Client Management: Master cannot communicate with the SQL Server Database when TLS 1.2 communication is forced on the Server.

Knowledge Article

Client Management: Master cannot communicate with the SQL Server Database when TLS 1.2 communication is forced on the Server.
This article deals with the situation when TLS 1.2 communication is forced and Master is not able to communicate with the SQL server.
BMC Client Management
Client Management
BMC Client Management (BCM) All versions

  1. How to set up the BCM Master to communicate with its database server through TLS 1.2?

  2. Since other types of communications than TLS 1.2 are blocked on the network the master doesn't communicate with the master anymore.
BCM internal SQL Driver does not handle TLS 1.2 yet

In order to allow the BCM Master to communicate with the SQL Server Database: :

1. Verify that the current SQL driver on the master supports TLS 1.2 only:

SQL Server version 13 and onward drivers correctly handle TLS 1.2 only, if "ODBC Driver 13 for SQL Server" is already available as a choice to create an ODBC connector, move to step 2.

User-added image

If an older version is installed then download Microsoft® ODBC Driver 17 for SQL Server® from here 64Bit and 32bit, as an example, and install it on the BMC Client Management Master system.

The version of the SQL Server Database must be compatible as well. Make sure it runs version 13 at the minimum.


2. Update the configuration:

To modify BMC Client Management configuration there are two possibilities, depending on the current settings in C:\Program Files\BMC Software\Client Management\Master\config\Vision64Database.ini" :

Method 1: To update the configuration in Vision64database.ini using new ODBC Direct Drivers.

If in ..\Master\config\Vision64Database.ini "DatabaseType=" is set to "DatabaseType=odbcdirect", then:

  1.  Edit ..\Master\config\Vision64Database.ini file in order to replace current driver name with new driver name: DatabaseName=Driver={SQL Server};Server=DBServer;Database=DatabaseName

     Replace "{SQL Server}" by the highest version of the SQL Server Database connector installed on the master, e.g:

DatabaseName=Driver={ODBC Driver 13 for SQL Server};Server=DBServer;Database=DatabaseName
OR 
DatabaseName=Driver={ODBC Driver 17 for SQL Server};Server=DBServer;Database=DatabaseName

        3. Restart the service of the agent on the master


Method 2: To update the configuration in Vision64database.ini by creating SystemDSN

If in ..\Master\config\Vision64Database.ini "DatabaseType=" is set to "DatabaseType=ODBC", then:

1. In this situation a System DSN has to be recreated or updated in order to use the ODBC Driver 13+ for SQL Server that is installed on the master:

User-added image
Set the name for the System DSN:

User-added image

The name doesn't really matter but in case something different than the current BCM database name or server name is set at this point then information has to be updated in BCM Vision64database.ini in the next steps.
Database Server information, such as in "Database Name" and "User Name" can be retrieved from Vision64Database.ini, respectively the "DatabaseName=" and "User=" parameters.

Note:  In case there is any specific port used for the master SQL server then the port must be mentioned in the data source string like this:

User-added image


Be sure to set the same identification method as for the Database (the default mode is SQL Server Authentication). In this example, the login is 'sa' but the default one is  'bcmdbuser' :

User-added image

Be sure to change the default database to the current BCM database (default one id 'bcmdb' )

User-added image

Then use default parameters:

User-added image

And finally, verify that the new connection is working:

User-added image

2.  If a new DSN was created then "C:\Program Files\BMC Software\Client Management\Master\config\Vision64Database.ini" has to be modified in order to use the new ODBC system DSN:
- first backup the current Vision64Database.ini
- update the file Vision64Database.ini as following :

DatabaseType=ODBC
DatabaseName=bcmdb17

Where 'bcmdb17' must be replaced with the name that was set into the new ODBC system DSN (third screenshot from the top)

- save this file
- restart BMC Client Management Master service.


Note:
At the time of writing of this KA, the following registry keys had to be set to only enable TLS 1.2 on the system itself:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
BMC Client Management
Client Management
BMC Client Management (BCM) All versions
BMC Client Management
Client Management
BMC Client Management (BCM) All versions
Attachment(s):