Error while upgrading the DCS or CSP manager "Unable to connect to the Database with the specified username and password. Please verify Database settings"
Critical System Protection 8.x
Data Center Security 6.x
TLS 1.0 & 1.1 must be enabled on the CSP manager & the database server during the upgrade; otherwise the database connection can't be made
Enable TLS 1.0 & 1.1 on the manager server & the SQL server:
NOTE: Making changes to the registry can cause unrecoverable system errors, and as such, it is recommended to take a backup of the registry before making any changes
Follow the below steps to enable TLS:
1. Stop the CSP manager services (on primary and tomcat manager)
2. On the CSP manager, open Run and launch regedit
3. Navigate to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
4. Right click and select export to save a copy of the current registry settings
5. Find the registry keys below, and change the "Enabled" value under each to "0x00000000(1)" to enable TLS communication for both
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
6. Reboot the DCS manager server to save the settings
7. Repeat steps 2-5 on the database server and restart the database server to save the changes
8. Start the CSP manager services and run server.exe as administrator to complete the upgrade
TLS 1.0 & 1.1 are not required for use with the CSP agents, and as such, this setting can be changed back to disabled after the CSP manager upgrade is successful
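The registry steps above, together with the revert after the upgrade, as an added PowerShell example (not Symantec's or this article's own code). It assumes the intended setting is an "Enabled" DWORD of 1; the backup folder and the function names are chosen here for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Run on the manager and on the database server.
$Base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$RegPath   = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols = 'TLS 1.0', 'TLS 1.1'
$BackupDir = 'C:\Temp\schannel-backup'            # assumption: any folder outside the install dir
$StateFile = Join-Path $BackupDir 'tls-client-state.xml'

function Enable-LegacyTlsForUpgrade {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # Step 4: export the whole Protocols key first; this .reg file is the full fallback.
    reg.exe export $RegPath (Join-Path $BackupDir 'Protocols.reg') /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; no changes made.' }

    # Record the current state of each Client key, including "key/value absent".
    $state = foreach ($p in $Protocols) {
        $key = "$Base\$p\Client"
        $old = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        [pscustomobject]@{ Key = $key; KeyExisted = (Test-Path $key); Enabled = $old }
    }
    $state | Export-Clixml -Path $StateFile

    foreach ($s in $state) {
        if (-not $s.KeyExisted) { New-Item -Path $s.Key -Force | Out-Null }
        New-ItemProperty -Path $s.Key -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Write-Host 'Enabled=1 set for TLS 1.0/1.1 Client. Reboot the server to apply.'
}

function Restore-TlsAfterUpgrade {
    foreach ($s in Import-Clixml -Path $StateFile) {
        if (-not $s.KeyExisted) {
            Remove-Item -Path $s.Key -Recurse -Force      # Client key was created by this script
        } elseif ($null -eq $s.Enabled) {
            Remove-ItemProperty -Path $s.Key -Name Enabled -ErrorAction SilentlyContinue
        } else {
            New-ItemProperty -Path $s.Key -Name Enabled -PropertyType DWord -Value $s.Enabled -Force | Out-Null
        }
    }
    Write-Host 'Previous TLS 1.0/1.1 Client settings restored. Reboot the server to apply.'
}
```

Call Enable-LegacyTlsForUpgrade before the upgrade and Restore-TlsAfterUpgrade once it has completed, with the CSP manager services stopped in both cases.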
If you wish to keep this setting in place after you have completed the upgrade, you may need to modify the server.xml to add the default TLS settings back for agent communication as noted below:
To modify the server.xml and add TLS 1.0 & TLS 1.1 back:
1. Stop the CSP manager service
2. On the CSP manager, navigate to "CSPInstallDirectory"\Symantec\Critical System Protection\server\tomcat\conf
3. Copy the server.xml and save it to a location outside of the server's install directory
4. Open the server.xml with a plain text editor and review the settings for TLS:
The default settings in the server.xml are shown below. If you have removed the TLSv1 or TLSv1.1 setting from the server.xml, add it back for all of your DCS managers. Examples for all versions and for TLS 1.2 only are below:
All
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
Only TLS 1.2
sslEnabledProtocols="TLSv1.2"
5. Save the server.xml after making changes
6. Start the DCS manager services