Is it possible to force SSL communications to TLS 1.2 for inter-agent communications?
This has been implemented in 12.6 and onwards. As TLS 1.2 is enforced by default in 20.08, it is recommended to upgrade to it or to a later version instead of going through the procedure in section 2. This does not apply to setting SSL between the master and its database; for that, check the following KA instead: "Client Management: I forced TLS 1.2 communication on my server but then BCM cannot communicate with the SQL Server Database".

1- 20.08 and onward

If nothing is set in the field "Enable SSL Protocols" in the agent's Agent Configuration > Security sub-node, then TLS 1.2 is used by this agent. This can also be checked on the device in ../config/mtxagent.ini, in the SSLProtocols= setting.

2- From 12.6 to 12.9 included

If this is a fresh install then section 1A should be skipped; the only part that matters in this situation is to set the agents to use TLS 1.2 right away.
Warning: This should be tested in a test environment before going live.

A- Reconfigure the existing agents

A1- Manually

This manual procedure helps set it up quickly on some devices, as a POC:
- edit the file ../config/mtxagent.ini in the agent installation folder
- set "SSLProtocols=" to "SSLProtocols=TLS1.2" in the "Security" section of this file
- restart the agent service

Check that the client is actually able to synchronize with its parent after this change: open the file ../log/mtxagent.log after having restarted the service (wait for 2 minutes or so) and filter the log for the keyword "Synchronized". If it is found then it should be fine.

A2- By operational rules

1- Deploy the new configuration to clients only:

The easiest way to proceed is to use the step "Update ini file".

1.1 - Create an Operational Rule (OR)

1.2 - Add the step "Update ini file"

Notes:
- Do not check "Create if it does not exist". If the file doesn't exist it means the path has been set incorrectly, or that there is a problem with the agent on the target system, for example. If this is unchecked and the operational rule module doesn't find the file, the rule will fail, which makes the issue easier to spot.
- This applies to Windows. On Linux, the path must be set to ../etc/mtxagent.ini instead in the field "File Name".

1.3 - Add the step "Restart Agent"

The agent has to be restarted right away, else the configuration will not be taken into account, and might even be lost because the file would be overwritten by the configuration file saving mechanism.

1.4 - Test the OR

Assign it to a couple of clients first. Make sure they still connect to their parent, can be assigned an operational rule, can be Direct Accessed / taken control of, etc.

1.5 - Schedule the OR

Clients:
- assign it to one or more device groups containing all the clients and relays
- when asked, do not accept the default schedule
- edit the schedule of the assignment to set the execution time to a specific time in the future. This should be far enough away for the maximum number of devices to have been assigned the operational rule.

1.6 - Wait for propagation

Wait until (almost) all the devices that are supposed to connect frequently have been updated by this operational rule.

Note: A step can be added to check whether the parameter is already set properly, marking the operational rule as successful if it is. This avoids useless executions of the operational rule.

3- Update the relay(s), if any

Once all or most clients have been updated, update the relays' configuration manually or use the same operational rule as for the clients.

4- Update the master

Once all relays have been updated, update the configuration of the master manually, as described in section "A1- Manually" above.
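The manual edit from A1 and the "already set" check suggested in the note under 1.6, as an added Python example that is not part of this KA or of the BCM product. File names follow the KA; the INI and log contents are constructed samples, and the agent is assumed to keep a plain [Security] section with one SSLProtocols=... line.

```python
"""Added example: set SSLProtocols=TLS1.2 in the [Security] section of an
mtxagent.ini text, report whether anything changed (so a deployment step can
skip agents already done), and run the post-restart "Synchronized" log check.
Sample inputs below are constructed, not real agent files."""
import re

SECTION, KEY, WANTED = "Security", "SSLProtocols", "TLS1.2"

def ensure_tls12(ini_text):
    """Return (updated_text, changed). Only [Security] is touched; every other
    line is kept as-is. Raises if the section is missing so that a deployment
    step built on this fails loudly instead of silently doing nothing."""
    out, in_sec, seen, found, changed = [], False, False, False, False
    for line in ini_text.splitlines(keepends=True):
        stripped = line.strip()
        header = re.fullmatch(r"\[(.+)\]", stripped)
        if header:
            if in_sec and not found:           # leaving [Security] without the key
                out.append(f"{KEY}={WANTED}\n")
                found = changed = True
            in_sec = header.group(1).lower() == SECTION.lower()
            seen = seen or in_sec
        elif in_sec and stripped.lower().startswith(KEY.lower() + "="):
            found = True
            if stripped.split("=", 1)[1].strip() != WANTED:
                line, changed = f"{KEY}={WANTED}\n", True   # e.g. empty value
        out.append(line)
    if not seen:
        raise ValueError(f"no [{SECTION}] section in ini")
    if in_sec and not found:                   # [Security] was the last section
        if out and not out[-1].endswith("\n"):
            out[-1] += "\n"
        out.append(f"{KEY}={WANTED}\n")
        changed = True
    return "".join(out), changed

def synchronized(log_text):
    """The post-restart check: filter mtxagent.log for the keyword 'Synchronized'."""
    return any("Synchronized" in ln for ln in log_text.splitlines())

# Constructed samples (hypothetical values, not real agent files).
SAMPLE_INI = "[General]\nName=agent1\n[Security]\nSSLProtocols=\n[Log]\nLevel=2\n"
SAMPLE_LOG = "10:00:01 Agent started\n10:02:05 Synchronized with parent\n"

if __name__ == "__main__":
    new_ini, changed = ensure_tls12(SAMPLE_INI)
    print(new_ini, "changed:", changed, "synchronized:", synchronized(SAMPLE_LOG))
```

Running it a second time on its own output returns changed=False, which is the condition the "already set" step in 1.6 would use to mark the rule successful without restarting the agent again.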
B- Update the rollout configurations

Rollout configurations for clients must be updated right away, else the rollout servers will keep installing devices that will not be able to connect to their parent once the parents only accept TLS 1.2:
- Select the rollout configuration in Global Settings > Rollouts
- Go to Agent Configuration > Module Configuration > Security and set "Enabled SSL protocols" to "TLS 1.2"
- Select the rollout servers assigned to this Rollout, then go to the tab "Assigned Schedule" and click on "Generate Package".