to then. Be aware that there could be other IT infrastructure that needs to be considered such as firewalls rules to allow the secure connections to traverse over the network.
A final word on our inlumi lab testing. While we have tested the core EPM products and DRM, we have yet to test components that require MSAD to be configured in WebLogic such as the DRM API, FCM etc.
If any assistance is needed to ensure you get off to a great new year, please get in touch with us.