How to configure SCOM to use TLS 1.2 for Unix/Linux Client

Question

  • Hello,

    We already changed our SCOM environment and all Windows clients to TLS 1.2 but kept the Unix/Linux resource pool on TLS 1.0 (TLS 1.2 is already activated on the management servers of this resource pool).

    We now changed the OMIServer.conf file and added these lines:

    #NoSSLv2=true

    #NoSSLv3=true

    #sslciphersuite=HIGH:!DSS:!aNULL@STRENGTH

    But how can we disable TLSv1? We already tried to just use NoTLSv1, but then the omiserver won't restart... Unfortunately, I can't find more than how to disable SSL2/3, but no information about how to disable TLS.

    Any help would be appreciated... thank you

    Monday, May 13, 2019 9:46 AM

All replies

  • Hi Martin,

    Did you have a look at the KB article below?

    TLS 1.2 Protocol Support Deployment Guide for System Center 2016
    https://support.microsoft.com/en-us/help/4051111


    Quoting from the above link:

    TLS hardening in Linux

    Follow the instructions on the appropriate website to configure TLS 1.2 on your Red Hat or Apache environment.

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Monday, May 13, 2019 9:57 AM
  • Hello Leon,

    thank you very much for your reply. Unfortunately, we are not allowed to modify SSL/TLS settings in general for Linux machines... Some applications probably still need TLS 1.0 and they got risk acceptance, but not for SCOM - I wonder if there is not a setting similar to NoSSL2 in omiserver.conf - that would be the best way.

    Martin

    Monday, May 13, 2019 11:05 AM
  • This isn't my area of expertise, but did you look at the GitHub repository below?

    https://github.com/microsoft/omi


    Blog: https://thesystemcenterblog.com

    Monday, May 13, 2019 11:19 AM
  • Hi,

    As Leon suggested, the right property is NoTLSv1_0, instead of NoTLSv1, and we may try it to see if the service can start.

    Hope the above information helps.

    Regards,

    Alex Zhu
    -----------------------------------------------
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    • Marked as answer by Martin FFB Tuesday, May 14, 2019 7:33 AM
    • Unmarked as answer by Martin FFB Monday, May 20, 2019 11:37 AM
    Tuesday, May 14, 2019 2:28 AM
  • Great! Thank you... maybe I have some issues with my eyes but I overlooked the _0 there... So stupid...

    Thank you

    Tuesday, May 14, 2019 7:34 AM


  • I changed the Settings to:
    NoSSLv2=True
    NoSSLv3=True
    NoTLSv1_0=True
    NoTLSv1_1=True

    Starting Open Group OMI Server: [FAILED]
    /opt/omi/bin/omiserver: /etc/opt/omi/conf/omiserver.conf(57): unknown key: NoTLSv1_0
    RETURN CODE: 1

    Seems not to be working with these settings... :(

    Monday, May 20, 2019 11:37 AM
  • Hi Martin,

    did you get this working? Thanks for your feedback!

    Regards,


    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Saturday, June 15, 2019 8:56 PM
  • Hello Stoyan,

    unfortunately not :-( We still try to get this solved but there is no helpful information on the Internet. The recommended settings NoTLSv1_0=True and NoTLSv1_1=True stop the service from running, so they don't work...

    thank you

    Martin

    Monday, June 17, 2019 6:10 AM
  • Hi Martin,

    not sure if I get this right, but with this config you have no TLS capability at all (I mean all NoTLSvxxx=True), so the agent won't be able to communicate, thus the stop?

    Am I missing something?

    Regards,


    Thursday, November 7, 2019 11:44 AM
  • After many hours of investigation and 2 tickets with MS Support we figured it out...

    a) The information in Git is always related to dedicated versions. We found that version .340 is not able to use these parameters while version .343 is working as expected. So with a new agent version it will work...

    After the new agents, the sudoers that were in place were not working any longer, so we had to investigate this as well and found that the sudoers described on Git are not working, but the sudoers on Kevin Holman's page do... so we are able to work now...

    Thank you all

    • Marked as answer by Martin FFB Thursday, November 7, 2019 12:49 PM
    Thursday, November 7, 2019 12:49 PM
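An added example, not from the thread or from the OMI project: a small POSIX shell audit of the protocol keys discussed above (NoSSLv2, NoSSLv3, NoTLSv1_0, NoTLSv1_1) in an omiserver.conf, which also flags keys that are present only commented out (a leading `#` makes the line a comment, so such a key changes nothing). The sample config is constructed; port 1270 in the post-restart probe is assumed to be the OMI HTTPS listener.

```shell
# Added example (not from the thread): audit omiserver.conf protocol keys
# before restarting the service, using the key names used in the thread.

# Constructed sample config, modelled on the snippets posted above.
SAMPLE_CONF="$(mktemp)"
cat >"$SAMPLE_CONF" <<'EOF'
#NoSSLv2=true
NoSSLv3=True
NoTLSv1_0=True
NoTLSv1_1=True
sslciphersuite=HIGH:!DSS:!aNULL@STRENGTH
EOF

# omi_key_state FILE KEY -> "disabled", "commented" or "unset".
# A key that only appears behind '#' is a comment and has no effect; that is
# easy to miss when pasting snippets from documentation.
omi_key_state() {
  if grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*true[[:space:]]*$" "$1"; then
    echo disabled
  elif grep -Eiq "^[[:space:]]*#[[:space:]]*$2[[:space:]]*=" "$1"; then
    echo commented
  else
    echo unset
  fi
}

# omi_audit FILE -> one line per key plus a summary; exit status 0 only when
# every legacy protocol key is active, 1 when something is still negotiable.
omi_audit() {
  legacy=0
  for key in NoSSLv2 NoSSLv3 NoTLSv1_0 NoTLSv1_1; do
    state="$(omi_key_state "$1" "$key")"
    printf '%-10s %s\n' "$key" "$state"
    [ "$state" = disabled ] || legacy=$((legacy + 1))
  done
  echo "legacy protocols still negotiable: $legacy"
  [ "$legacy" -eq 0 ]
}

# omi_tls_probe HOST OPENSSL_VERSION_FLAG [PORT]: after the restart, confirm
# the listener from the management server: -tls1 and -tls1_1 must fail,
# -tls1_2 must succeed. Port 1270 is assumed (OMI HTTPS listener).
omi_tls_probe() {
  openssl s_client -connect "$1:${3:-1270}" "$2" </dev/null >/dev/null 2>&1
}

omi_audit "$SAMPLE_CONF" || echo "fix the keys above before restarting omiserver"
```

On the constructed sample the audit reports NoSSLv2 as commented and one legacy protocol still negotiable; the agent version caveat from the thread (a key the running agent does not know aborts startup with "unknown key") is not something a file check can catch, so keep the probe step after the restart.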
  • Hi Martin,

    thank you very much for sharing this here, this can be helpful to many.

    Regards,


    Friday, November 8, 2019 3:50 PM