How to configure SCOM to use TLS 1.2 for Unix/Linux Client

  • Question

  • Hello,

    We already changed our SCOM environment and all Windows clients to TLS 1.2 but kept the Unix/Linux Resource Pool on TLS 1.0 (TLS 1.2 is already activated on the Management Servers of this Resource Pool).

     

    We have now changed the OMIServer.conf file and added these lines:

    #NoSSLv2=true

    #NoSSLv3=true

    #sslciphersuite=HIGH:!DSS:!aNULL@STRENGTH

     

    But how can we disable TLSv1? We already tried just using NoTLSv1, but then the omiserver won't restart... Unfortunately, I can't find more than how to disable SSL2/3, but no information about how to disable TLS.

    Any help would be appreciated... thank you

    Monday, May 13, 2019 9:46 AM

All replies

  • Hi Martin,

    Did you have a look at the KB article below?

    TLS 1.2 Protocol Support Deployment Guide for System Center 2016
    https://support.microsoft.com/en-us/help/4051111


    Quoting from the above link:

    TLS hardening in Linux

    Follow the instructions on the appropriate website to configure TLS 1.2 on your Red Hat or Apache environment.

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Monday, May 13, 2019 9:57 AM
  • Hello Leon,

    Thank you very much for your reply. Unfortunately, we are not allowed to modify SSL/TLS settings in general for Linux machines... Some applications probably still need TLS 1.0 and they got risk acceptance, but not for SCOM - I wonder if there isn't a setting similar to NoSSL2 in omiserver.conf - that would be the best way

    Martin

    Monday, May 13, 2019 11:05 AM
  • This isn't my area of expertise, but did you look at the GitHub repository below?

    https://github.com/microsoft/omi


    Blog: https://thesystemcenterblog.com

    Monday, May 13, 2019 11:19 AM
  • Hi,

    As Leon suggested, the right property is NoTLSv1_0, instead of NoTLSv1, and we may try it to see if the service can start.

    Hope the above information helps.

    Regards,

    Alex Zhu
    • Marked as answer by Martin FFB Tuesday, May 14, 2019 7:33 AM
    • Unmarked as answer by Martin FFB Monday, May 20, 2019 11:37 AM
    Tuesday, May 14, 2019 2:28 AM
  • Great! Thank you... maybe I have some issues with my eyes, but I overlooked the _0 there... So stupid...

    Thank you

    Tuesday, May 14, 2019 7:34 AM


  • I changed the settings to:
    NoSSLv2=True
    NoSSLv3=True
    NoTLSv1_0=True
    NoTLSv1_1=True

    Starting Open Group OMI Server: [FAILED]
    /opt/omi/bin/omiserver: /etc/opt/omi/conf/omiserver.conf(57): unknown key: NoTLSv1_0
    RETURN CODE: 1

    seems to be not working with these settings… :(

    Monday, May 20, 2019 11:37 AM
  • Hi Martin,

    did you get this working? Thanks for your feedback!

    Regards,


    Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Saturday, June 15, 2019 8:56 PM
    Moderator
  • Hello Stoyan,

    Unfortunately not :-( We are still trying to get this solved, but there is no helpful information on the Internet. The recommended settings NoTLSv1_0=True and NoTLSv1_1=True stop the service from running, so they don't work...

    thank you

    Martin

    Monday, June 17, 2019 6:10 AM
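
An added example, not written by any participant in this thread and not part of the OMI project: a small audit that reports, for each protocol-disable key mentioned above, whether it is set, commented out, missing, or rejected by the server at startup. It assumes that `#` starts a comment in omiserver.conf and uses the key spellings from the thread; the function name `audit` and the status labels are hypothetical.

```python
import re

# Key names exactly as spelled in this thread; whether an installed OMI build
# accepts them is not assumed (the thread shows one build rejecting NoTLSv1_0).
PROTOCOL_KEYS = ("NoSSLv2", "NoSSLv3", "NoTLSv1_0", "NoTLSv1_1")

# Shape of the startup error quoted in the thread:
#   <binary>: <conf path>(<line>): unknown key: <key>
UNKNOWN_KEY = re.compile(r"\((\d+)\): unknown key: (\S+)")


def audit(conf_text, startup_output=""):
    """Return {key: status}; status is 'configured', 'set-false',
    'commented-out', 'missing' or 'rejected'."""
    rejected = {key for _line, key in UNKNOWN_KEY.findall(startup_output)}
    status = {key: "missing" for key in PROTOCOL_KEYS}
    for raw in conf_text.splitlines():
        line = raw.strip()
        commented = line.startswith("#")  # assumption: '#' starts a comment
        name, sep, value = line.lstrip("#").strip().partition("=")
        name = name.strip()
        if not sep or name not in status:
            continue
        if commented:
            # A commented line only counts if no live setting exists for the key.
            if status[name] == "missing":
                status[name] = "commented-out"
        elif name in rejected:
            status[name] = "rejected"
        elif value.strip().lower() == "true":
            # 'configured' means present and true, not that the server accepted it.
            status[name] = "configured"
        else:
            status[name] = "set-false"
    return status


# Constructed sample: one commented line as in the first post, plus later settings.
SAMPLE_CONF = """\
#NoSSLv2=true
NoSSLv3=True
NoTLSv1_0=True
NoTLSv1_1=True
"""
# Startup error as quoted in the thread.
SAMPLE_ERROR = ("/opt/omi/bin/omiserver: /etc/opt/omi/conf/omiserver.conf(57): "
                "unknown key: NoTLSv1_0")

if __name__ == "__main__":
    for key, state in audit(SAMPLE_CONF, SAMPLE_ERROR).items():
        print(f"{key:10} {state}")
```

A key reported as `commented-out` or `rejected` is not disabling anything, so the corresponding protocol should still be treated as enabled on that agent.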