Important

Starting version 8.9.03, BMC Server Automation is renamed to TrueSight Server Automation. This space contains information about BMC Server Automation 8.9.02 and previous versions. For TrueSight Server Automation 8.9.03 and later releases, see TrueSight Server Automation 8.9.

Configuring use of TLS version 1.2

Beginning with version 8.9.01 of BMC Server Automation, version 1.2 of the Transport Layer Security (TLS) protocol is supported for session layer security across the various communications legs between BMC Server Automation components.

This topic discusses the defaults and limitations of TLS 1.2 support, as well as how to override the default behavior.

Default behavior of TLS communication

Beginning with version 8.9.01 of BMC Server Automation, TLS version 1.2 is the default protocol for communication between the Application Servers and the RSCD Agents. However, earlier versions of TLS are supported, for backward compatibility, in certain cases.

TLS communication between the Application Servers and the RSCD Agents has the following default behavior, depending on the versions of the RSCD Agents:

  • All newly enrolled agents of version 8.9.01 use TLS version 1.2.
  • After upgrading agents to 8.9.01, existing SSL sessions continue with the current TLS version until the SSL session expires (typically 24 hours after the connection was established), at which time communication is updated to TLS version 1.2.
  • Communication with agents of earlier versions (<8.9.01) continues with the existing default of TLS version 1.

Note

In the case of an upgrade to 8.9.01, ensure that the Network Shell component is upgraded to version 8.9.01 on the computer that hosts the BMC Server Automation Console, to support the new default protocol used by the RSCD Agent. The Network Shell is normally upgraded together with the BMC Server Automation Console.

If you want to override this default behavior — for example, if you want to limit all communication to TLS 1.2 with no option for use of earlier versions of the TLS protocol — perform the tasks described in Overriding default TLS communication settings.

Limitations of TLS version 1.2 communication

Support for TLS version 1.2 in BMC Server Automation has the following limitations:

  • Bare-metal provisioning (specifically the BMI binary) does not work with TLS version 1.2 if the images were created with a pre-8.9.01 BMI.
  • Use cases related to Active Directory (AD) or LDAP authentication and synchronization require an AD server or LDAP server that supports TLS version 1.2 connections. LDAP synchronization has not yet been fully tested for TLSv1.2-only connections.
  • For patch downloads, outbound HTTPS connections to download sites (such as RHN or Shavlik) require TLS version 1.2 support on the download site. If the connection goes through an HTTPS proxy, the proxy must also support TLS version 1.2.

Overriding default TLS communication settings

You might want to override the default TLS settings, typically to limit all communication to TLS version 1.2 with no backward compatibility. To do so, you must perform configuration tasks on both the agent side and the Application Server side:

  1. On the RSCD Agent, you configure TLS settings through the openssl.cnf file, as described in To configure TLS settings on the RSCD Agent.
  2. On the Application Server, you configure settings through the appserver-options.properties file, as described in To configure TLS settings on the Application Server.

To configure TLS settings on the RSCD Agent

  1. On each agent host machine, locate the openssl.cnf file in the installDirectory/Share/ directory, and open it in any text editor.
  2. In the [rscd] section of this configuration file, set the value of the protocol parameter.
    To limit communication to TLS v1.2 only, set a value of tlsv1_2, as in the following example.
    An additional parameter in this section enables you to specify the cipher suite to be used in the handshake between the RSCD Agent and the Application Server or file server. You can usually keep the default value for the choice of cipher suite.

    [rscd]
    # possible values for protocol: tls, tlsv1, tlsv1_1 and tlsv1_2
    protocol = tlsv1_2
    openssl_ciphers = AES256-SHA:DES-CBC3-SHA
  3. Save the openssl.cnf file.
  4. Restart the RSCD Agent for the changes in the configuration file to take effect.

To configure TLS settings on the Application Server

  1. For each Application Server deployment, locate the appserver-options.properties file in <installDirectory>/br/deployments/<deploymentName>/options/, and open it for editing.
  2. Set values for the following properties (each entry below gives the property name, its description, and its default):

    Property: EnabledSecureProtocols
    Description: Comma-separated list of protocols enabled for listening to requests from the Console and from Web Services, as well as for connections that involve an NSH proxy.
    Default: TLSv1,TLSv1.2
    If you want to use TLSv1.2 only, change the value to TLSv1.2.

    Property: EnabledPkiProtocols
    Description: Protocol for PKI authentication. Enter a single value.
    Default: TLSv1
    If you want to use TLSv1.2, change the value to TLSv1.2.

    Property: EnabledRscdProtocols
    Description: Comma-separated list of protocols enabled for communication with RSCD agents.
    Default: TLSv1,TLSv1.2
    If you want to use TLSv1.2 only, change the value to TLSv1.2. TLSv1.2 communication works only on agents of version 8.9.01 or later.

    Property: EnabledAppserverClientProtocols
    Description: Comma-separated list of protocols enabled for use by the Application Server for external connections as an SSL client.
    Default: TLSv1,TLSv1.2
    If you want to use TLSv1.2 only, change the value to TLSv1.2.

    Property: EnabledTlsContextProtocol
    Description: Protocol used for initiating the TLS context during integration with external systems. Enter a single value.
    Default: TLSv1
    If you want to use TLSv1.2, change the value to TLSv1.2.

    Property: JVMArgs
    Description: Custom JVM arguments for the BMC Server Automation Application Server.
    For the defaults to be used, ensure that the following protocol arguments are NOT included in the JVMArgs property value:
    • -Dhttps.protocols
    • -Djdk.tls.client.protocols
  3. Save the properties file.
  4. Restart the Application Server.
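The following offline audit script is an added example, not BMC's code: it reads the [rscd] section of openssl.cnf and the appserver-options.properties settings described in the two procedures above and reports anything that still permits pre-1.2 TLS, violates the single-value rule for EnabledPkiProtocols and EnabledTlsContextProtocol, or carries one of the JVMArgs protocol flags the page says must be absent. Both sample files are constructed inline; the defaults used for absent properties are the ones documented above.

```python
import configparser

# Constructed sample [rscd] section of openssl.cnf, already limited to TLS 1.2.
SAMPLE_OPENSSL_CNF = """\
[rscd]
protocol = tlsv1_2
openssl_ciphers = AES256-SHA:DES-CBC3-SHA
"""

# Constructed appserver-options.properties at documented defaults plus a forbidden JVM flag.
SAMPLE_APPSERVER_OPTS = """\
EnabledSecureProtocols=TLSv1,TLSv1.2
EnabledPkiProtocols=TLSv1
EnabledRscdProtocols=TLSv1,TLSv1.2
EnabledAppserverClientProtocols=TLSv1,TLSv1.2
EnabledTlsContextProtocol=TLSv1
JVMArgs=-Xmx4g -Dhttps.protocols=TLSv1
"""

DEFAULTS = {  # documented defaults, used when a property is absent from the file
    "EnabledSecureProtocols": "TLSv1,TLSv1.2",
    "EnabledPkiProtocols": "TLSv1",
    "EnabledRscdProtocols": "TLSv1,TLSv1.2",
    "EnabledAppserverClientProtocols": "TLSv1,TLSv1.2",
    "EnabledTlsContextProtocol": "TLSv1",
}
SINGLE_VALUE = {"EnabledPkiProtocols", "EnabledTlsContextProtocol"}
FORBIDDEN_JVM_FLAGS = ("-Dhttps.protocols", "-Djdk.tls.client.protocols")

def audit_agent(cnf_text):
    # Findings for the RSCD Agent side; an empty list means TLS 1.2 only.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cnf_text)
    proto = cp.get("rscd", "protocol", fallback="tls").strip().lower()
    return [] if proto == "tlsv1_2" else [f"[rscd] protocol={proto} still allows pre-1.2 TLS"]

def audit_appserver(props_text):
    # Findings for the Application Server side; an empty list means TLS 1.2 only.
    props = {k.strip(): v.strip() for k, v in
             (l.split("=", 1) for l in props_text.splitlines()
              if "=" in l and not l.lstrip().startswith("#"))}
    findings = []
    for name, default in DEFAULTS.items():
        values = [v.strip() for v in props.get(name, default).split(",") if v.strip()]
        if name in SINGLE_VALUE and len(values) != 1:
            findings.append(f"{name} must hold a single value, got {values}")
        if weak := [v for v in values if v != "TLSv1.2"]:
            findings.append(f"{name} still enables {','.join(weak)}")
    for flag in FORBIDDEN_JVM_FLAGS:
        if flag in props.get("JVMArgs", ""):
            findings.append(f"JVMArgs contains {flag}; remove it")
    return findings
```

Run audit_appserver on the real file after the edits in step 2 and before the restart in step 4; an empty list from both functions is the TLS 1.2-only state the override procedure aims for.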
