Kofax

Configuration Guide to Support TLS 1.2

Article # 3034678

Introduction

This document describes how to configure KCN Server and Remote Synchronization Agents to use
Transport Layer Security (TLS) 1.2. The goal of the configuration process is to accomplish the following:


1. Enable TLS 1.2 and related cryptographic algorithms.

2. Force the use of TLS 1.2 for .NET Framework applications.


No Kofax Capture product changes are necessary to support TLS 1.2. The purpose of this document is to
advise you of Windows configuration changes that are required to use KCN Server successfully in a TLS
1.2 environment. The configuration procedures should be performed by a person who has expertise and
detailed knowledge of the security policies and technical requirements for the environment where KCN
Server is deployed.

System requirements

The primary source of information about Kofax Capture requirements and dependencies on other
products is the Cross Product Compatibility Matrix, which is available on the Kofax website at
www.kofax.com. The matrix is updated regularly and we recommend that you review it carefully, to ensure
that you have the most current information.

Prerequisites

Before starting the configuration process, verify that your environment meets the following prerequisites:


▪ .NET Framework 4.5 or later is installed on IIS servers where KCN Web Server components are
installed and on remote site stations where Remote Synchronization Agents are running.

▪ IIS version 7.5 or later is installed on IIS Servers where KCN Web Server components are installed.

▪ KCN Server is configured to use HTTPS. Please refer to the Kofax Capture Installation Guide and the
Microsoft documentation for configuration instructions.

Configuration Procedure

Use this procedure to configure Kofax Capture 10.2 Remote Synchronization Agents to connect to the
KCN Server using TLS 1.2 to ensure secure web communication. Administrator privileges are required to
perform the registry key modifications in the procedure.

Registry Keys

Before proceeding, back up the registry keys to be modified when you follow the procedures in the IIS
Server and Remote Site Stations sections.


▪ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]

▪ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]

▪ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]


See the "Back up the registry" section of this Microsoft article ("How to back up and restore the registry in
Windows") for backup guidelines.

IIS Server

On the IIS server where the KCN Web Server components are installed, modify the registry to enable only
TLS 1.2 and related cryptographic algorithms.

1. See this Microsoft article ("How to restrict the use of certain cryptographic algorithms and protocols
in Schannel.dll") for modification instructions.

2. Restart the computer after modifications are complete.

Remote Site Stations

On the remote site stations, enable strong cryptography, which is required for use with TLS 1.2.

Follow the instructions in this Microsoft article ("Security Advisory 2960358"). Either install the update
mentioned in the article or, as an alternative, make the following registry modifications.

Although an update is available for systems running .NET Framework 4.5/4.5.1/4.5.2, the following
steps are intended primarily for customers with .NET Framework 4.5/4.5.1/4.5.2 applications running on
systems with .NET Framework 4.6 present. For customers running only .NET Framework 4.5, 4.5.1, or
4.5.2, the manual steps serve as an optional alternative to installing the available update.

1. Use one of the following samples to create a text file with a .reg extension, as applicable:


▪ 64-bit systems:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001


▪ 32-bit systems:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001


Note: If strong cryptography is disabled, SSL 3.0 and TLS 1.0 are used for secure connections.


2. Import the .reg file to the registry. See the "Restore the registry" section of this Microsoft article
("How to back up and restore the registry in Windows") for import guidelines.

3. Restart the computer after the import process is complete.
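
To confirm the result after the restart, the following read-only PowerShell check reports the registry values that the IIS Server and Remote Site Stations procedures modify. It is an added example, not part of the Kofax AppNote; it assumes the standard Schannel Protocols\<protocol>\Client and Server subkeys with their Enabled and DisabledByDefault values as documented by Microsoft, and the function name and status wording are choices made for this example.

```powershell
# Added example: read-only audit of the registry values this guide modifies.
# Run from an elevated 64-bit PowerShell session after the restart.
$netKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
)
$protocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent (the OS default applies).
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# .NET Framework strong cryptography (Remote Site Stations section).
$report = @(foreach ($key in $netKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }  # no Wow6432Node on 32-bit Windows
    $value = Get-RegDword -Path $key -Name 'SchUseStrongCrypto'
    [pscustomobject]@{
        Key    = $key
        Data   = if ($null -eq $value) { 'SchUseStrongCrypto not set' } else { "SchUseStrongCrypto=$value" }
        Status = if ($value -eq 1) { 'OK' } else { 'REVIEW: strong cryptography not enabled' }
    }
})

# Schannel protocol switches (IIS Server section: only TLS 1.2 enabled).
$report += @(foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        $path = Join-Path $protocolsKey "$proto\$role"
        $enabled = Get-RegDword -Path $path -Name 'Enabled'
        $disabledByDefault = Get-RegDword -Path $path -Name 'DisabledByDefault'
        # Any nonzero Enabled (1 or 0xFFFFFFFF) means the protocol is enabled.
        $status = if ($proto -ne 'TLS 1.2') {
            if ($enabled -eq 0) { 'OK (disabled)' } else { 'REVIEW: not explicitly disabled' }
        } elseif ($enabled -eq 0 -or $disabledByDefault -eq 1) {
            'REVIEW: TLS 1.2 disabled or off by default'
        } elseif ($null -eq $enabled) {
            'OS default (not set explicitly)'
        } else { 'OK' }
        [pscustomobject]@{
            Key    = $path
            Data   = "Enabled=$enabled DisabledByDefault=$disabledByDefault"
            Status = $status
        }
    }
})

$report | Format-Table -AutoSize -Wrap
```

The legacy-protocol rows apply to the IIS server, where the guide enables only TLS 1.2; on remote site stations the SchUseStrongCrypto rows are the ones to check.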

Level of Complexity

High

Applies to

Product: Kofax Capture
Version: 11.x

References

AppNote Kofax Capture Network Server Configuration Guide to Support TLS 1.2

 
