14.16 Disabling Weak Ciphers

If the zone contains managed devices running on Windows 7 or Windows Server 2012, then weak and vulnerable ciphers will be enabled on the ZENworks Primary Servers to communicate with such devices. By registering managed devices running on an operating system that requires weak and vulnerable ciphers to communicate with ZENworks Servers, the strong security provided by default is reduced and the system is exposed to increased security risks. In such a case, customers assume all associated security risks and will hold Open Text harmless for the same.

To view the list of devices that require weak and vulnerable ciphers to be enabled on the ZENworks Primary Servers, navigate to ZCC > Devices and search for operating systems using the filters. In the search panel, click the Operating System drop-down list, choose windows7 (all variants, including SP1) and win2012 (all variants, including R2).

You cannot deploy the ZENworks Agent on Windows 7 or Windows Server 2012 devices after updating the zone. To ensure that these devices are supported in the backward compatibility mode, back up the Agent deployment packages. In ZCC, navigate to Home > Download ZENworks Tools > ZENworks Agent > Agent Packages and download the necessary Windows standalone packages. For more information, see Manually Deploying the Agent on Windows.

NOTE: Weak ciphers being enabled in the zone does not block the system update. However, it is recommended that you perform the following procedure to disable weak ciphers after updating to ZENworks 23.4.

After you have deleted or retired managed devices running on Windows 7 or Windows Server 2012 from the zone, you can disable the weak ciphers and revert to the default security by executing the following steps on all the Primary Servers in the zone:

  1. Run microfocus-zenworks-configure -c SettingsConfigureAction -Dtype=Ciphers -Dadd=auto

  2. Restart the ZENworks Client Management and ZENworks API Gateway services.

NOTE:

  • If the zone contains managed devices running on Windows 7 or Windows Server 2012 when the above configure action is run, weak ciphers will not be removed.

  • If the zone contains managed devices running on Windows 7 or Windows Server 2012, the weak ciphers will be automatically re-enabled during subsequent System Updates.

To confirm that the weak ciphers are disabled, run the following steps on a Primary Server:

  1. Run microfocus-zenworks-configure -c SettingsConfigureAction -Dtype=Ciphers -Ddisplay. The enabled ciphers are displayed.

  2. Ensure none of the following weak ciphers are in the list displayed:

    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

If the weak ciphers are not disabled after running the configure action, contact Open Text support.
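The comparison in step 2 of the confirmation procedure can be scripted so that it is repeatable across all Primary Servers. The following is an added example, not part of the ZENworks documentation or tooling; the function name find_weak_ciphers is hypothetical, and it assumes the -Ddisplay output contains cipher suite names as plain text separated by whitespace or punctuation (the exact output layout is not shown on this page).

```shell
#!/bin/sh
# Added example (not vendor code): scan "-Ddisplay" output for the ciphers
# listed in step 2. Assumption: cipher names appear as plain text tokens.

# The ten cipher names from step 2, one per line.
WEAK_CIPHERS="TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"

# Reads the display output on stdin and prints each listed cipher that is
# present, one per line, sorted and de-duplicated.
# Exit status: 0 = none of the listed ciphers found, 1 = at least one found.
find_weak_ciphers() {
    # Break the input into tokens of letters, digits and underscores, then
    # keep only tokens that equal a listed name exactly (-F fixed strings,
    # -x whole line), so similarly named suites do not match by substring.
    found=$(LC_ALL=C tr -c 'A-Za-z0-9_' '\n' \
        | grep -Fx -e "$WEAK_CIPHERS" \
        | LC_ALL=C sort -u)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Usage, after sourcing this file on a Primary Server:
#   microfocus-zenworks-configure -c SettingsConfigureAction \
#       -Dtype=Ciphers -Ddisplay | find_weak_ciphers
```

A non-zero exit status with names printed means the server still has at least one of the listed ciphers enabled.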