ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Using Data Center Security (DCS) 6.7 MP3 and above with TLSv1.2 only

book

Article ID: 172365

calendar_today

Updated On:

Products

Data Center Security Monitoring Edition Data Center Security Server Data Center Security Server Advanced

Issue/Introduction

You want to know how to switch to TLSv1.2 only, and what impact that will have with agent communications.

Environment

DCS 6.7 MP3 and above

Resolution

If I enable TLSv1.2 only for UMC/DCS server of 6.7 MP3 and above versions, which DCS agents installed on the old OS would be affected?

Windows platforms:
Agent on Windows 2008, Windows 2003, Windows XP and older windows versions will fail to communicate and will be shown offline.

https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-?redirectedfrom=MSDN

                

Linux Platforms:
Agents installed on RHEL, SLES, Ubuntu OSes use Openssl package installed on OS. So if openssl version is older than v1.0.1 installed on OS then communication of those agents with DCS Manager will no longer work, Agents will fail to communicate and will be shown offline.

Note: Openssl versions 1.0.1 and above supports TLS 1.2. Refer to Openssl changelog section "Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1"
https://abi-laboratory.pro/tracker/changelog/openssl/1.0.1e/log.html

If Openssl 1.0.1 package is not available for certain versions of Linux OS then Communication of those agents will break.
e.g. RHEL 5.x and RHEL version before 6.5 do not have openssl 1.0.1 package available on their repository

Frozen Platforms:
Additionally following frozen platforms will also fail to communicate with DCS Manager server using TLS v1.2

-              Red Hat Enterprise Linux 4
-              SUSE Linux Enterprise Server 9
-              Solaris 9
-              HP-UX 11i V2 (11.23) (64-bit)
-              HP-UX 11i V1 (11.11) (64-bit)
-              Windows 2003
-              Windows XP Professional
-              Windows 2000
-              Windows NT Server 4.0

AIX and Solaris:
AIX and Solaris x86 and sparc agents uses Openssl shipped with the agent installer. Those AIX and Solaris binaries in 6.7.3 CD image ships Openssl version which supports TLS v1.2. OpenSSL version that we ship with 6.8.2 agents is 1.0.2u.

AIX 5 binary has updated version of (5.2.9. MP6 HF7) available for download. It is also shipped with Openssl version which supports TLS v1.2.

How do I make the change
Location: "/tomcat/conf" folder of DCS server installation path
Filename: server.xml

1) Make a copy of the server.xml

2) Edit the server.xml, change the following parameters:

3) sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to sslEnabledProtocols="TLSv1.2"  for all locations

4) sslProtocol="TLS" to sslProtocol="TLSv1.2" for all locations

5) Changes to ciphers may also be required

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,     TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

6) Save the server.xml 
7) Restart the DCS Manager Service - Please note that the DCS Manager Service will need to be restarted for the changes take effect.