7018652: Enabling SAM 8.0 to communicate using only TLS 1.2

This document (7018652) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Sentinel Agent Manager 8.0

Situation

After Sentinel is configured to be PCI compliant, communication between SAM (Sentinel Agent Manager) and Sentinel stops working.

Resolution

The following steps must be performed to ensure that communication between SAM and Sentinel works properly after PCI compliance is enabled on Sentinel:
1. Ensure that the SQL Server patches that add TLS 1.2 support are applied to the SAM database server. Refer to https://support.microsoft.com/en-us/help/3135244/tls-1.2-support-for-microsoft-sql-server to determine whether your version of SQL Server needs a patch.
2. Ensure that the appropriate Windows hotfix (depending on the OS) has been applied to the SAM Central Computer. Refer to the "Additional fixes needed for SQL Server to use TLS 1.2" section of https://support.microsoft.com/en-us/help/3135244/tls-1.2-support-for-microsoft-sql-server to obtain the hotfix.
3. After applying the hotfix, set the following registry entries so that the TLS versions supported by the OS are used for .NET (SqlClient) communication instead of the .NET 2.0/3.5 defaults.
For 64-bit operating systems,
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
For 32-bit operating systems,
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
*The steps for updating the registry are also available at the above link if needed for reference.
4. Finally, to enable TLS 1.2 client communication in SCHANNEL, create the following registry keys and values.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
5. Restart the system for the registry changes to take effect.
*******************************************************************************
IMPORTANT: Please note the following when the Sentinel Collector Manager (in which the Agent Manager Connector is deployed) is running in FIPS mode:
If the SAM Central Computer is also FIPS enabled:
————————————————–
* Only step #1 must be performed, i.e. only the SQL Server needs to be patched.
* OS-level patches and registry changes are not required on the Central Computer.
If the SAM Central Computer is not FIPS enabled:
————————————————-
* All the above steps must be performed, but with a modification in step #4: the registry entries must be created for TLS 1.1 instead of TLS 1.2.
* If TLS 1.2 is enabled on the Central Computer, it must be disabled.
*******************************************************************************
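The following PowerShell script is an added example (not part of the original TID and not NetIQ code) that applies steps 3 and 4 on the SAM Central Computer and reads the values back. The parameter names (-Protocol, -DisableTls12) and the helper function are assumptions of this example; the registry paths and values are the ones listed above. Run it from an elevated prompt, and still reboot afterwards (step 5).

```powershell
# Added example, not from the NetIQ TID: apply the .NET and SCHANNEL registry
# settings from steps 3 and 4, then read them back for verification.
# -Protocol and -DisableTls12 are names chosen for this example.
[CmdletBinding()]
param(
    # 'TLS 1.2' for the normal case; 'TLS 1.1' for a non-FIPS Central Computer
    # whose Collector Manager runs in FIPS mode (see the IMPORTANT note above).
    [ValidateSet('TLS 1.1', 'TLS 1.2')]
    [string]$Protocol = 'TLS 1.2',
    # In the TLS 1.1 case the TID requires TLS 1.2 to be disabled if it is enabled.
    [switch]$DisableTls12
)

function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Step 3: make .NET 2.0/3.5 follow the OS default TLS versions.
$netKeys = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727')
if (Test-Path -Path 'HKLM:\SOFTWARE\Wow6432Node') {
    # Wow6432Node exists only on 64-bit Windows; the 32-bit .NET view needs it too.
    $netKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'
}
foreach ($key in $netKeys) {
    Set-DwordValue -Path $key -Name 'SystemDefaultTlsVersions' -Value 1
}

# Step 4: enable the client side of the chosen protocol in SCHANNEL.
# The protocol key is created first, then its Client subkey, as in the TID.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protoKey  = Join-Path -Path $protocols -ChildPath $Protocol
$clientKey = Join-Path -Path $protoKey  -ChildPath 'Client'
foreach ($k in @($protoKey, $clientKey)) {
    if (-not (Test-Path -Path $k)) { New-Item -Path $k -Force | Out-Null }
}
Set-DwordValue -Path $clientKey -Name 'DisabledByDefault' -Value 0
Set-DwordValue -Path $clientKey -Name 'Enabled' -Value 1

# FIPS variant: TLS 1.1 is enabled above, and TLS 1.2 must be turned off.
if ($DisableTls12 -and $Protocol -ne 'TLS 1.2') {
    $tls12Client = Join-Path -Path (Join-Path -Path $protocols -ChildPath 'TLS 1.2') -ChildPath 'Client'
    Set-DwordValue -Path $tls12Client -Name 'DisabledByDefault' -Value 1
    Set-DwordValue -Path $tls12Client -Name 'Enabled' -Value 0
}

# Read everything back so the change can be checked before the reboot.
foreach ($key in ($netKeys + $clientKey)) {
    Get-ItemProperty -Path $key |
        Select-Object -Property PSPath, SystemDefaultTlsVersions, DisabledByDefault, Enabled
}
Write-Host "Registry updated for $Protocol client use. Reboot the Central Computer (step 5) to apply."
```

Usage: `.\Enable-SamTls.ps1` for the standard TLS 1.2 case, or `.\Enable-SamTls.ps1 -Protocol 'TLS 1.1' -DisableTls12` for the non-FIPS Central Computer / FIPS Collector Manager case. The script only touches the Client side of the SCHANNEL protocol key, matching step 4; it does not change server-side protocol settings or the SQL Server patch level from step 1, which must be verified separately.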

Cause

When the Sentinel server is PCI compliant, the SAM (Sentinel Agent Manager) server cannot communicate with it. PCI compliance disables SSLv3 and TLSv1.0 on the Sentinel server, and these are the only protocol versions the unpatched SAM Central Computer (.NET 2.0/3.5 and its SQL Server client) will negotiate. For SAM to communicate with Sentinel while Sentinel remains PCI compliant, TLSv1.2 must be enabled on the SAM box.

Keep in mind that all of the protocol restrictions are handled at the OS and SQL Server level, so each environment can choose which protocol versions are allowed or disallowed.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.
