14.4 Securing ZENworks 2020 Update 2 by Disabling Older Security Protocols

To ensure the secure use of ZENworks, from the ZENworks 2020 Update 2 release onwards, ZENworks will only support the latest version of TLS (TLSv1.2).

  • For a new installation: Only TLSv1.2 is supported, by default. Hence, users need to ensure that the devices in the zone support TLSv1.2. To enable support for the devices, see Securing Managed Devices.

  • For an upgraded zone: As there might be older devices in the zone that do not support TLSv1.2, the previously supported protocols are retained. After upgrading the devices to the latest version of Windows, the administrator can disable the previously supported protocols by using the relevant configure actions. As a best practice, it is recommended to first disable the older protocols on the devices, then on the Satellite Servers, and finally on the Primary Servers. This order ensures that the communication between the devices and the servers is not broken. To enable TLSv1.2 support on older devices, you need to either upgrade the device to the latest OS version or apply the required hot fixes and configure the required registry keys.

14.4.1 Identifying the Supported Protocols

To identify the supported protocols in the zone, perform the following steps:

  1. Run the following query in the database: select * from zopaquedata where name='zenps.allowed.tlsversions';

  2. (Conditional) If the TLSv1.2 entry is present in the database, locate the server.xml file on the Primary Servers and confirm that the file includes the following value: sslEnabledProtocols="TLSv1.2":

    • On Windows Primary Servers: %ZENSERVER_HOME%\services\zenserver\conf

    • On Linux Primary Servers: /opt/microfocus/zenworks/share/tomcat/conf

    If the query does not return any value, it indicates that the zone supports the traditional set of protocols (TLSv1, TLSv1.1, TLSv1.2, SSLv2Hello) and any new Primary Server installed in the zone will support the same protocols.
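The following Python script is an added example (not part of the Micro Focus documentation and not ZENworks code) that performs the server.xml check from step 2 programmatically. It assumes, as Tomcat defines it, that sslEnabledProtocols is an attribute of the <Connector> element, and it treats a TLS-enabled connector that lacks the attribute as carrying the traditional protocol set described above. The embedded server.xml and its port numbers are constructed for illustration.

```python
"""Report which TLS protocols a Primary Server's server.xml still enables.

Added example, not Micro Focus code. Reads the Tomcat server.xml that
section 14.4.1 tells you to inspect and lists, per connector, every
protocol other than TLSv1.2 that is still enabled.
"""
import xml.etree.ElementTree as ET

# The only protocol a hardened ZENworks 2020 Update 2 zone should accept.
TARGET_PROTOCOLS = {"TLSv1.2"}
# The traditional set 14.4.1 describes for zones that never ran the configure actions.
TRADITIONAL_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2", "SSLv2Hello"]


def connector_protocols(server_xml_text):
    """Return {port: [protocols]} for every TLS connector in server.xml.

    A connector with SSLEnabled="true" but no sslEnabledProtocols attribute is
    reported with the traditional set (assumption: Tomcat then falls back to
    its defaults, which is the situation 14.4.1 describes). Plain HTTP
    connectors are skipped.
    """
    root = ET.fromstring(server_xml_text)
    result = {}
    for conn in root.iter("Connector"):
        raw = conn.get("sslEnabledProtocols")
        if raw is not None:
            protos = [p.strip() for p in raw.split(",") if p.strip()]
        elif conn.get("SSLEnabled", "").lower() == "true":
            protos = list(TRADITIONAL_PROTOCOLS)
        else:
            continue
        result[conn.get("port")] = protos
    return result


def legacy_protocols(server_xml_text):
    """Return {port: [legacy protocols]} for connectors that accept anything
    other than TLSv1.2. An empty dict means the server is hardened."""
    findings = {}
    for port, protos in connector_protocols(server_xml_text).items():
        extra = [p for p in protos if p not in TARGET_PROTOCOLS]
        if extra:
            findings[port] = extra
    return findings


# Constructed sample: a plain HTTP connector, one hardened TLS connector and
# one TLS connector that still carries the traditional set.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" sslEnabledProtocols="TLSv1.2"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    findings = legacy_protocols(SAMPLE_SERVER_XML)
    if not findings:
        print("only TLSv1.2 is enabled on every TLS connector")
    for port, extra in findings.items():
        print(f"port {port}: still enables {', '.join(extra)}")
```

To run it against a real server, replace SAMPLE_SERVER_XML with the contents of server.xml from the conf directory listed above; the zone is consistent only when the script reports nothing on every Primary Server and the database query returns the TLSv1.2 entry.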

14.4.2 Securing Managed Devices

To secure the communication between Windows devices and the ZENworks Primary Servers, you need to enable support for TLSv1.2 on the Windows devices:

Enabling TLSv1.2 on Windows 7 SP1 Devices

To enable support for the TLSv1.2 protocol on Windows 7 SP1 devices:

  1. Apply the Microsoft Hotfix based on the system architecture.

  2. Install the Microsoft Dot Net version 4.7+.

  3. Add the following registry keys to force the agent to communicate over ‘TLSv1.2’.

    For 32-bit devices:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001

    For 64-bit devices:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001

    NOTE: With these registry key changes, the operating system will communicate only over TLSv1.2 and will restrict communication through the older protocols. This might cause some applications that do not use TLSv1.2 for communication to stop working properly.
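The following Python script is an added example (not Micro Focus code) that audits a registry export against the keys listed in step 3, so an administrator can confirm the settings are in place on a device before the older protocols are disabled on the Satellite and Primary Servers. It assumes the export was produced with reg export and only understands the [key] and dword lines that step 3 uses; the embedded export is constructed and deliberately leaves two settings missing or wrong.

```python
"""Audit a Windows .reg export for the TLSv1.2 settings required in 14.4.2.

Added example, not Micro Focus code. It checks exactly the keys and values
listed for Windows 7 SP1 devices, for either the 32-bit or the 64-bit list.
"""
import re

# Value names and expected data shared by every .NETFramework key in step 3.
NET_VALUES = {"SystemDefaultTlsVersions": 1, "SchUseStrongCrypto": 1}
SCHANNEL_CLIENT = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                   r"\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client")


def required_settings(is_64bit):
    """Build {registry key: {value name: expected dword}} for one architecture."""
    base = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework"
    req = {
        base + r"\v2.0.50727": dict(NET_VALUES),
        base + r"\v4.0.30319": dict(NET_VALUES),
        SCHANNEL_CLIENT: {"DisabledByDefault": 0, "Enabled": 1},
    }
    if is_64bit:
        # 64-bit devices also need the WOW6432Node view for 32-bit .NET code.
        wow = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework"
        req[wow + r"\v2.0.50727"] = dict(NET_VALUES)
        req[wow + r"\v4.0.30319"] = dict(NET_VALUES)
    return req


_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Parse the .reg subset used here ([key] headers, dword values).

    Returns {key: {value name: int}}. Keys and value names are lower-cased
    because the registry compares both case-insensitively.
    """
    parsed, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_m = _KEY_RE.match(line)
        if key_m:
            current = key_m.group(1).lower()
            parsed.setdefault(current, {})
            continue
        val_m = _DWORD_RE.match(line)
        if val_m and current is not None:
            parsed[current][val_m.group(1).lower()] = int(val_m.group(2), 16)
    return parsed


def audit(reg_text, is_64bit):
    """Return [(key, value name, found)] for every required setting that is
    absent (found is None) or has the wrong data. Empty list means compliant."""
    parsed = parse_reg(reg_text)
    problems = []
    for key, values in required_settings(is_64bit).items():
        present = parsed.get(key.lower(), {})
        for name, expected in values.items():
            found = present.get(name.lower())
            if found != expected:
                problems.append((key, name, found))
    return problems


# Constructed export from a 64-bit device: the SCHANNEL key lacks
# DisabledByDefault and the WOW6432Node v4 key has SchUseStrongCrypto=0.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000000
"""

if __name__ == "__main__":
    for key, name, found in audit(SAMPLE_EXPORT, is_64bit=True):
        print(f"{key}\\{name}: expected set, found {found!r}")
```

reg export writes UTF-16 text, so read a real export with open(path, encoding="utf-16") before passing it to audit(); the is_64bit flag selects the 32-bit or the 64-bit list from step 3.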

Enabling TLSv1.2 on Windows 8 or higher devices

To enable TLSv1.2 on Windows 8 or higher devices, you need to install Microsoft .NET version 4.7 or later.

14.4.3 Securing Satellite Servers

To ensure that only TLSv1.2 is supported on Satellite Servers, perform the following steps:

  • On Windows: In the registry under HKLM\Software\Novell\ZCM, create a key named ZenJettyServer.ExcludedProtocols and specify the values as TLSv1, TLSv1.1. After creating the registry key, stop the Novell ZENworks Jetty Server service, run the zac ref command, and then restart the service.

  • On Linux: In the xplatzmd.properties file, add ExcludedProtocols=TLSv1,TLSv1.1 and restart the agent service.

    NOTE: Specify the value as TLSv1, not TLSv1.0. Otherwise it might not work on Linux or in Java-based programs.
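The following Python script is an added example (not Micro Focus code) that validates the ExcludedProtocols line of a Linux Satellite Server's xplatzmd.properties before the agent service is restarted. It assumes xplatzmd.properties is a plain Java-style key=value file and that the names must be the standard JSSE protocol names, which is why the NOTE above insists on TLSv1 rather than TLSv1.0; the property snippets embedded in it are constructed.

```python
"""Validate ExcludedProtocols in xplatzmd.properties (section 14.4.3).

Added example, not Micro Focus code. It catches the two ways the setting
fails in practice: a protocol name the Java runtime does not recognise
(the TLSv1.0 case from the NOTE) and a list that leaves TLSv1 or TLSv1.1
allowed.
"""

# Standard JSSE protocol names; anything else is silently ignored or rejected
# by Java, which is why "TLSv1.0" does not disable TLS 1.0.
JSSE_PROTOCOL_NAMES = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Both must be excluded for a Satellite Server to accept only TLSv1.2.
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}
# Common mis-spellings and the JSSE name to use instead.
ALIASES = {"TLSv1.0": "TLSv1", "TLS1.0": "TLSv1", "TLS1.1": "TLSv1.1", "TLS1.2": "TLSv1.2"}


def parse_properties(text):
    """Minimal Java properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_excluded_protocols(properties_text):
    """Return (status, detail) where status is one of:
    'hardened'   - TLSv1 and TLSv1.1 are both excluded using valid names
    'invalid'    - a name Java will not recognise is present (e.g. TLSv1.0)
    'incomplete' - ExcludedProtocols is missing or leaves a legacy version allowed
    """
    props = parse_properties(properties_text)
    raw = props.get("ExcludedProtocols")
    if raw is None:
        return "incomplete", "ExcludedProtocols not set"
    names = [n.strip() for n in raw.split(",") if n.strip()]
    bad = {n: ALIASES.get(n) for n in names if n not in JSSE_PROTOCOL_NAMES}
    if bad:
        hints = ", ".join(f"{n} (use {fix})" if fix else n for n, fix in bad.items())
        return "invalid", f"unrecognised protocol name(s): {hints}"
    missing = sorted(LEGACY_PROTOCOLS - set(names))
    if missing:
        return "incomplete", "still allowed: " + ", ".join(missing)
    return "hardened", "excluded: " + ", ".join(names)


# Constructed xplatzmd.properties fragments.
GOOD = "# hardened satellite\nExcludedProtocols=TLSv1,TLSv1.1\n"
WRONG_NAME = "ExcludedProtocols=TLSv1.0,TLSv1.1\n"
PARTIAL = "ExcludedProtocols=TLSv1\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("wrong name", WRONG_NAME), ("partial", PARTIAL)):
        status, detail = check_excluded_protocols(text)
        print(f"{label}: {status} ({detail})")
```

Run it on the real file with check_excluded_protocols(open("/path/to/xplatzmd.properties").read()) and only restart the agent service once the status is hardened; an invalid result means the NOTE's TLSv1.0 mistake (or a similar one) is present and the older protocol would stay enabled after the restart.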

14.4.4 Securing Primary Servers

To drop support for older SSL/TLS protocols, you need to run two configure actions. They persist the setting in the database, so any new Primary Server added to the zone inherits it. To make TLSv1.2 the only protocol on upgraded ZENworks 2020 Update 2 Primary Servers, perform the following steps:

  1. Run the SetTLSVersionConfigureAction configure action on any one Primary Server in the zone. For example, microfocus-zenworks-configure -c SetTLSVersionConfigureAction.

  2. Run the UpdateTLSVersionConfigureAction configure action on all the Primary Servers in the zone. After running the configure action, restart the ZENworks server services. For example, microfocus-zenworks-configure -c UpdateTLSVersionConfigureAction.

    This configure action will modify the attribute sslEnabledProtocols in the server.xml with the value ‘TLSv1.2’.

  3. Restart the Microfocus ZENworks Server service:

    • On Linux: systemctl restart microfocus-zenserver.service

    • On Windows: Restart the 'Micro Focus ZENworks Server' service from the Services manager

The SetTLSVersionConfigureAction updates the database with the TLSv1.2 version and the UpdateTLSVersionConfigureAction updates the file system. Restart ZENworks server services after running the configure action. After running the SetTLSVersionConfigureAction action on the first Primary Server, when a new Primary Server is added, by default, it will support the protocols that are supported by the first Primary Server, which in this case will be TLSv1.2.

Enabling the Older Security Protocol on Primary Servers

To enable the older security protocol on Primary Servers, perform the following steps:

  1. On Primary Servers, run microfocus-zenworks-configure -c SetTLSVersionConfigureAction -Dallowed.tls.versions="<tls_versions>"

    Example: microfocus-zenworks-configure -c SetTLSVersionConfigureAction -Dallowed.tls.versions="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"

    In the above example, the TLSv1, TLSv1.1, TLSv1.2 and SSLv2Hello protocols are enabled.

  2. Run UpdateTLSVersionConfigureAction on all the Primary Servers.

    This updates the sslEnabledProtocols attribute in the server.xml file on the Primary Servers with the value 'TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello'.

  3. Restart server and loader services on all the Primary Servers.