Enabling TLS UIM hub

Article ID: 144974

Products

NIMSOFT PROBES DX Infrastructure Management

Issue/Introduction

We have a problem when enabling TLS 1.2 for the UIM hub which is running on Linux. We want to enable secure communications between hubs and robots.

Cause

- scattered documentation

Environment

Release : 9.2.0

Component : UIM - HUB

Resolution

You need UIM v9.2.0 or higher to enable TLS 1.2 for hub <-> Robot communication:

CA Unified Infrastructure Management 9.2.0
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/9-0-2/release-notes/ca-uim-9-service-pack-1.html

See Release Comparison at:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/9-0-2/release-notes/release-comparison.html

and then refer to the section titled: Secure Hub and Robot

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/9-0-2/upgrading/ca-uim-upgrade-step-3-deploy-the-upgrade/upgrade-uim-server/secure-hub-and-robot-ca-uim-9-sp1.html


Hotfix site:
https://techdocs.broadcom.com/us/product-content/recommended-reading/technical-document-index/ca-unified-infrastructure-management-hotfix-index.html?r=2

Hotfixes that should be applied currently include:

- hub: hub-9.20HF6.zip (or hub_secure-9.20SHF6.zip for secure hubs)
- robot: robot_update-9.20HF9.zip (or robot_update_secure-9.20SHF9.zip for secure robots)
- UMP: UMP902_HF2 (UMP 9.0.2 Hotfix 2)

Additional Information

If you need to enable TLS for the tunnel configuration, you can use the following procedure, which should also pass PCI because it is TLS 1.2.

This works for hub version 7.93 or higher. 

  1. In IM, open the hub GUI
  2. Click on the Tunnels Tab
  3. Make sure Server 'Active' is checked if this is the Tunnel Server
  4. Under Security Settings click 'Custom'
  5. In the Custom box, enter the following cipher string: AESGCM:!aNULL
  6. It's recommended to recreate the SSL cert if one already existed.

At that point, if you examine hub.log on first start, when the tunnels are initialized, you will see a message to the effect of starting Tunnels with TLS Enabled.
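To see what the custom string from step 5 actually permits, the following added example (not part of the original article or of UIM) expands it with Python's `ssl` module and checks each resulting suite. It assumes the local OpenSSL build that Python links against, which may differ from the library bundled with the hub; the function names are illustrative.

```python
import ssl

HUB_TUNNEL_CIPHERS = "AESGCM:!aNULL"  # custom string from step 5


def expand(cipher_string):
    """Return the non-TLS-1.3 suites the local OpenSSL selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately in OpenSSL and are not
    # governed by this string, so they are left out of the audit.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Return (suite, problem) pairs for suites that break the intended policy."""
    problems = []
    for c in expand(cipher_string):
        name = c["name"]
        if "AES" not in name or "GCM" not in name:
            problems.append((name, "not AES-GCM"))
        # OpenSSL names anonymous (unauthenticated) suites ADH-* / AECDH-*.
        if name.startswith(("ADH-", "AECDH-")):
            problems.append((name, "anonymous key exchange"))
        # GCM suites were introduced with TLS 1.2; anything else is older.
        if c["protocol"] != "TLSv1.2":
            problems.append((name, "not a TLS 1.2 suite: " + c["protocol"]))
    return problems


if __name__ == "__main__":
    for c in expand(HUB_TUNNEL_CIPHERS):
        print(f'{c["protocol"]:8} {c["name"]}')
    print("policy violations:", audit(HUB_TUNNEL_CIPHERS) or "none")
```

Because every AES-GCM suite is defined only for TLS 1.2, restricting the tunnel to this string is what forces the negotiation to TLS 1.2, and `!aNULL` removes the suites that skip peer authentication.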