Transport Layer Security (TLS) 1.1 & 1.2 Configuration
Summary
With SSL being deprecated for HTTPS, this article describes the configuration changes required if you wish to force a minimum TLS version of 1.1 or 1.2.
Synopsis
How do I configure TLS 1.1 or 1.2 on my installation of FlexNet Manager Suite?
Discussion
FlexNet Manager Suite requires the following TLS protocol versions for communication between the FlexNet Inventory Beacons and Application Server:
- On-premises implementations: TLS versions 1.0, 1.1, 1.2
- SaaS (Cloud) implementations: TLS versions 1.1, 1.2.
Because of known vulnerabilities with TLS 1.0, it is not available for use with FlexNet Manager Suite Cloud. Windows Server 2008 SP2 and below cannot use TLS 1.2 or TLS 1.1.
If other parts of your environment still require TLS 1.0, you can design a hierarchy of Inventory Beacons to isolate older protocol communications from the Internet. For example:
- Use an Internal Inventory Beacon to integrate with internal data sources that require TLS 1.0 (such as SCCM, Oracle VM Manager 3.2).
- Use an External Inventory Beacon to act as a proxy between the Internal Inventory Beacon and the Flexera Cloud Beacons.
The communication path then may look similar to the following:
Data source --- TLS 1.0 ---> Internal Inventory Beacon --- TLS 1.1/1.2 ---> External Inventory Beacon --- TLS 1.1/1.2 ---> Flexera Cloud Beacons
Configuration steps
For details about forcing TLS 1.1 or 1.2 on your Inventory Beacon, see the attached document. Alternatively, run the following PowerShell commands to create or set the required registry values:
Creating TLS 1.1
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '1' -PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value '0' -PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '1' -PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value '0' -PropertyType 'DWORD'
Creating TLS 1.2
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value '0' -PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value '0' -PropertyType 'DWORD'
Setting TLS 1.1
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Type DWord `
    -Value "0" -Name "DisabledByDefault"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Type DWord `
    -Value "1" -Name "Enabled"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Type DWord `
    -Value "0" -Name "DisabledByDefault"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Type DWord `
    -Value "1" -Name "Enabled"
Setting TLS 1.2
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Type DWord `
    -Value "0" -Name "DisabledByDefault"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Type DWord `
    -Value "1" -Name "Enabled"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Type DWord `
    -Value "0" -Name "DisabledByDefault"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Type DWord `
    -Value "1" -Name "Enabled"
If only .NET version 4.0 and higher is installed:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319" -Type DWord `
    -Value "1" -Name "SchUseStrongCrypto"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319" -Type DWord `
    -Value "1" -Name "SchUseStrongCrypto"
If any .NET version lower than 4.0 is also installed, then the following changes also need to be made:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" -Type DWord `
    -Value "1" -Name "SystemDefaultTlsVersions"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" -Type DWord `
    -Value "1" -Name "SystemDefaultTlsVersions"
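A read-only check of the registry values set by the commands above, added here as an example and not part of Flexera's article or its attached guide. The variable names and report columns are illustrative assumptions.

```powershell
# Added example: read-only audit of the registry values this article sets.
# Nothing is written. Requires PowerShell 3.0 or later ([pscustomobject]).
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Build the list of (key, value name, expected data) taken from the article.
$checks = @()
foreach ($proto in 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        $key = "$schannel\$proto\$role"
        $checks += @{ Path = $key; Name = 'Enabled';           Expected = 1 }
        $checks += @{ Path = $key; Name = 'DisabledByDefault'; Expected = 0 }
    }
}
foreach ($root in 'HKLM:\SOFTWARE\Microsoft', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft') {
    $checks += @{ Path = "$root\.NETFramework\v4.0.30319"; Name = 'SchUseStrongCrypto'; Expected = 1 }
    # Only expected when a .NET version lower than 4.0 is also installed.
    $checks += @{ Path = "$root\.NETFramework\v2.0.50727"; Name = 'SystemDefaultTlsVersions'; Expected = 1 }
}

$report = foreach ($c in $checks) {
    $name = $c.Name
    # Get-ItemProperty returns nothing when the key or the value is missing.
    $item = Get-ItemProperty -Path $c.Path -Name $name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.$name } else { $null }
    [pscustomobject]@{
        Key      = $c.Path
        Value    = $name
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Expected = $c.Expected
        Ok       = ($actual -eq $c.Expected)   # $null never equals 0 or 1
    }
}

$report | Format-Table -AutoSize -Wrap
$failed = @($report | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} value(s) differ from the article's settings." -f $failed.Count)
}
```

The check covers only the values set above; it does not inspect the TLS 1.0 keys, which these commands leave untouched.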
Additional Information
Unable to inventory Oracle VM Manager (OVMM) servers due to TLS incompatibilities
Microsoft Docs:
Related Documents
See the attached guide for how to perform the steps in this KB article, and the attached .zip containing a .reg file that automatically inserts the required values.