Summary

With HTTPS SSL being depreciated, this article describes the configuration changes required if you wish to force TLS minimum versions 1.1 and 1.2.

Synopsis

How do I configure TLS 1.1 or 1.2 on my installation of FlexNet Manager Suite?

Discussion

FlexNet Manager Suite requires the following TLS protocol versions for communication between the FlexNet Inventory Beacons and Application Server:

• On-premises implementations: TLS versions 1.0, 1.1, 1.2
• SaaS (Cloud) implementations: TLS versions 1.1, 1.2.

Because of known vulnerabilities with TLS 1.0, it is not available for use with FlexNet Manager Suite Cloud. Windows Server 2008 SP2 and below cannot use TLS 1.2 or TLS 1.1.

If other parts of your environment still require TLS 1.0, you can design a hierarchy of Inventory Beacons to isolate older protocol communications from the Internet. For example:

• Use an Internal Inventory Beacon to integrate with internal Data sources that require TLS 1.0 (such as SCCM, Oracle VM Manager 3.2).
• Use an External Inventory Beacon to act as a proxy between the Internal Inventory Beacon and the Flexera Cloud Beacons.

The communication path then may look similar to the following:

Data source --- TLS 1.0 ---> Internal Inventory Beacon --- TLS 1.1/1.2 ---> External Inventory Beacon --- TLS 1.1/1.2 ---> Flexera Cloud Beacons

Configuration steps

For details about forcing TLS 1.1 or 1.2 on your Inventory Beacon, see the attached document. Alternatively, run the following PowerShell commands to create or set these:

Creating TLS 1.1

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '1' –PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value '0' –PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '1' –PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value '0' –PropertyType 'DWORD'

Creating TLS 1.2

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' –PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value '0' –PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' –PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value '0' –PropertyType 'DWORD'

Setting TLS 1.1

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Type DWord `
	-Value "0" -Name "DisabledByDefault"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Type DWord `
	-Value "1" -Name "Enabled"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Type DWord `
	-Value "0" -Name "DisabledByDefault"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Type DWord `
	-Value "1" -Name "Enabled"

Setting TLS 1.2

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Type DWord `
	-Value "0" -Name "DisabledByDefault"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Type DWord `
	-Value "1" -Name "Enabled"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Type DWord `
	-Value "0" -Name "DisabledByDefault"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Type DWord `
	-Value "1" -Name "Enabled"

If only .NET version 4.0 and higher is installed:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319" -Type DWord `
	-Value "1" -Name "SchUseStrongCrypto"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319" -Type DWord `
	-Value "1" -Name "SchUseStrongCrypto"

If any .NET version lower than 4.0 is also installed, then the following changes also need to be made:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" -Type DWord `
	-Value "1" -Name "SystemDefaultTlsVersions"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" -Type DWord `
	-Value "1" -Name "SystemDefaultTlsVersions"

Additional Information

Unable to inventory Oracle VM Manager (OVMM) servers due to TLS incompatibilities

Microsoft Docs:

• TLS/SSL Settings
• Transport Layer Security (TLS) registry settings

Related Documents

See the attached guide on how to perform this kb, and a .zip containing a .reg file to automatically insert the required values.