You want to know how to switch to TLSv1.2 only, and what impact that will have on agent communications.
DCS 6.7 MP3 and above
If I enable TLSv1.2 only on a UMC/DCS server running 6.7 MP3 or above, which DCS agents installed on older operating systems would be affected?
Agents on Windows 2008, Windows 2003, Windows XP and older Windows versions will fail to communicate and will be shown offline.
Agents installed on RHEL, SLES and Ubuntu use the OpenSSL package installed on the OS. If the OpenSSL version installed on the OS is older than 1.0.1, those agents will no longer be able to communicate with DCS Manager and will be shown offline.
Note: OpenSSL versions 1.0.1 and above support TLS 1.2. Refer to the OpenSSL changelog section "Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1".
If an OpenSSL 1.0.1 package is not available for a given Linux OS version, communication with those agents will break.
For example, RHEL 5.x and RHEL versions before 6.5 do not have an OpenSSL 1.0.1 package available in their repositories.
Additionally, the following frozen platforms will also fail to communicate with the DCS Manager server using TLS v1.2:
- Red Hat Enterprise Linux 4
- SUSE Linux Enterprise Server 9
- Solaris 9
- HP-UX 11i V2 (11.23) (64-bit)
- HP-UX 11i V1 (11.11) (64-bit)
- Windows 2003
- Windows XP Professional
- Windows 2000
- Windows NT Server 4.0
AIX and Solaris:
AIX and Solaris x86 and SPARC agents use the OpenSSL shipped with the agent installer. The AIX and Solaris binaries in the 6.7.3 CD image ship an OpenSSL version that supports TLS v1.2. The OpenSSL version shipped with 6.8.2 agents is 1.0.2u.
The AIX 5 binary has an updated version (5.2.9. MP6 HF7) available for download. It also ships with an OpenSSL version that supports TLS v1.2.
How do I make the change?
Location: the "/tomcat/conf" folder under the DCS server installation path
1) Make a copy of the server.xml
2) Edit the server.xml, change the following parameters:
3) sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to sslEnabledProtocols="TLSv1.2" for all locations
4) sslProtocol="TLS" to sslProtocol="TLSv1.2" for all locations
5) Changes to ciphers may also be required
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
6) Save the server.xml
7) Restart the DCS Manager Service. The service must be restarted for the changes to take effect.
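Steps 1 to 4 can be scripted so that no connector is missed. The following Python script is an added example, not code shipped with DCS: it backs up server.xml, rewrites every sslEnabledProtocols and sslProtocol attribute, and returns each old value it replaced. The sample connector ports and the ".bak" backup name are assumptions.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Values from steps 3 and 4 of the procedure above.
TARGETS = {"sslEnabledProtocols": "TLSv1.2", "sslProtocol": "TLSv1.2"}
# Regex edit keeps comments and layout intact (an XML parser would rewrite them).
ATTR_RE = re.compile(r'\b(sslEnabledProtocols|sslProtocol)\s*=\s*"([^"]*)"')

def restrict_to_tls12(xml_text):
    """Return (new_text, changes); changes lists (attribute, old_value) pairs."""
    changes = []
    def _swap(match):
        name, old = match.group(1), match.group(2)
        if old != TARGETS[name]:
            changes.append((name, old))
        return f'{name}="{TARGETS[name]}"'
    return ATTR_RE.sub(_swap, xml_text), changes

def apply_to_file(server_xml):
    """Back up server.xml (step 1), rewrite it in place, return the change list."""
    path = Path(server_xml)
    new_text, changes = restrict_to_tls12(path.read_text(encoding="utf-8"))
    if changes:
        backup = path.with_name(path.name + ".bak")  # assumed backup name
        if not backup.exists():  # never overwrite the first, known-good copy
            shutil.copy2(path, backup)
        path.write_text(new_text, encoding="utf-8")
    return changes

# Constructed sample with two connectors; not the product's real server.xml.
SAMPLE = '''<Server>
  <Service name="Catalina">
    <Connector port="4443" SSLEnabled="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>
    <Connector port="8443" SSLEnabled="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>
  </Service>
</Server>
'''

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "server.xml"
        target.write_text(SAMPLE, encoding="utf-8")
        for name, old in apply_to_file(target):
            print(f"changed {name}: {old!r} -> {TARGETS[name]!r}")
```

An empty change list on a second run confirms that every location already carries the TLSv1.2 values. The ciphers attribute from step 5 is left untouched and still needs manual review.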