Client Management: I forced TLS 1.2 communication on my server but then BCM cannot communicate with the SQL Server Database

Version 1

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BMC Client Management


    COMPONENT:

    Client Management


    APPLIES TO:

    All BMC Client Management (BCM) versions



    PROBLEM:

    Since communication types other than TLS 1.2 are blocked on my network, the master no longer communicates with its database.

    How can I set up the BCM Master to communicate with its database server through TLS 1.2?


    CAUSE:

    BCM internal SQL Driver does not handle TLS 1.2 yet


    SOLUTION:

    To allow the BCM Master to communicate with the SQL Server Database:

    1- Verify that the current SQL driver on the master supports a TLS 1.2-only environment
    SQL Server drivers from version 13 onward correctly handle a TLS 1.2-only environment. If "ODBC Driver 13 for SQL Server" is already available as a choice when creating an ODBC connector, the driver is good to go, e.g.:

    User-added image

    If an older version is installed then download Microsoft® ODBC Driver 17 for SQL Server® from here, as an example, and install it on the BMC Client Management Master system.

    The version of the SQL Server Database must be compatible as well. Make sure it runs version 13 at the minimum.


    2- Update the configuration
    There are two ways to modify the BMC Client Management configuration, depending on the current settings in "C:\Program Files\BMC Software\Client Management\Master\config\Vision64Database.ini":

    A- DatabaseType=odbcdirect
    If "DatabaseType=" in ..\Master\config\Vision64Database.ini is set to "DatabaseType=odbcdirect", then:
    - Edit the ..\Master\config\Vision64Database.ini file to replace the current driver name with the new driver name. The current line looks like this:

      DatabaseName=Driver={SQL Server};Server=MyServer;Database=MyDatabase 
      
    - Replace "{SQL Server}" with the highest version of the SQL Server Database connector installed on the master, e.g.:
      DatabaseName=Driver={ODBC Driver 13 for SQL Server};Server=MyServer;Database=MyDatabase 
      
      or 
      
      DatabaseName=Driver={ODBC Driver 17 for SQL Server};Server=MyServer;Database=MyDatabase 
      
    - Restart the service of the agent on the master 


    B- DatabaseType=ODBC 
    If "DatabaseType=" in ..\Master\config\Vision64Database.ini is set to "DatabaseType=ODBC", then:

    1 - In this situation a System DSN has to be recreated or updated in order to use the ODBC Driver 13+ for SQL Server that is installed on the master: 

    User-added image
    - Set the name for the System DSN: 

    User-added image
    The name doesn't matter, but if it is set to something other than what is shown on this screenshot, the name will need to be entered in Vision64Database.ini in the next steps.

    The Database Server information, such as in "Database Name" and "User Name" can be retrieved from Vision64Database.ini, respectively the "DatabaseName=" and "User=" parameters. 

    Be sure to set the same identification method as for the Database (default mode is SQL Server Authentication). In this example, the login is 'sa' but the default one is 'bcmdbuser': 

    User-added image

    Be sure to change the default database to the current BCM database (the default one is 'bcmdb')

    User-added image

    Then use default parameters: 

    User-added image

    And finally verify that the new connection is working: 

    User-added image

    2- If a new DSN was created, then "C:\Program Files\BMC Software\Client Management\Master\config\Vision64Database.ini" has to be modified in order to use the new ODBC system DSN:
    - first back up the current Vision64Database.ini
    - update the file Vision64Database.ini as follows:
      DatabaseType=ODBC
      DatabaseName=bcmdb17

      Where 'bcmdb17' must be replaced with the name that was set for the new ODBC system DSN (third screenshot from the top)
    - save this file 
    - restart BMC Client Management Master service. 
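
    The check below covers both cases A and B above. It is an added example, not BMC tooling or part of the original article: it reads Vision64Database.ini, works out which driver the master will actually use, and compares it with the "version 13 at the minimum" rule stated in step 1. It assumes the default install path quoted above and the built-in Get-OdbcDriver / Get-OdbcDsn cmdlets (Windows 8 / Server 2012 or later).

```powershell
# Added example (not BMC tooling): read-only check of the master's database settings.
param(
    # Default install path quoted in the article; change it for a custom install.
    [string]$IniPath = 'C:\Program Files\BMC Software\Client Management\Master\config\Vision64Database.ini'
)

# Parse key=value lines. Only the first '=' separates key from value, because
# DatabaseName itself contains '=' in the odbcdirect case.
$cfg = @{}
foreach ($line in Get-Content -LiteralPath $IniPath) {
    if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $cfg[$Matches[1]] = $Matches[2] }
}

# Installed drivers named "ODBC Driver NN for SQL Server", highest version first.
$installed = Get-OdbcDriver -Platform All |
    Where-Object { $_.Name -match '^ODBC Driver \d+ for SQL Server$' } |
    Select-Object -ExpandProperty Name -Unique |
    Sort-Object { [int]($_ -replace '\D') } -Descending

$driver = $null
switch ($cfg['DatabaseType']) {
    'odbcdirect' {
        # Case A: the driver is named inline, Driver={...};Server=...;Database=...
        if ($cfg['DatabaseName'] -match 'Driver=\{([^}]+)\}') { $driver = $Matches[1] }
    }
    'ODBC' {
        # Case B: DatabaseName is a System DSN name; resolve the driver behind it.
        $dsn = Get-OdbcDsn -Name $cfg['DatabaseName'] -DsnType System -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($dsn) { $driver = $dsn.DriverName }
    }
}

# Threshold taken from the article: driver version 13 or later.
$meets = ($driver -match '^ODBC Driver (\d+) for SQL Server$') -and ([int]$Matches[1] -ge 13)

[pscustomobject]@{
    DatabaseType        = $cfg['DatabaseType']
    DriverInUse         = $driver
    MeetsVersion13Rule  = $meets
    HighestInstalled    = $installed | Select-Object -First 1
}
```

    An empty DriverInUse in case B means the DSN named in DatabaseName does not exist as a System DSN, which is the state the master is in if the ini file was updated before the DSN was created.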


    Note: 
    At the time of writing of this KA, the following registry keys had to be set to enable only TLS 1.2 on the system itself:
     
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]  
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]  
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]  
    "DisabledByDefault"=dword:00000001  
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]  
    "Enabled"=dword:00000000  
    "DisabledByDefault"=dword:00000001  
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]  
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]  
    "Enabled"=dword:00000000  
    "DisabledByDefault"=dword:00000001  
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]  
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]  
    "Enabled"=dword:00000000  
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]  
    "Enabled"=dword:00000000  
    "DisabledByDefault"=dword:00000001  
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]  
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]  
    "DisabledByDefault"=dword:00000000 
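
    To confirm what a host actually has configured, the SCHANNEL keys can be read back. The script below is an added example, not part of the original article; it also reports TLS 1.1 and the Client/Server subkeys that the export above leaves unset, since an absent value means the Windows default for that OS version applies.

```powershell
# Added example: read-only audit of the SCHANNEL protocol keys listed in the note.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelState {
    param($Enabled, $DisabledByDefault)
    if ($null -eq $Enabled -and $null -eq $DisabledByDefault) {
        return 'not set (Windows default applies)'
    }
    if ($null -ne $Enabled -and $Enabled -eq 0) {
        return 'disabled'
    }
    if ($null -ne $DisabledByDefault -and $DisabledByDefault -ne 0) {
        # Not offered by default, but an application can still request it.
        return 'off by default'
    }
    return 'enabled'
}

$report = foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        # A missing key or value simply yields $null here.
        $p = Get-ItemProperty -Path "$base\$proto\$role" -ErrorAction SilentlyContinue
        $state = Get-SchannelState $p.Enabled $p.DisabledByDefault
        [pscustomobject]@{
            Protocol          = $proto
            Role              = $role
            Enabled           = $p.Enabled
            DisabledByDefault = $p.DisabledByDefault
            State             = $state
            # Anything older than TLS 1.2 that is not explicitly disabled deserves a look.
            Review            = ($proto -ne 'TLS 1.2' -and $state -ne 'disabled')
        }
    }
}

$report | Format-Table -AutoSize
```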

     


    Article Number:

    000166431


    Article Type:

    Solutions to a Product Problem


