ZENworks Orchestrator 1.3 uses Transport Layer Security (TLS) to provide encryption for both user and agent connections. By default, both the Orchestrator Agent and the Orchestrator Clients use TLS to initiate their connections to the Orchestrator Server, and then the server specifies whether to “fall back” to plain text or continue the session fully encrypted.
Although you can manually configure the agent and clients to either always require TLS encryption or to fully disable TLS encryption, we recommend that you leave the agents and clients in their default configuration, and then use the Orchestrator Console on the server to specify the default behavior. This is the purpose of the TLS Options section on the main server tab of the Orchestrator Console.
Figure 3-1 TLS Options in the Orchestrator Console
Here, there are 4 levels that you can set separately for both agent connections and user/client connections:
Forbid TLS for (agents/clients): This option fully disables and prohibits TLS encryption. This is the least secure option and is therefore usually not the desirable choice, but it could be required in countries that restrict encryption or in low-security environments where performance is more critical than security.
Allow TLS on the (agents/clients); default to falling back to unencrypted: This option (the factory default for both agents and clients) allows TLS encryption if the agent or client explicitly requests it, but defaults to falling back to plain text after authentication.
NOTE: Authentication always occurs over SSL, regardless of settings.
Allow TLS on the (agents/clients); default to TLS encrypted if not configured encrypted: This option is similar to the second option. Agents/clients may specify whether or not to use TLS, but if they use the default of “server specified,” the server defaults to using TLS.
Make TLS mandatory on the (agents/clients): This option is the most secure, locked-down option. It requires TLS at all times, and fails connections if the agent or the client tries to specify plain text.
In addition to these settings for TLS configuration, there are files that need to be protected on both the server and on the client/agent. For more information, search for the TLS Certificate Installation On ZENworks Orchestrator article at the Novell Cool Solutions Community.