Important

This space contains documentation for TrueSight Server Automation 8.9.03 and the later service packs for 8.9. For earlier releases, see BMC Server Automation 8.9.

Configuring use of TLS version 1.2

Beginning with version 8.9.01 of TrueSight Server Automation, version 1.2 of the Transport Layer Security (TLS) protocol is supported for session layer security across the various communications legs between TrueSight Server Automation components.

This topic discusses the defaults and limitations of TLS 1.2 support, as well as how to override the default behavior.

Default behavior of TLS communication

Beginning with version 8.9.01 of TrueSight Server Automation, TLS version 1.2 is the default protocol for communication between the Application Servers and the RSCD Agents. However, earlier versions of TLS are supported, for backward compatibility, in certain cases.

TLS communication between the Application Servers and the RSCD Agents has the following default behavior, depending on the versions of the RSCD Agents:

  • All newly enrolled agents of version 8.9.01 use TLS version 1.2.
  • After upgrading agents to 8.9.01, existing SSL sessions continue with the current TLS version until the SSL session expires (typically 24 hours after the connection was established), at which time communication is updated to TLS version 1.2.
  • Communication with agents of earlier versions (<8.9.01) continues with the existing default of TLS version 1.

Note

In the case of an upgrade to 8.9.01, ensure that the Network Shell component is upgraded to version 8.9.01 on the computer that hosts the TrueSight Server Automation Console, to support the new default protocol used by the RSCD Agent. The Network Shell is normally upgraded together with the TrueSight Server Automation Console.

If you want to override this default behavior — for example, if you want to limit all communication to TLS 1.2 with no option for use of earlier versions of the TLS protocol — perform the tasks described in Overriding default TLS communication settings.

Limitations of TLS version 1.2 communication

Support for TLS version 1.2 in TrueSight Server Automation has the following limitations:

  • Bare-metal provisioning (specifically the BMI binary) does not work with TLS version 1.2 if the images were created with a pre-8.9.01 BMI.
  • Use cases related to Active Directory (AD) or LDAP authentication and synchronization require an AD server or LDAP server that supports TLS version 1.2 connections.
    LDAP synchronization has not yet been fully tested for TLSv1.2-only connections.
  • For patch downloads, outbound connections to HTTPS sites (such as RHN or Shavlik) require TLS version 1.2 support on the download site. If the connection goes through an HTTPS proxy, the proxy must also support TLS version 1.2.

Overriding default TLS communication settings

You might want to override the default TLS settings, typically to limit all communication to TLS version 1.2 with no backward compatibility. To do so, you must perform configuration tasks on both the agent side and the Application Server side:

  1. On the RSCD Agent, you configure TLS settings through the openssl.cnf file, as described in To configure TLS settings on the RSCD Agent.
  2. On the Application Server, you configure settings through the appserver-options.properties file, as described in To configure TLS settings on the Application Server.

To configure TLS settings on the RSCD Agent

  1. On each agent host machine, locate the openssl.cnf file in the installDirectory/Share/ directory, and open it in any text editor.
  2. In the [rscd] section of this configuration file, set the value of the protocol parameter.
    To limit communication to TLS v1.2 only, set a value of tlsv1_2, as in the following example.
    An additional parameter in this section enables you to specify the cipher suite to be used in the handshake between the RSCD Agent and the Application Server or file server. You can usually keep the default value for the choice of cipher suite.

    [rscd]
    # possible values for protocol: tls, tlsv1, tlsv1_1 and tlsv1_2
    protocol = tlsv1_2
    openssl_ciphers = AES256-SHA:DES-CBC3-SHA

    The following table describes the supported ciphers and the value to be specified to use them:

    Cipher name                              Value to be specified for the openssl_ciphers parameter
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      AES256-GCM-SHA384
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256      AES128-GCM-SHA256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      AES128-SHA256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      AES128-SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA             AES256-SHA
    SSL_RSA_WITH_3DES_EDE_CBC_SHA            DES-CBC3-SHA

    To use multiple ciphers, specify the cipher names separated by a colon (:).

  3. Save the openssl.cnf file.

  4. Restart the RSCD Agent for the changes in the configuration file to take effect.
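The following Python script is an added example for checking the agent-side change above; it is not part of the BMC documentation or of the product. It reads the [rscd] section of an openssl.cnf file (by default a constructed sample embedded in the script, or a path given on the command line, for example installDirectory/Share/openssl.cnf) and reports whether protocol is locked to tlsv1_2 and whether every entry in openssl_ciphers is one of the values from the cipher table. The section parser, the finding texts and the decision to report DES-CBC3-SHA as a legacy 3DES suite are the example's own assumptions, not product behaviour.

```python
"""Audit the [rscd] section of an RSCD Agent openssl.cnf for TLS 1.2-only settings."""
import re
import sys
from typing import Dict, List

# Protocol values listed in the openssl.cnf comment on the page.
VALID_PROTOCOLS = {"tls", "tlsv1", "tlsv1_1", "tlsv1_2"}

# Cipher table from the page: cipher name -> value for openssl_ciphers.
SUPPORTED_CIPHERS = {
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256": "AES128-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
}
SUPPORTED_VALUES = set(SUPPORTED_CIPHERS.values())
# Assumption of this example: 3DES is reported as legacy, not rejected,
# because the page lists it as supported.
LEGACY_VALUES = {"DES-CBC3-SHA"}

SECTION_RE = re.compile(r"^\s*\[\s*(?P<name>[^\]]+?)\s*\]\s*$")


def parse_section(text: str, wanted: str) -> Dict[str, str]:
    """Return the key/value pairs of one section of an OpenSSL-style config file.

    Only the wanted section is interpreted; other sections of openssl.cnf may use
    OpenSSL syntax (such as $ENV:: references) that a generic INI parser rejects.
    """
    values: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            in_section = match.group("name").lower() == wanted.lower()
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def audit_rscd(text: str) -> Dict[str, object]:
    """Check the [rscd] section and return the parsed settings plus a list of findings."""
    rscd = parse_section(text, "rscd")
    findings: List[str] = []

    protocol = rscd.get("protocol", "").lower()
    if not protocol:
        findings.append("protocol is not set; agent uses its built-in default")
    elif protocol not in VALID_PROTOCOLS:
        findings.append(f"protocol '{protocol}' is not one of {sorted(VALID_PROTOCOLS)}")
    elif protocol != "tlsv1_2":
        findings.append(f"protocol '{protocol}' still allows pre-1.2 TLS")

    # openssl_ciphers holds colon-separated OpenSSL cipher names.
    ciphers = [c.strip() for c in rscd.get("openssl_ciphers", "").split(":") if c.strip()]
    for cipher in ciphers:
        if cipher not in SUPPORTED_VALUES:
            findings.append(f"cipher '{cipher}' is not in the supported list")
        elif cipher in LEGACY_VALUES:
            findings.append(f"cipher '{cipher}' is 3DES; prefer the AES-GCM suites")

    return {"protocol": protocol, "ciphers": ciphers, "findings": findings}


# Constructed sample, modelled on the snippet in the page; not a real agent file.
SAMPLE_OPENSSL_CNF = """\
[ ca ]
default_ca = CA_default

[rscd]
# possible values for protocol: tls, tlsv1, tlsv1_1 and tlsv1_2
protocol = tlsv1_2
openssl_ciphers = AES256-GCM-SHA384:DES-CBC3-SHA
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_OPENSSL_CNF
    result = audit_rscd(text)
    print(f"protocol={result['protocol']} ciphers={result['ciphers']}")
    for finding in result["findings"]:
        print(f"FINDING: {finding}")
```

Run it against each agent host's openssl.cnf after step 3 and before the restart in step 4; an empty findings list means the file is locked to TLS 1.2 with only ciphers from the table.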

To configure TLS settings on the Application Server

  1. For each Application Server deployment, locate the appserver-options.properties file in <installDirectory>/br/deployments/<deploymentName>/options/, and open it for editing.

  2. Set values for the following properties:

    EnabledSecureProtocols
      Comma-separated list of protocols enabled for listening to requests from the Console and from Web Services, as well as for connections that involve an NSH proxy.
      Default: TLSv1,TLSv1.2
      If you want to use TLSv1.2 only, change the value to TLSv1.2.

    EnabledPkiProtocols
      Protocol for PKI authentication. Enter a single value.
      Default: TLSv1
      If you want to use TLSv1.2, change the value to TLSv1.2.

    EnabledRscdProtocols
      Comma-separated list of protocols enabled for communication with RSCD agents.
      Default: TLSv1,TLSv1.2
      If you want to use TLSv1.2 only, change the value to TLSv1.2. TLSv1.2 communication works only on agents of version 8.9.01 or later.

    EnabledAppserverClientProtocols
      Comma-separated list of protocols enabled for use by the Application Server for external connections as an SSL client.
      Default: TLSv1,TLSv1.2
      If you want to use TLSv1.2 only, change the value to TLSv1.2.

    EnabledTlsContextProtocol
      Protocol used for initiating the TLS context during integration with external systems. Enter a single value.
      Default: TLSv1
      If you want to use TLSv1.2, change the value to TLSv1.2.

    JVMArgs
      Custom JVM arguments for the TrueSight Server Automation Application Server.
      For the defaults to be used, ensure that the following protocol arguments are NOT included in the JVMArgs property value:
        • -Dhttps.protocols
        • -Djdk.tls.client.protocols

    EnabledCipherSuites
      A comma-separated list of cipher names. For information about the supported ciphers, see Session layer security.

    EnabledCipherSuitesForWebservices
      A comma-separated list of cipher names. For information about the supported ciphers, see Session layer security.

  3. Save the properties file.
  4. Restart the Application Server.
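The following Python script is an added example for verifying the Application Server side of the procedure; it is not part of the BMC documentation or of the product. It reads an appserver-options.properties file (a constructed sample embedded in the script, or a path given on the command line) and reports every protocol property that is not set to TLSv1.2, every single-value property that holds a list, and any -Dhttps.protocols or -Djdk.tls.client.protocols argument in JVMArgs. The property names and defaults come from the table above; the minimal .properties parser and the finding texts are this example's own assumptions.

```python
"""Audit appserver-options.properties for a TLS 1.2-only Application Server."""
import shlex
import sys
from typing import Dict, List

# Property -> (accepts a comma-separated list?, default stated on the page)
PROTOCOL_PROPERTIES = {
    "EnabledSecureProtocols": (True, "TLSv1,TLSv1.2"),
    "EnabledPkiProtocols": (False, "TLSv1"),
    "EnabledRscdProtocols": (True, "TLSv1,TLSv1.2"),
    "EnabledAppserverClientProtocols": (True, "TLSv1,TLSv1.2"),
    "EnabledTlsContextProtocol": (False, "TLSv1"),
}
TARGET = "TLSv1.2"
# JVM arguments the page says must not appear in JVMArgs.
FORBIDDEN_JVM_ARGS = ("-Dhttps.protocols", "-Djdk.tls.client.protocols")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader (assumption of this example).

    Handles '#' and '!' comment lines, '=' or ':' separators and
    backslash line continuations; escape sequences are left untouched.
    """
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]  # continued on the next line
            continue
        idx = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        key, value = (line[:idx], line[idx + 1:]) if idx >= 0 else (line, "")
        props[key.strip()] = value.strip()
    return props


def audit_appserver(text: str) -> Dict[str, object]:
    """Return the relevant property values plus findings for a TLS 1.2-only goal."""
    props = parse_properties(text)
    findings: List[str] = []

    for name, (is_list, default) in PROTOCOL_PROPERTIES.items():
        value = props.get(name)
        if value is None:
            findings.append(f"{name} not set; default '{default}' applies")
            continue
        values = [v.strip() for v in value.split(",") if v.strip()]
        if not is_list and len(values) != 1:
            findings.append(f"{name} must hold a single value, got '{value}'")
        elif values != [TARGET]:
            findings.append(f"{name}='{value}' is not {TARGET}" + (" only" if is_list else ""))

    # Any explicit protocol argument in JVMArgs overrides the Enabled* properties.
    jvm_args = props.get("JVMArgs", "")
    for arg in shlex.split(jvm_args):
        if arg.split("=", 1)[0] in FORBIDDEN_JVM_ARGS:
            findings.append(f"JVMArgs contains {arg}; remove it so the Enabled* properties apply")

    return {
        "properties": {k: props.get(k) for k in PROTOCOL_PROPERTIES},
        "jvm_args": jvm_args,
        "findings": findings,
    }


# Constructed sample, not a real deployment file. Two deliberate problems:
# EnabledRscdProtocols still lists TLSv1, and JVMArgs pins https.protocols.
SAMPLE_PROPERTIES = """\
# constructed sample
EnabledSecureProtocols=TLSv1.2
EnabledPkiProtocols=TLSv1.2
EnabledRscdProtocols=TLSv1,TLSv1.2
EnabledAppserverClientProtocols=TLSv1.2
EnabledTlsContextProtocol=TLSv1.2
JVMArgs=-Xms256m -Xmx1024m \\
    -Dhttps.protocols=TLSv1.2
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_PROPERTIES
    result = audit_appserver(text)
    for finding in result["findings"]:
        print(f"FINDING: {finding}")
    print("clean" if not result["findings"] else f"{len(result['findings'])} finding(s)")
```

Point it at <installDirectory>/br/deployments/<deploymentName>/options/appserver-options.properties for each deployment before the restart in step 4; the sample reports two findings, and a file with every protocol property set to TLSv1.2 and no protocol arguments in JVMArgs reports none.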