Configuring the TLS protocol
From version 8.9.01 of TrueSight Server Automation, version 1.2 of the Transport Layer Security (TLS) protocol is supported for session layer security across the various communications legs between TrueSight Server Automation components.
This topic describes the default settings and limitations of TLS 1.2 support and how to override the default behavior.
- Default behavior of TLS communication
- Limitations of TLS version 1.2 communication
- Overriding the default TLS communication settings
Default behavior of TLS communication
From version 8.9.01 of TrueSight Server Automation, TLS 1.2 is the default protocol for communication between the Application Servers and RSCD Agents. However, earlier versions of TLS are supported for backward compatibility in certain cases.
TLS communication between the Application Servers and RSCD Agents has the following default behavior, depending on the versions of RSCD Agents:
- After upgrading agents to 8.9.01 or later versions, existing SSL sessions continue with the current TLS version until the SSL session expires (typically 24 hours after the connection was established), at which time communication is updated to TLS 1.2.
- NEW IN 20.02.01 After you install the RSCD Agent 20.02.01, TLS 1.2 is set as the default protocol.
- NEW IN 20.02.01 When you upgrade the RSCD Agent to version 20.02.01, the existing TLS configuration settings are retained after the upgrade.
- NEW IN 20.02.01 When you add an additional Application Server, the server is configured with the same TLS settings as that of the Application Server that is connected to the TrueSight Server Automation console.
- NEW IN 20.02.01 On a Debian system, when you upgrade the RSCD Agent to version 20.02.01 using the native installer, the TLS settings are updated to tlsv1 and tlsv_1.2.
- NEW IN 20.02.01 If you want to change the value of the OpenSSL protocol to tlsv_1.2 during the upgrade, use the following parameter while upgrading the Agent: UPDATE_OPENSSL_PROTOCOL=1
  - (Windows) Add this parameter to the following command: RSCD.msi UPDATE_OPENSSL_PROTOCOL=1. For more information about upgrading the Agent, see Silently-upgrading-Windows-agents.
  - (Linux) Add this parameter to the /tmp/nsh-install-defaults file. For information about configuring the nsh-install-defaults file, see Configuring-the-installation-parameters-for-the-NSH-or-the-RSCD-agent.
- For an upgrade, the configuration of one of the existing nodes is detected and a similar configuration is applied to the newly added node.
- Communication with agents of earlier versions (8.9.01 or earlier) can continue with the existing TLS version 1. However, you must configure the TLS settings on the Application Server accordingly. For more information, see Configuring the TLS settings on the Application Server.
If you want to override this default behavior — for example, if you want to limit all communication to TLS 1.2 with no option for use of earlier versions of the TLS protocol — perform the tasks described in Overriding default TLS communication settings.
Limitations of TLS version 1.2 communication
Support for TLS version 1.2 in TrueSight Server Automation has the following limitations:
- Bare-metal provisioning (specifically the BMI binary) does not work if images are created with a pre-8.9.01 BMI with TLS version 1.2.
- Use cases related to Active Directory (AD) or LDAP authentication and synchronization require an AD server or LDAP server that supports TLS version 1.2 connections. LDAP synchronization has not yet been fully tested for TLSv1.2-only connections.
- For patch downloads, outbound HTTPS connections to HTTPS sites (such as RHN or Shavlik) require TLS version 1.2 support on the download site. If the connection goes through an HTTPS proxy, the proxy must also support TLS version 1.2.
Overriding the default TLS communication settings
You might want to override the default TLS settings, typically to limit all communication to TLS version 1.2 with no backward compatibility. To do so, you must perform configuration tasks on both the agent side and the Application Server side:
- On the RSCD Agent, you configure TLS settings through the openssl.cnf file, as described in To configure TLS settings on the RSCD Agent.
- On the Application Server, you configure settings through the appserver-options.properties file, as described in To configure TLS settings on the Application Server.
To configure TLS settings on the RSCD Agent
- On each agent host, locate the openssl.cnf file in the installDirectory/Share/ directory, and open it in any text editor.
- In the [rscd] section of this configuration file, set the value of the protocol parameter. To limit communication to TLS v1.2 only, set a value of tlsv1_2, as in the following example.
An additional parameter in this section, openssl_ciphers, specifies the cipher suite to be used in the handshake between the RSCD Agent and the Application Server or file server. You can usually keep the default value for the choice of cipher suite.

```
[rscd]
# possible values for protocol: tls, tlsv1, tlsv1_1 and tlsv1_2
protocol = tlsv1_2
openssl_ciphers = AES256-SHA:DES-CBC3-SHA
```

The following table describes the supported ciphers and the value to be specified to use them:

| Cipher name | Value to be specified for the openssl_ciphers parameter |
| --- | --- |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | AES128-SHA256 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | AES256-GCM-SHA384 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | AES128-GCM-SHA256 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | AES256-SHA256 |

To use multiple ciphers, specify the cipher names separated by a colon (:).
- Save the openssl.cnf file.
- Restart the RSCD Agent for the changes in the configuration file to take effect.
To configure TLS settings on the Application Server
- For each Application Server deployment, locate the appserver-options.properties file in <installDirectory>/br/deployments/<deploymentName>/options/, and open it for editing.
- Set values for the following properties:

| Property | Description |
| --- | --- |
| EnabledSecureProtocols | Comma-separated list of protocols enabled for listening to requests from the Console and from Web Services, as well as for connections that involve an NSH proxy. Default: TLSv1.2. If you want to use both TLSv1 and TLSv1.2, change the value to TLSv1, TLSv1.2. |
| EnabledPkiProtocols | Protocol for PKI authentication. Enter a single value. Default: TLSv1. Java support for PKCS11 does not work when TLSv1.2 is used. |
| EnabledRscdProtocols | Comma-separated list of protocols enabled for communication with RSCD agents. Default: TLSv1.2 |
| EnabledAppserverClientProtocols | Comma-separated list of protocols enabled for use by the Application Server for external connections as an SSL client. Default: TLSv1.2 |
| EnabledTlsContextProtocol | Protocol used for initiating the TLS context during integration with external systems. Enter a single value. Default: TLSv1.2 |
| JVMArgs | Custom JVM arguments for the TrueSight Server Automation Application Server. For the defaults to be used, ensure that the following protocol arguments are NOT included in the JVMArgs property value: -Dhttps.protocols and -Djdk.tls.client.protocols |
| EnabledCipherSuites | A comma-separated list of cipher names. For information about the supported ciphers, see Session-layer-security. |
| EnabledCipherSuitesForWebservices | A comma-separated list of cipher names. For information about the supported ciphers, see Session-layer-security. |
- Save the properties file.
- Restart the Application Server.
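The following audit helper is an added example written for this topic, not code shipped with TrueSight Server Automation. It checks the two files edited in the agent and Application Server procedures above against a TLS 1.2-only intent: the [rscd] protocol value in openssl.cnf, the Enabled* protocol properties and the JVMArgs overrides in appserver-options.properties. The sample inputs are constructed, and the property-file reader is a minimal one assumed sufficient for the key=value lines this file uses.

```python
"""Hypothetical audit helper for this page (not BMC's code): flags settings in an
RSCD Agent openssl.cnf [rscd] section and an Application Server
appserver-options.properties that still admit a TLS version other than 1.2."""
import configparser

# Documented values of the [rscd] protocol parameter; only tlsv1_2 is TLS 1.2-only.
AGENT_PROTOCOL_VALUES = {"tls", "tlsv1", "tlsv1_1", "tlsv1_2"}
# Application Server properties that carry protocol names (list or single value).
SERVER_PROTOCOL_PROPS = ("EnabledSecureProtocols", "EnabledPkiProtocols", "EnabledRscdProtocols",
                         "EnabledAppserverClientProtocols", "EnabledTlsContextProtocol")
# JVM arguments that must be absent for the Enabled* properties to take effect.
FORBIDDEN_JVM_ARGS = ("-Dhttps.protocols", "-Djdk.tls.client.protocols")
# Constructed sample inputs (not captured from a real installation).
SAMPLE_OPENSSL_CNF = "HOME = .\n[rscd]\nprotocol = tlsv1\nopenssl_ciphers = AES256-SHA\n"
SAMPLE_PROPERTIES = ("EnabledSecureProtocols=TLSv1, TLSv1.2\nEnabledPkiProtocols=TLSv1\n"
                     "EnabledRscdProtocols=TLSv1.2\nEnabledAppserverClientProtocols=TLSv1.2\n"
                     "EnabledTlsContextProtocol=TLSv1.2\nJVMArgs=-Xmx4g -Dhttps.protocols=TLSv1\n")

def audit_agent(openssl_cnf_text):
    """Return findings for the [rscd] section of an openssl.cnf file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, inline_comment_prefixes=("#",))
    # openssl.cnf may carry key=value lines before its first [section] header.
    cp.read_string("[__default__]\n" + openssl_cnf_text)
    proto = cp.get("rscd", "protocol", fallback=None)
    if proto is None:
        return ["[rscd] protocol is not set"]
    if proto not in AGENT_PROTOCOL_VALUES:
        return [f"[rscd] protocol={proto!r} is not a documented value"]
    return [] if proto == "tlsv1_2" else [f"[rscd] protocol={proto} still admits TLS before 1.2"]

def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_server(properties_text):
    """Return findings for appserver-options.properties when TLSv1.2-only is intended."""
    props, findings = parse_properties(properties_text), []
    for name in SERVER_PROTOCOL_PROPS:
        values = [v.strip() for v in props.get(name, "").split(",") if v.strip()]
        if values != ["TLSv1.2"]:  # EnabledPkiProtocols defaults to TLSv1 (PKCS11 limitation)
            findings.append(f"{name}={','.join(values) or '<unset>'} is not TLSv1.2-only")
    findings += [f"JVMArgs sets {arg}, which overrides the Enabled* properties"
                 for arg in FORBIDDEN_JVM_ARGS if arg in props.get("JVMArgs", "")]
    return findings
```

Run audit_agent and audit_server over the real files after the restart steps; an empty list from both means every leg is pinned to TLS 1.2, while an EnabledPkiProtocols finding is expected wherever PKCS11-based PKI authentication is in use.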