Knowledgebase:
TLS 1.2 upgrade for MarkLogic running in Azure and AWS cloud
19 June 2023 03:17 PM

Summary

AWS and Azure have announced the imminent disabling of TLS 1.0 and 1.1 for access to their respective key management systems (KMS). Action must be taken now to ensure your MarkLogic clusters can continue operating as normal beyond the end of June.

Microsoft Azure:

Microsoft Azure KMS has stopped supporting TLS versions lower than TLS v1.2 as of 06/12/23. Similarly, Azure Active Directory (Azure AD) will soon stop supporting the following Transport Layer Security (TLS) protocols and ciphers:

    • TLS 1.1
    • TLS 1.0
    • 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)

Amazon AWS:

Amazon AWS plans to stop accepting connections from software clients using TLS 1.0/1.1 by 06/28/23, requiring all client connections to use TLS v1.2 at minimum.

Am I affected? 

This technical advisory is only relevant to customers using MarkLogic 9, 10 or 11 in conjunction with the AWS KMS or the Azure Key Vault. 

To establish if this is the case navigate to the KeyStore tab of your cluster configuration in the MarkLogic Admin UI and check if encryption is turned on, the KMS type is set to external and the “host name” is either an Azure Key Vault host or an AWS KMS host as illustrated below. 

Admin GUI configuration for external KMS: navigate to Admin GUI -> Configure -> Clusters -> 'Keystore' tab.

  • Azure Key Vault

  • AWS KMS

    • Query Console query to determine KMS config:

    xquery version "1.0-ml";
    import module namespace admin = "http://marklogic.com/xdmp/admin" at "/MarkLogic/admin.xqy";

    (: read the current cluster configuration and report the keystore KMS type :)
    let $config := admin:get-configuration()
    return admin:cluster-get-keystore-kms-type($config)

    ==> internal
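The three checks described above (encryption turned on, KMS type external, host name pointing at Azure Key Vault or AWS KMS) can be combined into a single Query Console query. This is an added example, not part of the original article; it uses the MarkLogic admin API accessors for the keystore host name and the encryption settings, and the host name patterns used to recognise the two cloud providers are assumptions.

```xquery
xquery version "1.0-ml";
import module namespace admin = "http://marklogic.com/xdmp/admin" at "/MarkLogic/admin.xqy";

(: Read the cluster configuration once and pull the keystore settings from it :)
let $config := admin:get-configuration()
let $kms-type := admin:cluster-get-keystore-kms-type($config)
let $kms-host := admin:cluster-get-keystore-host-name($config)

(: Encryption at rest is in use if any of the three settings is "default-on" :)
let $encryption-on :=
  (admin:cluster-get-data-encryption($config),
   admin:cluster-get-config-encryption($config),
   admin:cluster-get-logs-encryption($config)) = "default-on"

(: Assumed host name patterns: Azure Key Vault hosts end in .vault.azure.net,
   AWS KMS endpoints look like kms.<region>.amazonaws.com :)
let $provider :=
  if (matches($kms-host, "\.vault\.azure\.net$", "i")) then "Azure Key Vault"
  else if (matches($kms-host, "^kms(-fips)?\.[a-z0-9-]+\.amazonaws\.com$", "i")) then "AWS KMS"
  else "none/unknown"

(: Affected only when all three conditions from the advisory hold :)
let $affected :=
  $encryption-on and $kms-type eq "external" and $provider ne "none/unknown"
return
  <kms-tls-check>
    <encryption-on>{$encryption-on}</encryption-on>
    <kms-type>{$kms-type}</kms-type>
    <kms-host>{$kms-host}</kms-host>
    <provider>{$provider}</provider>
    <affected-by-tls-deprecation>{$affected}</affected-by-tls-deprecation>
  </kms-tls-check>
```

Run it as an admin user in Query Console; a result with affected-by-tls-deprecation set to true means the remediation section below applies to this cluster.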

Impact on MarkLogic Server

MarkLogic Server configured with an external KMS (AWS KMS or Azure Key Vault) will fail to connect to the KMS server once TLS 1.0/1.1 connections are no longer accepted, and as a result encrypted databases will go offline. If the Security database is encrypted and the KMS server cannot be reached, the Admin GUI will no longer be accessible to perform any corrective administrative action, resulting in a lockout situation.

Administrators would see error messages such as the following in the ErrorLog:

XDMP-FORESTERR: Error in mount of forest AW-modules-1: XDMP-AZUREKEYVAULTERR 400 Bad Request code=NotSupported message="The caller is using an older TLS version for authentication to Key Vault.TLS 1.0 is no longer accepted by KeyVault Service.

MarkLogic Server connections to AWS S3 buckets will be affected by the same connection failure, so backup and restore operations that use S3 will fail as well.

Remediation and course of action

Once you establish that you are affected by verifying your configuration, please log a ticket with our technical support by visiting https://help.marklogic.com/Tickets/Submit/ and specify the exact version of MarkLogic Server you are running so the team can direct you to the appropriate remediation procedure. 

All customers using an external KMS for encryption at rest in an AWS or Azure KMS environment must upgrade to a patch release.

Note: Mitigation is greatly simplified if the cluster is operational during the remediation process. DO NOT WAIT FOR THE ISSUE TO MANIFEST ITSELF BEFORE TAKING ACTION.

Impact and Remediation for DHS customers

AWS Data Hub Service (DHS) instances with service versions >= 3.0 are impacted due to their default usage of external AWS KMS endpoints for encryption at rest and S3 encryption.

MarkLogic CloudOps support team will initiate and open a ticket for affected customers arranging for any planned downtime and steps to remedy.

DHS customers have no action to take for the services hosted by MarkLogic CloudOps, unless they also run their own on-prem clusters, in which case they should follow the process outlined for the non-DHS environment ("Impact on MarkLogic Server").
