IT Management Suite

  • 1.  TLS 1.0 / 1.1 deprecated

    Posted Nov 14, 2022 04:08 AM
    Hi Experts,
    I was wondering if the changes made in Microsoft Windows OS to stop using TLS 1.0 and 1.1 are something that we need to take any active action on in the ITMS?
    What is the procedure required to update and enable TLS 1.2 / 1.3 on the console / site servers, if there is such a use case?

    tnx,
    Hagai


  • 2.  RE: TLS 1.0 / 1.1 deprecated
    Best Answer

    Broadcom Employee
    Posted Nov 14, 2022 04:37 AM

    Hi Hagai!

    There is a KB about TLS for ITMS:
    https://knowledge.broadcom.com/external/article/170734/enabling-tls-12-for-the-itms-management.html

    On the CEM Gateway server, the CEM Gateway manager UI will show which TLS is enabled in System.
    For example, now it shows that all available TLS versions are available and can be used. If only TLS 1.3 is enabled, then the UI will show only TLS 1.3.


    For Agent and Site Servers communication profiles, you can disable unnecessary TLS versions


    and check TLS settings for Site Server profiles


    Best regards,
    IP.






  • 3.  RE: TLS 1.0 / 1.1 deprecated

    Posted Nov 14, 2022 04:42 AM
    Thank you Igor, I will test and see if this works for us.

    By the way, if anybody chooses only a specific TLS version and prefers one version over the other, does it matter or impact the ITMS environment in any way?

    tnx,
    Hagai


  • 4.  RE: TLS 1.0 / 1.1 deprecated

    Posted Nov 17, 2022 09:27 AM
    After you configure TLS 1.2+, you might start having issues where jobs/tasks are assigned in the console but there is a delay before the tasks actually go out to clients, even though the agents are registered with a task server and have run other tasks successfully.

    If you see a status of 'Queued' every time you assign a job/task in the console, be sure to configure the registry on all of your task servers (including your SMP server) as per the second part of KB 170734, to force .NET to use TLS 1.2 or higher.  (These registry changes are also recommended in KB 215999, because they also solve a problem with Ghost imaging failing in a TLS 1.2-only environment.)  Specifically:

    1. Add (or modify if these already exist) the following registry keys with the specified values:

        [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
        "SystemDefaultTlsVersions"=dword:00000001
        "SchUseStrongCrypto"=dword:00000001

        [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
        "SystemDefaultTlsVersions"=dword:00000001
        "SchUseStrongCrypto"=dword:00000001

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
        "SystemDefaultTlsVersions"=dword:00000001
        "SchUseStrongCrypto"=dword:00000001

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
        "SystemDefaultTlsVersions"=dword:00000001
        "SchUseStrongCrypto"=dword:00000001

    Note:  you may need to reboot your servers for the changes to go into effect.  

    Hope this is helpful!

    ------------------------------
    Sherri Nichols
    Cyber Security Engineer at NetX Information Systems, Inc.
    ------------------------------
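
A read-only audit of the registry values listed in the post above, added here as an example and not part of the original post or of any Broadcom KB. The function name `Test-DotNetTlsRegistry` is hypothetical; the key paths and value names are the ones given in the post.

```powershell
# Added example: reports whether the .NET TLS values from the post are set to 1.
# Read-only; nothing is written to the registry.
function Test-DotNetTlsRegistry {
    [CmdletBinding()]
    param()

    # The four keys and two value names come from the post (KB 170734, second part).
    $keys = @(
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    )
    $names = 'SystemDefaultTlsVersions', 'SchUseStrongCrypto'

    foreach ($key in $keys) {
        foreach ($name in $names) {
            # A missing key or value is reported as $null instead of throwing.
            $actual = $null
            if (Test-Path -LiteralPath $key) {
                $props = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
                if ($null -ne $props) { $actual = $props.$name }
            }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Key       = $key
                Name      = $name
                Actual    = $actual
                Compliant = ($actual -eq 1)
            }
        }
    }
}

$results = @(Test-DotNetTlsRegistry)
$results | Format-Table -Property Computer, Key, Name, Actual, Compliant -AutoSize

# Summarise anything that is absent or set to a value other than 1.
$missing = @($results | Where-Object { -not $_.Compliant })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) of $($results.Count) values are missing or not set to 1."
}
```

Run it from a 64-bit PowerShell session on each task server and the SMP server; in a 32-bit session, registry redirection makes the `SOFTWARE` paths resolve to the `WOW6432Node` view, so both halves of the report would describe the same keys.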



  • 5.  RE: TLS 1.0 / 1.1 deprecated

    Posted Nov 17, 2022 10:04 AM
    Thank you Sherri,
    I will take this and check if relevant to us.

    Appreciate the input.

    Tnx,
    Hagai