Client Management: How to force TLS 1.2 for communications

Version 7

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BMC Client Management


    COMPONENT:

    Client Management


    APPLIES TO:

    Any version of BCM >= 12.6



    QUESTION:

    Is it possible to force SSL communications to TLS 1.2 for inter-agent communications?


    ANSWER:

    This is available from 12.6 onward. On a fresh install, the section on reconfiguring the existing agents can be skipped; the only thing that matters in that situation is to set the agents to use TLS 1.2 right away (rollout configurations).

    This does not apply to the SSL setting between the master and its database. For that, check the following KA instead: Client Management: I forced TLS 1.2 communication on my server but then BCM cannot communicate with the SQL Server Database.

    Warning: This should be tested on a couple of devices before going live. It is very important to proceed step by step: if TLS 1.2 only is enforced on the master and relays before the new configuration has been pushed to all (or at least most) of the devices, the children will no longer be able to communicate with their parent.


    A- Reconfigure the existing agents

    Manually:

    This manual procedure helps set it up quickly on a few devices, as a POC:
    - edit the file ../config/mtxagent.ini in the agent installation folder
    - in the section "Security" of this file, change "SSLProtocols=" to "SSLProtocols=TLS1.2"
    - restart the agent service

    Check that the client is still able to synchronize with its parent after this change: about 2 minutes after restarting the service, open the file ../log/mtxagent.log and filter it for the keyword "Synchronized". If it is found, the agent is communicating correctly.


    By operational rules:

    1- Deploy the new configuration to clients only:
    The easiest way to proceed is to use the step "Update ini file".

    1.1 - Create an Operational Rule (OR)

    1.2 - Add the step "Update ini file"


    Notes:
    - Do not check "Create if it does not exist". If the file does not exist, it means the path is wrong or that there is a problem with the agent on the target system, for example. If the option is unchecked and the operational rule module does not find the file, the rule fails, which makes the issue easier to spot.
    - This applies to Windows. On Linux, the path in the field "File Name" must be set to ../etc/mtxagent.ini instead.

    1.3 - Add the step "Restart Agent"
    The agent must be restarted right away, otherwise the configuration will not be taken into account and may even be lost, because the file would be overwritten by the configuration file saving mechanism.

    1.4 - Test the OR
    Assign it to a couple of clients first. Make sure they still connect to their parent, can be assigned an operational rule, can be Direct Accessed / remote controlled, etc.

    1.5 - Schedule the OR
    Clients:
    - assign it to one or more device groups containing all the clients and relays
    - when asked, do not accept to use the schedule by default
    - edit the schedule of the assignment so that execution occurs at a specific time in the future. The delay should be long enough for as many devices as possible to have received the operational rule assignment.

    1.6 - Wait for propagation
    Wait until (almost) all the devices that are supposed to connect frequently have been updated by this operational rule.

    Note:
    It can be useful to add a first step that checks whether the parameter is already set properly and marks the operational rule as successful if it is. This avoids needless executions of the operational rule.

    2- Update the master:
    Once all relays have been updated, update the configuration of the master manually, as described in the section "Manually" at the top of this KA.
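    The following added example (not BMC code) scripts the two checks described above: it reads or updates SSLProtocols in the [Security] section of mtxagent.ini without creating a missing section or key (the same caution as leaving "Create if it does not exist" unchecked), and it looks for the "Synchronized" keyword in mtxagent.log. The section and key names come from this KA; the ini and log contents are constructed samples.

```python
import re

TARGET = "TLS1.2"
SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

def _split_key(line):
    """Return (key, value, line_ending) for a 'key=value' line, else None."""
    body = line.rstrip("\r\n")
    eol = line[len(body):]
    key, sep, value = body.partition("=")
    return (key, value, eol) if sep else None

def get_ssl_protocols(ini_text):
    """Current SSLProtocols value inside [Security], or None if absent."""
    section = None
    for line in ini_text.splitlines(keepends=True):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        kv = _split_key(line)
        if section == "security" and kv and kv[0].strip().lower() == "sslprotocols":
            return kv[1].strip()
    return None

def set_ssl_protocols(ini_text, value=TARGET):
    """Return (new_text, changed). Only an existing key in an existing
    [Security] section is rewritten; a missing section or key is left alone
    so that a wrong path or a broken agent stays visible. Idempotent."""
    out, section, changed = [], None, False
    for line in ini_text.splitlines(keepends=True):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
        elif section == "security":
            kv = _split_key(line)
            if kv and kv[0].strip().lower() == "sslprotocols" and kv[1].strip() != value:
                line = f"{kv[0].rstrip()}={value}{kv[2]}"  # keep key spelling and line ending
                changed = True
        out.append(line)
    return "".join(out), changed

def agent_synchronized(log_text):
    """True when the agent log contains a 'Synchronized' entry after the restart."""
    return any("Synchronized" in ln for ln in log_text.splitlines())

# Constructed samples (not real agent files): the empty value this KA describes, and a log.
SAMPLE_INI = "[Agent]\nName=lab-client-01\n\n[Security]\nSSLProtocols=\n"
SAMPLE_LOG = "2024-05-01 10:00:01 Agent started\n2024-05-01 10:02:10 Synchronized with parent\n"

if __name__ == "__main__":
    new_ini, changed = set_ssl_protocols(SAMPLE_INI)
    print(changed, get_ssl_protocols(new_ini), agent_synchronized(SAMPLE_LOG))
```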
     
    B- Update the rollout configurations

    Rollout configurations for clients must be updated right away, otherwise the rollout servers will keep installing devices that will not be able to connect to their parent once the parent accepts TLS 1.2 only:
    - select the rollout configuration in Global Settings > Rollouts
    - go to Agent Configuration > Module Configuration > Security and set "Enabled SSL protocols" to "TLS 1.2"


    - select the rollout servers assigned to this Rollout, then go to the tab "Assigned Schedule" and click on "Generate Package"

     
     
     
    Note:
    To configure TLS 1.2 only communications with the database server, follow this KA: Client Management: I forced TLS 1.2 communication on my server but then BCM cannot communicate with the SQL Server Database

     


    Article Number:

    000158322


    Article Type:

    FAQ/Procedural


