Original Message:
Sent: Tue October 03, 2023 08:27 AM
From: Igor P. Merkù
Subject: How to disable TLS 1.0/1.1 - or force TLS 1.2 use - implications?
After clicking on "Add Custom Settings" a Dialog comes up. There is a drop down list ... but can't find the items
_BESRelay_HTTPServer_SSLPrivateKeyFilePath
_BESRelay_HTTPServer_SSLCertificateFilePath
Do you mean I can write those parameter names into the dialog myself? Is that what doc means with "do not create a second one" and "if it does not exist, add it"? So, can I add a parameter that is not listed in the drop down?
4. Look for _BESRelay_HTTPServer_SSLPrivateKeyFilePath setting. If it exists, do not create a second one, but edit its value to the full path name of the private key (.pvk file which contains the private key for the server). The private key must not have a password. If it does not exist, add it.
I am afraid to touch anything to break the system (although I could put the VM into snapshot...)
Thanks, Igor
------------------------------
Igor P. Merkù
Original Message:
Sent: Tue October 03, 2023 07:58 AM
From: Oktawian Powązka
Subject: How to disable TLS 1.0/1.1 - or force TLS 1.2 use - implications?
Hi Igor,
To be honest, I am not sure which drop-down list you have in mind...
After you click 'Add' you have to add a new Custom Setting (name/value).
------------------------------
Thank you,
Oktawian
Oktawian Powązka, L3 Support
IBM License Metric Tool
Original Message:
Sent: Tue October 03, 2023 05:57 AM
From: Igor P. Merkù
Subject: How to disable TLS 1.0/1.1 - or force TLS 1.2 use - implications?
Hello Oktawian,
I have to come back to this question now that I have gathered more insight.
Browsing through the HCL/BigFix documentation I came across this page
https://help.hcltechsw.com/bigfix/9.2/platform/Platform/Config/c_restapi_https_registry_set.html
In my BigFix environment, when opening "Edit Settings for Computer" ILMTSRV2, which is in my case server for both ILMT and BigFix, I cannot find any setup for
_BESRelay_HTTPServer_SSLPrivateKeyFilePath
_BESRelay_HTTPServer_SSLCertificateFilePath
When I go into Add, there is no such option in the drop down list.
What is my installation missing?
Thanks, Igor
------------------------------
Igor P. Merkù
Original Message:
Sent: Thu September 28, 2023 05:12 AM
From: Oktawian Powązka
Subject: How to disable TLS 1.0/1.1 - or force TLS 1.2 use - implications?
Indeed...
I think that the BigFix team has changed this default '_WebReports_HTTPServer_PortNumber' somewhere along the way...
So, depending on WebReports version you will encounter one of those two.
------------------------------
Thank you,
Oktawian
Oktawian Powązka, L3 Support
IBM License Metric Tool
Original Message:
Sent: Thu September 28, 2023 03:24 AM
From: Igor P. Merkù
Subject: How to disable TLS 1.0/1.1 - or force TLS 1.2 use - implications?
Oh, I see, thanks a lot Oktawian.
As for the document mentioned by Michael, the only thing that differs between the doc and what you, Oktawian, wrote previously is the port used by
_WebReports_HTTPServer_PortNumber
where the doc says 443 and you wrote 8083. Do I leave it at 8083?
In my configuration I have 8083. All other mentioned parameters are set as in the doc.
Thanks, Igor
------------------------------
Igor P. Merkù
Original Message:
Sent: Wed September 27, 2023 02:21 PM
From: Oktawian Powązka
Subject: How to disable TLS 1.0/1.1 - or force TLS 1.2 use - implications?
'Endpoint Manager console' is 'BigFix Console'...
basically 'Endpoint Manager' means BigFix
------------------------------
Thank you,
Oktawian
Oktawian Powązka, L3 Support
IBM License Metric Tool
Original Message:
Sent: Wed September 27, 2023 09:06 AM
From: Igor P. Merkù
Subject: How to disable TLS 1.0/1.1 - or force TLS 1.2 use - implications?
Hello Michael,
"Endpoint Manager Console" - not familiar with it, don't recall ever using it.
As a recap: we have BigFix for ILMT exclusively, no other BigFix functionality licensed (nor implemented, of course).
So, maybe this configuration step is beyond the scope of my question. I guess, I will leave it with what is now configured.
Many thanks, thanks a lot, Igor
------------------------------
Igor P. Merkù
Original Message:
Sent: Wed September 27, 2023 02:53 AM
From: Michael Köster
Subject: How to disable TLS 1.0/1.1 - or force TLS 1.2 use - implications?
Hi Igor,
have you checked the Computer Setting _WebReports_HTTPServer_RequireTLS12 via the BigFix Console? See the documentation:
https://help.hcltechsw.com/bigfix/9.2/platform/Platform/Web_Reports/c_web_reports_https_registry_set.html
Regards, Michael
------------------------------
Michael Koester
IBM License Management Consultant
ARS Computer und Consulting GmbH
Munich, Germany
+49 89 32468 0
Original Message:
Sent: Tue September 26, 2023 05:43 AM
From: Igor P. Merkù
Subject: How to disable TLS 1.0/1.1 - or force TLS 1.2 use - implications?
Hello Oktawian,
thanks for your help.
I have activated Enhanced Security, and the security scan still shows 8083 with TLS 1.0 and 1.1 active; the others are not detected any more.
So, as you said, since ILMT needs 8083 and that is internal communication (BigFix and ILMT on the same server), that should not be an issue - or can I force TLS 1.2 on that port somehow (or shouldn't I)?
Thanks a lot for your help, very much appreciated.
Kind regards, Igor
------------------------------
Igor P. Merkù
Original Message:
Sent: Tue September 26, 2023 05:00 AM
From: Oktawian Powązka
Subject: How to disable TLS 1.0/1.1 - or force TLS 1.2 use - implications?
Hello Igor,
Following is the document describing BigFix/ILMT services/ports :
https://www.ibm.com/docs/en/license-metric-tool?topic=ir-network-port-requirements
Your assumption is correct, those are BigFix ports.
8080/8083 : WebReports (required by ILMT infrastructure),
52311 : BigFix Server (required by ILMT infrastructure),
52315 : BigFix WebUI (not required by ILMT infrastructure)
If that BigFix environment is only used for ILMT, I'd suggest removing the BigFix WebUI component.
That way you will exclude at least one component from the equation...
I don't think that port 8080 (used by WebReports) is an issue here, as it's solely used for HTTP communication.
Thus, no TLS handshake can be established on that port...
You could enable Enhanced Security to force TLS 1.2 only (disable TLSv1.0 and TLSv1.1) :
https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Installation/c_security_settings.html
------------------------------
Thank you,
Oktawian
Oktawian Powązka, L3 Support
IBM License Metric Tool
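The scanner finding is a protocol-level observation: it sends a ClientHello that offers TLS 1.0 (or 1.1) and records whether the server answers with a ServerHello at that version or with an alert. After enabling Enhanced Security or _WebReports_HTTPServer_RequireTLS12, the same observation is the right way to confirm the change took effect on each exposed port, independently of the scanner's schedule. The following probe is an added example written for this thread; it is not code from HCL, IBM or the original posters. It assumes the host name "ilmtsrv2" and the ports 8083, 52311 and 52315 from the scan output above, and it only reads the first record the server sends back, so no certificate handling is needed.

```python
"""Probe which TLS protocol versions a port will negotiate (added example)."""
import os
import socket
import struct

# TLS protocol versions as (major, minor) on the wire.
VERSIONS = {"TLS1.0": (3, 1), "TLS1.1": (3, 2), "TLS1.2": (3, 3)}

# Cipher suites any TLS 1.0-1.2 server of that era knows, so a refusal can be
# attributed to the version offered and not to the suites offered.
CIPHER_SUITES = [
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0xC013,  # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    0xC014,  # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    0x003C,  # TLS_RSA_WITH_AES_128_CBC_SHA256 (TLS 1.2 only)
    0x009C,  # TLS_RSA_WITH_AES_128_GCM_SHA256 (TLS 1.2 only)
]


def build_client_hello(version, server_name=None):
    """Return one TLS record carrying a ClientHello that offers exactly `version`."""
    major, minor = VERSIONS[version]
    body = bytes([major, minor])                      # client_version
    body += os.urandom(32)                            # random
    body += b"\x00"                                   # session_id: empty
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body += struct.pack("!H", len(suites)) + suites   # cipher_suites
    body += b"\x01\x00"                               # compression_methods: null only
    if server_name:                                   # optional SNI extension
        host = server_name.encode()
        name_list = b"\x00" + struct.pack("!H", len(host)) + host
        sni_body = struct.pack("!H", len(name_list)) + name_list
        ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data, offered):
    """Interpret the first record a server sends back after our ClientHello."""
    if len(data) < 6:
        return "no-reply"
    if data[0] == 0x15:                               # Alert record
        desc = data[6] if len(data) > 6 else None
        reason = {40: "handshake_failure", 70: "protocol_version"}.get(desc, f"alert {desc}")
        return f"rejected ({reason})"
    if data[0] == 0x16 and data[5] == 0x02:           # Handshake record, ServerHello
        negotiated = tuple(data[9:11])                # server_version follows the 4-byte header
        name = next((n for n, w in VERSIONS.items() if w == negotiated), str(negotiated))
        return f"accepted ({name})" if name == offered else f"accepted at lower version ({name})"
    return "unexpected"


def probe(host, port, version, timeout=5.0):
    """Connect, send a single ClientHello for `version`, classify the reply."""
    sni = None if host.replace(".", "").isdigit() else host   # no SNI for IP literals
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version, sni))
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data, version)


def scan(host, ports):
    """{port: {version: verdict}} for every port/version combination."""
    return {p: {v: probe(host, p, v) for v in VERSIONS} for p in ports}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ilmtsrv2"   # assumed host name
    for port, verdicts in scan(target, (8083, 52311, 52315)).items():
        print(port, verdicts)
```

Run it from a different machine than the server so it sees what the scanner sees. Once TLS 1.2-only is in force, the expected picture is "rejected (protocol_version)" for TLS1.0 and TLS1.1 on every exposed port and "accepted (TLS1.2)" for TLS1.2; a port that still reports "accepted (TLS1.0)" is the one the scanner will keep flagging, and the process owning it (see the netstat/tasklist mapping in the thread) tells you which component's setting is still missing.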
Original Message:
Sent: Tue September 26, 2023 04:12 AM
From: Igor P. Merkù
Subject: How to disable TLS 1.0/1.1 - or force TLS 1.2 use - implications?
Hello Oktawian,
thanks a lot for your reply. I have commented out those three lines and restarted; everything seems to work normally.
From the little I understand of Windows Server, I found this:
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 1636
TCP 0.0.0.0:8083 0.0.0.0:0 LISTENING 1636
TCP 0.0.0.0:52311 0.0.0.0:0 LISTENING 1572
TCP 0.0.0.0:52315 0.0.0.0:0 LISTENING 1572
BESRootServer.exe 1572 Services 0 36.552 K
BESWebReportsServer.exe 1636 Services 0 97.084 K
Looks like it is not ILMT listening on those ports, but BigFix, am I correct? I would assume that the vulnerability scanner just does not know better and associates all those ports with ILMT, making no distinction between BigFix and ILMT.
What I don't understand is whether we need BigFix listening on ports 8083 and 52315 ... I guess there is some document describing the overall structure of BigFix/ILMT and services/ports, right? I will search for that to understand better.
After an additional vulnerability scan I still receive the suggestion to disable TLS 1.0 and 1.1.
Where can you direct me to look for this?
Thanks a lot, Igor
------------------------------
Igor P. Merkù
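The netstat and tasklist excerpts above answer the "who owns this port" question by hand: the PID in the last netstat column is looked up in tasklist. A scanner reports findings per host and port, so this mapping is what tells you which component (BESWebReportsServer.exe, BESRootServer.exe, or something else) has to be reconfigured for a given finding. The following script is an added example for this thread, not code from the original posters or from IBM/HCL; it parses the two command outputs offline and also separates listeners bound to all interfaces from loopback-only ones, since only the former are reachable by a network scanner. The sample text is constructed to mirror the lines in the post above, with one extra hypothetical loopback-only listener (java.exe on 127.0.0.1:9081) added purely to exercise the filter.

```python
"""Map listening TCP ports to their owning process (added example)."""
import re

# Constructed sample of `netstat -ano` output, modelled on the post above.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1636
  TCP    0.0.0.0:8083           0.0.0.0:0              LISTENING       1636
  TCP    0.0.0.0:52311          0.0.0.0:0              LISTENING       1572
  TCP    0.0.0.0:52315          0.0.0.0:0              LISTENING       1572
  TCP    127.0.0.1:9081         0.0.0.0:0              LISTENING       2210
  TCP    [::]:8083              [::]:0                 LISTENING       1636
  TCP    10.0.0.5:52311         10.0.0.77:49201        ESTABLISHED     1572
"""

# Constructed sample of `tasklist` output (the java.exe line is hypothetical).
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
BESRootServer.exe             1572 Services                   0     36.552 K
BESWebReportsServer.exe       1636 Services                   0     97.084 K
java.exe                      2210 Services                   0    812.104 K
"""

# Only LISTENING sockets matter; established connections are not scan targets.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.M)
TASK_RE = re.compile(r"^(\S+\.exe)\s+(\d+)\s", re.I)


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist` output."""
    pids = {}
    for line in text.splitlines():
        m = TASK_RE.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids


def parse_listeners(text):
    """Return [(bind address, port, pid)] for every TCP LISTENING socket."""
    out = []
    for addr, pid in LISTEN_RE.findall(text):
        host, _, port = addr.rpartition(":")   # handles both 0.0.0.0:8083 and [::]:8083
        out.append((host, int(port), int(pid)))
    return out


def is_loopback(bind):
    """True for addresses only reachable from the host itself."""
    return bind == "[::1]" or bind.startswith("127.")


def listeners_by_port(netstat_text, tasklist_text):
    """Return {port: {"pid": int, "image": str, "binds": [addr, ...]}}."""
    images = parse_tasklist(tasklist_text)
    table = {}
    for host, port, pid in parse_listeners(netstat_text):
        entry = table.setdefault(port, {"pid": pid, "image": images.get(pid, "?"), "binds": []})
        entry["binds"].append(host)
    return table


def exposed_ports(netstat_text, tasklist_text):
    """Sorted ports bound to a non-loopback address, i.e. what a scanner can reach."""
    table = listeners_by_port(netstat_text, tasklist_text)
    return sorted(p for p, e in table.items() if any(not is_loopback(b) for b in e["binds"]))


if __name__ == "__main__":
    table = listeners_by_port(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for port in exposed_ports(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        e = table[port]
        print(f"{port:>6}  pid {e['pid']:<6} {e['image']:<26} binds {', '.join(e['binds'])}")
```

On a real host, feed it the captured output of `netstat -ano` and `tasklist` instead of the constructed samples. In the sample, every scanner-visible port belongs to a BES*.exe process, which is the point Igor arrives at: the TLS settings to change are BigFix's, not ILMT's.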
Original Message:
Sent: Mon September 25, 2023 10:04 AM
From: Oktawian Powązka
Subject: How to disable TLS 1.0/1.1 - or force TLS 1.2 use - implications?
Hello Igor,
Actually there is no need to modify anything in ILMT config files at all.
The ILMT server from around 9.2.26 always uses TLSv1.2.
By default, TLS 1.0/1.1 connections (inbound and outbound) are rejected by the ILMT server.
Of the TCP ports listed above, ILMT is using only one: 52311,
and that connection is always made by means of TLSv1.2.
You can remove those three properties from jvm.options file altogether.
Those are obsolete properties not used anymore...
------------------------------
Thank you,
Oktawian
Oktawian Powązka, L3 Support
IBM License Metric Tool
Original Message:
Sent: Mon September 25, 2023 08:37 AM
From: Igor P. Merkù
Subject: How to disable TLS 1.0/1.1 - or force TLS 1.2 use - implications?
Hi there,
I am trying to find documentation on TLS configuration in LMT (9.2.33.0 with BigFix) on Windows.
As security scanning listed TLS 1.0/1.1 as deprecated, we are considering disabling those options.
TLS Version 1.0 and 1.1 Protocol Deprecated
52311 / tcp / www ilmtsrv2
52315 / tcp / www ilmtsrv2
8083 / tcp / www ilmtsrv2
I found this in the jvm.options file:
-Dcom.ibm.jsse2.overrideDefaultTLS=true
-Dcom.unboundid.util.SSLUtil.defaultSSLProtocol=TLSV1.2
-Dcom.unboundid.util.SSLUtil.enabledSSLProtocols=TLSV1.2
So, is this something I have to set/modify in ILMT config files (to exclude TLS 1.0/1.1) or BigFix (or both)?
Thanks for pointing me to the correct official documentation.
Cheers, Igor
------------------------------
Igor P. Merkù
------------------------------