Remote Control version 10.1.0
includes support for Transport Layer Security (TLS) version 1.3.
- TLSv1.3 Protocol Support
- By default, Remote Control components at version 10.1.0 operate in backward
compatibility mode. In this mode, components at version 10.1.0 and earlier
versions interoperate with no disruption. When a connection is established
between two components at version 10.1.0, the TLSv1.3 protocol is used.
Otherwise, the TLSv1.2 protocol is used.
- When planning to upgrade to version 10.1, it is recommended to upgrade the
controllers first if the environment is configured in FIPS mode. If the
environment is not configured in FIPS, there are no requirements on the
order of upgrading the components.
- Once all product components are updated to version 10.1.0, or when you are
deploying a brand new Remote Control environment from scratch, you can
configure the product to operate in TLSv1.3 only mode. In this mode, the only
connection protocol allowed between components is TLSv1.3. Any connection
attempt involving a component at an older version fails.
- Make sure all components are at the 10.1.0 level before you follow the
activation procedure indicated in the following pages. For Managed targets,
you can use the new report named "Targets not capable of TLSv1.3", available
in the Remote Control Server from the Report Menu -> Standard Reports. Ensure
that this report lists no targets before activating TLSv1.3 only mode in a
Managed environment. You can also use the Remote Control Analysis from the
BigFix Console to verify the version of the installed components.
- The Remote Control Analysis "#4 - Remote Control Installation and Security
Options" includes a new property named "TLSv1.3 Only" that indicates if the
target is currently operating in this mode of operation. The value of this
property depends on the version of the installed target and the target
configuration.
- Note: If you enable TLSv1.3 only mode while there are still components at a
pre-10.1.0 version in the environment, an attempt to establish a session with
those components fails. The exact extent and symptom of the failure vary
depending on the session type, timings, etc.
- Note: If you enable TLSv1.3 only mode on a target at a version earlier than
10.1.0, the target enters an idle, not working state because it cannot honor
the constraint. To recover the target, upgrade it to version 10.1 or revert
the TLSv1.3 only mode.
- Note: The IBM Java JCE FIPS 140-2 Cryptographic Module included in the Remote
Control Server does not support the TLSv1.3 protocol. This implies that in a
Managed Mode environment configured in FIPS mode, it is not possible to
operate the product in TLSv1.3 only mode. In a Remote Control version 10.1.0
environment configured in FIPS, connections between components always use
FIPS certified providers. Connections between Targets, Controllers, and
Brokers use the TLSv1.3 protocol; connections between those components and
the Remote Control Server use the TLSv1.2 protocol.
- Enable TLSv1.3 Only Mode in Managed Mode
- In managed mode, the Controller receives the indication to operate in
TLSv1.3 only mode from the Remote Control server with an argument in the
.trcjws file at session start time.
- The target receives the indication to operate in TLSv1.3 only mode from the
Remote Control server at call home time. It is also possible to configure
this mode of operation from the BigFix Console by generating a target
configuration task with the Target Configuration Wizard.
- The Remote Control server and Brokers are configured manually.
- The Gateways do not require any configuration.
- There is no specific order on what component to configure first.
- Configure the Broker to operate in TLSv1.3 Only Mode
- Version 10.1.0 provides new properties that control the allowed protocol.
These properties are located in the trc_broker.properties file.
- For the connection between the Broker and the Server
- ServerTLS12 = yes
- ServerTLS13 = yes
- For all the other connections, both incoming and outgoing
- DefaultUseTLS12 = yes
- DefaultUseTLS13 = yes
- Optionally, per connection prefix (overriding the Default values for that prefix)
- prefix.UseTLS12 = yes
- prefix.UseTLS13 = yes
- By default, at version 10.1.0, the broker will allow both protocols. To use
TLSv1.3 only mode, specify "ServerTLS12 = no" and "DefaultUseTLS12 = no" in
the trc_broker.properties.
- Note: A Broker upgrade may overwrite the existing trc_broker.properties file.
Make a backup copy of the trc_broker.properties file before proceeding with
the upgrade. After the upgrade, review and update your broker configuration.
Remove any existing DefaultTLSCipherList, DefaultHTTPSCipherList, ServerTLS*,
and *UseTLS* properties. This ensures that the Broker operates with the
version 10.1.0 configuration. To enable TLSv1.3 only mode, add
"ServerTLS12 = no" and "DefaultUseTLS12 = no" to the trc_broker.properties
file.
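The following script is an added example for reviewing a trc_broker.properties file before and after the steps above; it is not part of the Remote Control product or its documentation. It parses the Server*, Default* and prefix-level properties listed above, computes which protocols each connection still accepts, and flags anything that would keep the broker out of TLSv1.3 only mode. Two things are assumptions rather than statements from the page: the file uses Java-style "key = value" lines with "#" comments, and a "<prefix>.UseTLS12/13" value overrides the corresponding Default value for that prefix only. The sample property files are constructed.

```python
"""Offline review of a trc_broker.properties file for TLSv1.3 only mode.

Added example; not part of the Remote Control product or its documentation.
Assumptions not stated on the page: Java-style "key = value" lines with '#'
comments, and "<prefix>.UseTLS1x" overriding "DefaultUseTLS1x" for that prefix.
"""
import re

# Optional per-prefix properties from the page: <prefix>.UseTLS12 / <prefix>.UseTLS13
PREFIX_KEY = re.compile(r"^(?P<prefix>.+)\.UseTLS1(?P<minor>[23])$")


def parse_properties(text):
    """Parse simple 'key = value' lines; comments are skipped, later duplicates win."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def allows(props, key, fallback_key=None):
    """True when the property (or its fallback) is 'yes'.

    The page states that a 10.1.0 broker allows both protocols by default,
    so a property that is absent everywhere counts as 'yes'.
    """
    value = props.get(key)
    if value is None and fallback_key is not None:
        value = props.get(fallback_key)
    return (value or "yes").strip().lower() == "yes"


def _protocol_set(props, key12, key13, fallback12=None, fallback13=None):
    allowed = set()
    if allows(props, key12, fallback12):
        allowed.add("TLSv1.2")
    if allows(props, key13, fallback13):
        allowed.add("TLSv1.3")
    return allowed


def effective_protocols(props):
    """Map each connection (server link, default, every prefix) to its allowed protocols."""
    result = {
        "server": _protocol_set(props, "ServerTLS12", "ServerTLS13"),
        "default": _protocol_set(props, "DefaultUseTLS12", "DefaultUseTLS13"),
    }
    prefixes = {m.group("prefix") for m in map(PREFIX_KEY.match, props) if m}
    for prefix in sorted(prefixes):
        result[prefix] = _protocol_set(
            props, f"{prefix}.UseTLS12", f"{prefix}.UseTLS13",
            "DefaultUseTLS12", "DefaultUseTLS13",
        )
    return result


def tls13_only_violations(props):
    """Connections that still accept TLSv1.2, or that end up with no protocol at all."""
    problems = []
    for name, allowed in effective_protocols(props).items():
        if "TLSv1.2" in allowed:
            problems.append(f"{name}: TLSv1.2 still allowed")
        if not allowed:
            problems.append(f"{name}: no protocol allowed (misconfiguration)")
    return problems


# Constructed sample: a 10.1.0 broker in backward compatibility mode, with one
# connection prefix (name invented here) already restricted to TLSv1.3.
BACKWARD_COMPAT = """
# constructed sample trc_broker.properties
ServerTLS12 = yes
ServerTLS13 = yes
DefaultUseTLS12 = yes
DefaultUseTLS13 = yes
inbound1.UseTLS12 = no
"""

# Constructed sample: the same broker after applying the page's TLSv1.3 only settings.
TLS13_ONLY = """
ServerTLS12 = no
ServerTLS13 = yes
DefaultUseTLS12 = no
DefaultUseTLS13 = yes
"""

if __name__ == "__main__":
    for label, text in (("backward compatibility", BACKWARD_COMPAT), ("TLSv1.3 only", TLS13_ONLY)):
        print(f"{label}: {tls13_only_violations(parse_properties(text)) or ['OK']}")
```

Run it against a copy of the real file by reading the file contents into `parse_properties`; an empty result means every connection, including each prefix, is restricted to TLSv1.3, while a "no protocol allowed" finding points at a prefix or default where both protocols were switched off.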
- Configure the Server to operate in TLSv1.3 Only Mode
- Edit the ssl.xml file, copy the sslProtocol and enabledCiphers values from the
commented section into the ssl section, and restart the Remote Control
server service.
    <ssl id="defaultSSLConfig"
         sslProtocol="TLSv1.3,TLSv1.2"
         enabledCiphers="TLS_AES_256_GCM_SHA384.... "
    />
    <!-- To run the server in TLS 1.3 Only mode use the following settings in the ssl section above
         sslProtocol="TLSv1.3"
         enabledCiphers="TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256"
    -->
The ssl.xml file is in the following folder:
- Linux®
- <Installation_directory>/wlp/usr/servers/trcserver/ssl.xml
- Windows®
- <Installation_directory>\wlp\usr\servers\trcserver\ssl.xml
- Set the enforce.TLSv13.only property to "true" in the common.properties file.
From the Admin menu of the Remote Control server web interface, select Edit
Properties Files and select common.properties from the drop-down menu. Then
click Submit and, from the Admin menu, select Reset Application.
- Note: Changes made to the product xml files are not persisted during a
Server upgrade. Before a Server upgrade, copy those files to a folder outside
of the wlp tree and restore the copy after the upgrade.
- Note: It is not required to activate the TLSv1.3 protocol on the connection
between the Remote Control Server and the Database Server when the server is
configured to operate in TLSv1.3 only mode. If you want to enable the TLSv1.3
protocol for this connection as well, refer to your Database vendor
documentation on how to configure the Database Server and the corresponding
JDBC driver. The JDBC driver configuration is stored in the file named
database.xml, in the same folder as ssl.xml.
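The following script is an added example for verifying the two server-side settings described above (the ssl element in ssl.xml and enforce.TLSv13.only in common.properties) after they have been edited; it is not code from the product or its documentation. It reads the files from strings so it runs offline. The <server> root element around <ssl> is an assumption about the file layout (the page shows only the ssl element), and the set of TLSv1.3 cipher suite names is the IANA list, of which the page names the first two. The sample files are constructed.

```python
"""Offline check of the Remote Control server TLSv1.3 only settings.

Added example; not part of the product or its documentation. The <server>
wrapper around <ssl> and the "key = value" syntax of common.properties are
assumptions about the file layout, not statements from the page.
"""
import re
import xml.etree.ElementTree as ET

# IANA cipher suite names defined for TLS 1.3 (the page lists the first two).
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def check_ssl_xml(xml_text, ssl_id="defaultSSLConfig"):
    """Findings for the <ssl> element; an empty list means TLSv1.3 only settings."""
    findings = []
    root = ET.fromstring(xml_text)  # XML comments (the page's hint block) are dropped
    ssl = root if root.tag == "ssl" else root.find(f".//ssl[@id='{ssl_id}']")
    if ssl is None:
        return [f'no <ssl id="{ssl_id}"> element found']
    protocols = [p.strip() for p in ssl.get("sslProtocol", "").split(",") if p.strip()]
    if not protocols:
        findings.append("sslProtocol is missing or empty")
    for proto in protocols:
        if proto != "TLSv1.3":
            findings.append(f"sslProtocol still allows {proto}")
    ciphers = ssl.get("enabledCiphers", "").split()
    if not ciphers:
        findings.append("enabledCiphers is missing or empty")
    for suite in ciphers:
        if suite not in TLS13_SUITES:
            findings.append(f"enabledCiphers contains non-TLSv1.3 suite {suite}")
    return findings


_ENFORCE = re.compile(r"^\s*enforce\.TLSv13\.only\s*[=:]\s*(\S+)", re.MULTILINE)


def check_common_properties(props_text):
    """Findings for common.properties; the page requires enforce.TLSv13.only=true."""
    m = _ENFORCE.search(props_text)
    if m is None:
        return ["enforce.TLSv13.only is not set"]
    if m.group(1).lower() != "true":
        return [f"enforce.TLSv13.only is {m.group(1)!r}, expected 'true'"]
    return []


def audit(xml_text, props_text):
    """Combined findings for both files; empty means the server is configured for TLSv1.3 only."""
    return check_ssl_xml(xml_text) + check_common_properties(props_text)


# Constructed sample: backward compatibility settings, including a TLSv1.2 suite.
SSL_XML_COMPAT = """<server>
  <ssl id="defaultSSLConfig"
       sslProtocol="TLSv1.3,TLSv1.2"
       enabledCiphers="TLS_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
  <!-- To run the server in TLS 1.3 Only mode use the following settings in the ssl section above
       sslProtocol="TLSv1.3"
       enabledCiphers="TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256" -->
</server>"""

# Constructed sample: the settings from the page's commented section applied.
SSL_XML_TLS13 = """<server>
  <ssl id="defaultSSLConfig" sslProtocol="TLSv1.3"
       enabledCiphers="TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256" />
</server>"""

if __name__ == "__main__":
    print("compat:", audit(SSL_XML_COMPAT, "enforce.TLSv13.only = false\n") or ["OK"])
    print("tls13 :", audit(SSL_XML_TLS13, "enforce.TLSv13.only = true\n") or ["OK"])
```

To check a real installation, pass the contents of ssl.xml from the folder listed above and of common.properties to `audit`; any finding names the attribute or property that still permits a pre-TLSv1.3 connection.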
- Enable TLSv1.3 Only Mode in Peer to Peer Mode
- In Peer to Peer mode, the TLSv1.3 only mode is enforced by configuring the
target.
- Once the targets are updated to version 10.1.0, you use the BigFix Console
Remote Control Target Configuration Wizard to create a configuration task
that will set the property TLSV13Only to "true".
- The Configuration dialog of the Controller shows the protocol configuration
of the Controller. When the Controller operates in Peer to Peer mode, you can
change this setting and set the protocol to TLSv1.3.