This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.
BMC Client Management
Any version of BCM >= 12.6
Is it possible to force SSL communications to TLS 1.2 for inter-agent communications?
This is available from 12.6 onward. On a fresh install, section 1 (deploying the new configuration to existing clients) can be skipped: the only thing that matters in that situation is to set the agents to use TLS 1.2 right away, through the rollout configuration.
This does not apply to setting SSL between the master and its database. For this, check the following KA instead: Client Management: I forced TLS 1.2 communication on my server but then BCM cannot communicate with the SQL Server Database.
Warning: test this on a couple of devices before going live. It is very important to proceed step by step: if TLS 1.2 is enforced on the master and relays before the new configuration has been pushed to all (or at least most) of the devices, the children will no longer be able to communicate with their parent.
A- Reconfigure the existing agents
Manually:
This manual procedure sets it up quickly on a few devices, as a POC:
- edit the file ../config/mtxagent.ini in the agent installation folder
- set "SSLProtocols=" to "SSLProtocols=TLS1.2" in the "Security" section of this file
- restart the agent service
Check that the client can still synchronize with its parent after this change: once the service has been restarted, wait 2 minutes or so, open the file ../log/mtxagent.log and filter it for the keyword "Synchronized". If it is found, the agent is communicating correctly.
By operational rule:
1- Deploy the new configuration to clients only:
The easiest way to proceed is to use the step "Update ini file".
1.2 - Add the step "Update ini file"
- Do not check "Create if it does not exist". If the file does not exist, either the path is wrong or there is a problem with the agent on the target system. With the option unchecked, the rule fails when the operational rule module cannot find the file, which makes the issue easier to spot.
- The ../config/mtxagent.ini path applies to Windows. On Linux, set the "File Name" field to ../etc/mtxagent.ini instead.
1.3 - Add the step "Restart Agent"
The agent must be restarted right away, otherwise the new setting will not be taken into account and may even be lost, because the agent's configuration saving mechanism would overwrite the file.
1.4 - Test the OR
Assign it to a couple of clients first. Make sure they still connect to their parent, can be assigned an operational rule, can be Direct Accessed / taken control of, etc.
1.5 - Schedule the OR
- assign it to one or more device groups containing all the clients and relays
- when prompted, do not accept the default schedule
- edit the schedule of the assignment so that execution occurs at a specific time in the future, far enough away for the maximum number of devices to have received the operational rule assignment
1.6 - Wait for propagation
Wait until (almost) all the devices that are supposed to connect frequently have received this operational rule.
It can be useful to add a first step that checks whether the parameter is already set properly and marks the operational rule as successful if it is. This avoids needless executions of the operational rule.
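As an added example (not BMC's own code or tooling), the following Python script does the manual mtxagent.ini edit from section A in a form that also fits the pre-check suggested just above: it rewrites the [Security] section only when SSLProtocols is not already TLS1.2, refuses to create the file or the section when they are missing (the same reasoning as leaving "Create if it does not exist" unchecked), and reports whether mtxagent.log contains "Synchronized" after the restart. The sample ini contents and sample log lines are constructed for the example, the log line format is an assumption (only the keyword matters), and restarting the agent service is still done separately.

```python
"""Added example, not BMC's own code: set SSLProtocols=TLS1.2 in the [Security]
section of mtxagent.ini only when needed, and look for "Synchronized" in
mtxagent.log after the agent restart. Samples below are constructed."""
from __future__ import annotations

import re
import sys
from pathlib import Path

SECTION = "security"          # [Security] section, compared case-insensitively
KEY = "SSLProtocols"
WANTED = "TLS1.2"
SYNC_MARKER = "Synchronized"  # keyword the KA says to filter mtxagent.log for


def set_ssl_protocols(ini_text: str, value: str = WANTED) -> tuple[str, bool]:
    """Return (new_text, changed) for the contents of mtxagent.ini.

    Line-based edit so comments, key order and line endings are preserved.
    Raises if there is no [Security] section, on the same principle as leaving
    "Create if it does not exist" unticked: fail loudly rather than invent config.
    """
    key_re = re.compile(rf"^\s*{KEY}\s*=(.*)$", re.IGNORECASE)
    out: list[str] = []
    in_security = seen_security = updated = False
    for line in ini_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_security and not updated:       # leaving [Security] without the key: add it
                out.append(f"{KEY}={value}\n")
                updated = True
            in_security = stripped[1:-1].lower() == SECTION
            seen_security = seen_security or in_security
            out.append(line)
            continue
        if in_security and not updated:
            m = key_re.match(line)
            if m:
                if m.group(1).strip() == value:
                    return ini_text, False        # already compliant: nothing to write
                eol = line[len(line.rstrip("\r\n")):]  # keep CRLF or LF as found
                out.append(f"{KEY}={value}{eol}")
                updated = True
                continue
        out.append(line)
    if not seen_security:
        raise ValueError("no [Security] section: wrong path or damaged agent config")
    if not updated:                                # [Security] was last and had no key
        if out and not out[-1].endswith("\n"):
            out[-1] += "\n"
        out.append(f"{KEY}={value}\n")
    return "".join(out), True


def apply_to_file(ini_path: Path) -> bool:
    """Edit the ini in place. True means something was written, so the agent must
    be restarted right away, before its config-saving mechanism overwrites the file."""
    with open(ini_path, encoding="utf-8", newline="") as f:   # newline="" keeps CRLF intact
        text = f.read()
    new_text, changed = set_ssl_protocols(text)
    if changed:
        with open(ini_path, "w", encoding="utf-8", newline="") as f:
            f.write(new_text)
    return changed


def last_sync_line(log_text: str) -> str | None:
    """Most recent mtxagent.log line containing "Synchronized", or None if the
    agent has not synchronized with its parent since the restart."""
    hits = [ln for ln in log_text.splitlines() if SYNC_MARKER in ln]
    return hits[-1] if hits else None


# Constructed sample ini (not a real agent file): note the blank SSLProtocols value.
SAMPLE_INI = (
    "[General]\nName=agent01\n\n"
    "[Security]\nSSLProtocols=\nOther=1\n\n"
    "[Log]\nLevel=3\n"
)
# Constructed log lines; the real mtxagent.log format is not shown in the KA.
SAMPLE_LOG = (
    "10:00:01 Agent started\n"
    "10:00:05 Connecting to parent\n"
    "10:01:30 Synchronized with parent\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "set":      # script set <mtxagent.ini>
        changed = apply_to_file(Path(sys.argv[2]))
        print("ini updated, restart the agent now" if changed else "ini already compliant")
    elif len(sys.argv) == 3 and sys.argv[1] == "check":  # script check <mtxagent.log>
        log = Path(sys.argv[2]).read_text(encoding="utf-8", errors="replace")
        print(last_sync_line(log) or "no Synchronized line found")
    else:                                                # demo on the constructed sample
        new_ini, changed = set_ssl_protocols(SAMPLE_INI)
        print(new_ini)
        print("changed:", changed, "| second run changed:", set_ssl_protocols(new_ini)[1])
        print("sync line:", last_sync_line(SAMPLE_LOG))
```

Run it as "script set <path to mtxagent.ini>", restart the agent, wait a couple of minutes, then "script check <path to mtxagent.log>". The service restart is deliberately left to the operator or to the "Restart Agent" step, since the service name is platform-specific and not given in this KA.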
2- Update the master:
Once all relays have been updated, update the configuration of the master manually, as described in the section "Manually" at the top of this KA.
B- Update the rollout configurations
- select the rollout configuration in Global Settings > Rollouts
- go to Agent Configuration > Module Configuration > Security and set "Enabled SSL protocols" to "TLS 1.2"
- select the rollout servers assigned to this Rollout, then go to the "Assigned Schedule" tab and click "Generate Package"
To configure TLS 1.2-only communications with the database server, follow this KA: Client Management: I forced TLS 1.2 communication on my server but then BCM cannot communicate with the SQL Server Database