
Troubleshooting TLS Issues for ITMS 8.1


Article ID: 174672


Products

IT Management Suite

Issue/Introduction

Troubleshooting TLS Issues for IT Management Suite (ITMS) 8.1

Environment

ITMS 8.1

Resolution

How to Enable TLS 1.1 and 1.2 and Disable TLS 1.0 for ITMS 8.1 RU7


Warning: Do not disable TLS 1.0 in the Notification or Site Server communication profiles until you have followed all these steps and have verified that your Cloud Enabled Management (CEM) Symantec Management Agents (SMAs) have received the updated policies.

Preparation – Patch and Backup/Snapshot

  1. Patch all client and server machines (see Support for SSL/TLS protocols on Windows).
  2. Patch SQL Server (see TLS 1.2 support for Microsoft SQL Server). Please also see FIX: You cannot use the Transport Layer Security protocol version 1.2 to connect to a server that is running SQL Server 2014 or SQL Server 2012.
  3. Back up or snapshot the Notification Server, the SQL Server housing the CMDB, and the Site Servers.

Use IIS Crypto to verify and change Protocol Settings on your ITMS servers.

  1. Make a backup of your Windows Registry.
  2. In this example, we will use IIS Crypto to enable TLS 1.1 and 1.2 on the Notification Server.
    1. Do NOT change the Ciphers, Hashes, or Key Exchanges.
    2. Use the "Schannel" tab (Red Arrow below) in IIS Crypto to enable TLS 1.1 and 1.2. Boxes with grayed-out check marks indicate the protocol is installed but the registry keys have not been created.
    3. To enable the protocols, uncheck & recheck the boxes for TLS 1.1 & 1.2 for the Server Protocols (In yellow below) & the Client Protocols (in orange below).
    4. After you uncheck and recheck the boxes for TLS 1.1 and 1.2 for the Server Protocols and the Client Protocols, you will see the following:
    5. Notice that the checks in the boxes are no longer grayed-out.
    6. Click "Apply" and then reboot the computer for the changes to take effect.
    7. Make another backup of your Windows Registry.
    8. Using Regedit, go to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
    9. You will see that TLS 1.1 and 1.2 for Client and Server are now enabled.
  3. On each ITMS server, open Regedit and browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, then set EventLogging to a value of “4”. For more information, see How to enable Schannel event logging in IIS.
    1. This enables Schannel event logging in the System Event log. For more information on the Schannel events that you may see in the System Event log, see Schannel Events.
  4. If you make a mistake editing the protocols with IIS Crypto, restore the Windows Registry from one of the backups you made above. Although not as reliable as a backup, you may also open IIS Crypto, go to the “Templates” tab, select “Server Defaults” from the drop-down box, and then click the “Apply” button (make a backup of the Windows Registry before doing this).
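The same Schannel change can be made and audited without IIS Crypto. The following PowerShell script is an added example, not code from the Broadcom article or from IIS Crypto: it exports the SCHANNEL key to a .reg file in %TEMP% (a path chosen here, not one the article specifies) so the change can be rolled back with reg import, creates the explicit Enabled and DisabledByDefault values for TLS 1.1 and 1.2 on both the Client and Server side, sets EventLogging to 4 as the article specifies, and then lists the resulting state of every protocol that has explicit values. It deliberately leaves TLS 1.0, ciphers, hashes and key exchanges untouched. Run it in an elevated prompt and reboot afterwards.

```powershell
# Added example (not part of the Broadcom article): enable TLS 1.1 and 1.2 for the
# Schannel client and server, set Schannel EventLogging to 4, and audit the result.
# Run as Administrator; reboot afterwards. TLS 1.0 is intentionally not changed.

$SchannelKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ProtocolsKey = Join-Path $SchannelKey 'Protocols'
# Backup location is an assumption of this example; use any folder you prefer.
$BackupPath   = Join-Path $env:TEMP ('SCHANNEL-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# 1. Export the SCHANNEL key so the change can be rolled back with: reg import <file>
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $BackupPath /y | Out-Null
Write-Host "Registry backup written to $BackupPath"

# 2. Create the explicit Enabled / DisabledByDefault values (this is what unchecking
#    and re-checking a protocol box in IIS Crypto produces).
foreach ($proto in 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $ProtocolsKey "$proto\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# 3. Turn on Schannel event logging in the System log (value 4, per the article).
New-ItemProperty -Path $SchannelKey -Name 'EventLogging' -PropertyType DWord -Value 4 -Force | Out-Null

# 4. Audit: one row per protocol/side that has explicit registry values.
#    A $null Enabled/DisabledByDefault means the value is absent and the OS default applies.
function Get-SchannelProtocolState {
    foreach ($protoKey in Get-ChildItem -Path $ProtocolsKey -ErrorAction SilentlyContinue) {
        foreach ($sideKey in Get-ChildItem -Path $protoKey.PSPath -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $sideKey.PSPath
            [pscustomobject]@{
                Protocol          = $protoKey.PSChildName
                Side              = $sideKey.PSChildName
                Enabled           = $props.Enabled
                DisabledByDefault = $props.DisabledByDefault
            }
        }
    }
}

Get-SchannelProtocolState | Sort-Object Protocol, Side | Format-Table -AutoSize
Write-Host 'Reboot for the Schannel changes to take effect.'
```

Run Get-SchannelProtocolState again after the reboot, and on every ITMS server, before touching the communication profiles; a row for TLS 1.0 with Enabled = 0 at this stage means someone has already gone further than the procedure allows.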


Use the Symantec Management Console to change the Communication Profiles

  1. Use the Symantec Management Console to change the Communication Profiles for the Notification Server and the Site Servers. Click the "Edit" link next to "SSL certificates are defined for current profile" and check the TLS 1.1 and 1.2 boxes.
  2. Do NOT uncheck the TLS 1.0 box until the clients have had a chance to receive the configuration update about TLS 1.1 and 1.2. Doing so will result in the complete loss of communication between the Symantec Management Agents and the Notification and Site Servers.


Notification Server Communication Profile

After checking the TLS 1.1 and TLS 1.2 boxes (highlighted in yellow above), click “OK” and then “Save Changes”.


Site Server(s) Communication Profile

After checking the TLS 1.1 and TLS 1.2 boxes (highlighted in yellow above), click “OK” and then “Save Changes”.

  3. Allow all clients time to receive the new communication profile information from Step 2.


  4. Using a few client machines, including CEM client machines, verify that the new communication profiles have been received by doing the following:
    1. Open a command prompt as Administrator and go to [Install Drive]\Program Files\Altiris\Altiris Agent.
    2. Run the following command: aexagentutil /diags
    3. Open the Symantec Management Agent and go to the “Agent Settings” tab. You will see all cryptographic protocols that have been enabled (see highlight below).

Changes to the Symantec Gateway Server

  1. Back up or snapshot the Gateway Server.
  2. On the Gateway Server, back up the contents of <Install Drive>\Program Files\Symantec\SMP Internet Gateway\Apache\conf.
  3. Using the backup copy created in Step 2 above, open the httpd.conf file with Notepad++ and find the #SSL section.

Look for the following in the #SSL section:

SSLProtocol ALL -SSLv2 -SSLv3

SSLProtocol ALL -SSLv2 -SSLv3 means that TLSv1, TLSv1.1, and TLSv1.2 are enabled and that SSLv2 and SSLv3 are disabled. SSLv2 is the predecessor of SSLv3, which is the predecessor of TLSv1.

For more information see the SSL Protocol Directive.


If you see “SSLProtocol ALL -SSLv2 -SSLv3” (minus the quotes, highlighted in yellow below) TLSv1 TLSv1.1 TLSv1.2 are all enabled.

Also, if you see “SSLProtocol TLSv1 TLSv1.1 TLSv1.2” (minus the quotes) you should be fine.

Do NOT disable TLSv1 at this point. Doing so will cause the CEM Symantec Management Agents to lose their connection to the Gateway. In addition, they will not be able to connect to the Gateway and the Notification Servers to get their new connection profiles. This means that you will have to touch each of your machines or use automated methods outside of ITMS to make changes.
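Reading the SSLProtocol directive by eye is error-prone once it mixes ALL with +/- tokens or appears more than once in the file. The PowerShell below is an added example, not part of the article or the SMP Internet Gateway product: it evaluates an SSLProtocol line the way the article describes (ALL enables every protocol named on this page, -X removes one, +X or a bare name adds one), then scans httpd.conf for every active, uncommented SSLProtocol line and flags any that would leave TLSv1 disabled. The path assumes a C: install drive; the two directive strings checked at the end are the ones quoted in the article.

```powershell
# Added example (not from the Broadcom article or the Symantec product): evaluate
# Apache SSLProtocol directives and warn when TLSv1 would be disabled while CEM
# agents still need it. Modelled on the article's description; real mod_ssl's ALL
# never includes SSLv2 on Apache 2.4, which does not change the TLSv1 result.

$HttpdConf = 'C:\Program Files\Symantec\SMP Internet Gateway\Apache\conf\httpd.conf'  # assumes C: install drive
$Known     = 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'

function Resolve-SslProtocolDirective {
    param([Parameter(Mandatory)][string]$Directive)   # e.g. 'SSLProtocol ALL -SSLv2 -SSLv3'
    $tokens  = ($Directive -replace '^\s*SSLProtocol\s+', '') -split '\s+' | Where-Object { $_ }
    $enabled = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($t in $tokens) {
        $op = '+'; $name = $t
        if ($t -match '^[+-]') { $op = $t.Substring(0, 1); $name = $t.Substring(1) }
        if ($name -ieq 'ALL') {
            $set = $Known
        } else {
            $set = @($Known | Where-Object { $_ -ieq $name })    # canonical spelling, case-insensitive
            if ($set.Count -eq 0) { Write-Warning "Unrecognised protocol token '$t' ignored"; continue }
        }
        foreach ($p in $set) {
            if ($op -eq '-') { [void]$enabled.Remove($p) } else { [void]$enabled.Add($p) }
        }
    }
    return @($enabled | Sort-Object)
}

function Test-GatewayHttpdConf {
    param([string]$Path = $HttpdConf)
    # Lines starting with '#' are comments and are skipped by this match.
    $lines = Get-Content -Path $Path | Where-Object { $_ -match '^\s*SSLProtocol\s' }
    if (-not $lines) { Write-Warning "No active SSLProtocol directive in $Path; the mod_ssl default applies"; return }
    foreach ($line in $lines) {
        $on = Resolve-SslProtocolDirective $line
        [pscustomobject]@{
            Directive = $line.Trim()
            Enabled   = ($on -join ', ')
            TLSv1Kept = ($on -contains 'TLSv1')   # must stay True until CEM agents have their new profiles
        }
    }
}

# Both forms quoted in the article resolve to TLSv1, TLSv1.1, TLSv1.2:
Resolve-SslProtocolDirective 'SSLProtocol ALL -SSLv2 -SSLv3'
Resolve-SslProtocolDirective 'SSLProtocol TLSv1 TLSv1.1 TLSv1.2'

if (Test-Path $HttpdConf) { Test-GatewayHttpdConf | Format-Table -AutoSize }
```

Run Test-GatewayHttpdConf against the edited copy of httpd.conf before copying it back into the Apache\conf folder; a TLSv1Kept value of False on any row means the file would cut off the CEM agents that the warning above describes.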

  4. Stop the Symantec Internet Gateway Server Manager by clicking the “Stop” button highlighted in yellow below.
  5. Copy the new httpd.conf that you edited in Step 3 above to the following location: <Install Drive>\Program Files\Symantec\SMP Internet Gateway\Apache\conf.
  6. Restart the Internet Gateway Server Manager by clicking the “Start” button highlighted in yellow below.
  7. Using …, verify that the Symantec Gateway server is now communicating via TLSv1.0, TLSv1.1, and TLSv1.2. Include screen shot.
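One way to perform that verification from any Windows machine is to attempt one TLS handshake per protocol version against the Gateway's HTTPS port. The script below is an added example, not from the article; the host name and port are placeholders for your own Gateway. It uses the .NET SslStream class and reports, for each of TLS 1.0, 1.1 and 1.2, whether the handshake succeeded and which version and cipher were negotiated. Note the caveat in the comments: the result reflects the probing machine's Schannel settings as well as the server's, so run it from a host on which all three versions are still enabled.

```powershell
# Added example (not part of the Broadcom article): probe which TLS versions a
# server accepts by attempting one handshake per version with .NET SslStream.
# $GatewayHost and $Port are placeholders. A version that is disabled in this
# client's own Schannel settings will show as FAILED even if the server allows it.

$GatewayHost = 'gateway.example.internal'   # placeholder: your Symantec Internet Gateway
$Port        = 443                          # placeholder: the Gateway's HTTPS port

function Test-TlsVersion {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl    = $null
    try {
        $client.Connect($ComputerName, $Port)
        # Certificate validation is bypassed because the point is protocol negotiation,
        # not trust. Do not reuse this callback in anything that carries real traffic.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        # Offer exactly one protocol version so the server cannot negotiate around it.
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        [pscustomobject]@{
            Requested  = $Protocol
            Negotiated = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Result     = 'OK'
        }
    } catch {
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }   # Schannel error is usually nested
        [pscustomobject]@{ Requested = $Protocol; Negotiated = $null; Cipher = $null; Result = "FAILED: $($ex.Message)" }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# 'Tls' is TLS 1.0 in the SslProtocols enumeration.
$results = foreach ($v in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsVersion -ComputerName $GatewayHost -Port $Port -Protocol ([System.Security.Authentication.SslProtocols]$v)
}
$results | Format-Table -AutoSize
```

At this stage of the procedure all three rows should read OK. Keep the output: the same probe, run again after TLSv1 is finally removed from the Gateway, is the evidence that only the Tls row fails and the 1.1 and 1.2 rows still succeed.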

Disabling TLSv1.0

You should wait until all clients have had ample time to update their configuration before disabling TLS 1.0. If any of the steps


Changes to IIS

