TLS 1.2 Protocol Support Deployment Guide for System Center 2016

This article describes how to enable Transport Layer Security (TLS) protocol version 1.2 in a Microsoft System Center 2016 environment.

To enable TLS protocol version 1.2 in your System Center environment, follow these steps:

1. Install updates from the release.
   
   Notes

   • Service Management Automation (SMA) and Service Provider Foundation (SPF) must be upgraded to their most recent update rollup because UR4 does not have any updates to these components.

   • For Service Management Automation (SMA), upgrade to Update Rollup 1, and also update the SMA management pack (MP) from this Microsoft Download Center webpage.

   • For Service Provider Foundation (SPF), upgrade to Update Rollup 2.

   • System Center Virtual Machine Manager (SCVMM) should be upgraded to at least Update Rollup 3.

2. Make sure that the setup is as functional as it was before you applied the updates. For example, check whether you can start the console.
3. Change the configuration settings to enable TLS 1.2.
4. Make sure that all required SQL Server services are running.

Install updates

¹ System Center Operations Manager (SCOM)
² System Center Virtual Machine Manager (SCVMM)
³ System Center Data Protection Manager (SCDPM)
⁴ System Center Orchestrator (SCO)
⁵ Service Management Automation (SMA)
⁶ Service Provider Foundation (SPF)
⁷ Service Manager (SM)

Change configuration settings

.NET Framework 

Make sure that the .NET Framework 4.6 is installed on all System Center components. To do this, follow these instructions.

TLS 1.2 support

Install the required SQL Server update that supports TLS 1.2. To do this, see the following article in the Microsoft Knowledge Base:

3135244 TLS 1.2 support for Microsoft SQL Server

Required System Center 2016 updates

SQL Server 2012 Native client 11.0 should be installed on all the following System Center components.

To download and install Microsoft SQL Server 2012 Native Client 11.0, see this Microsoft Download Center webpage.

To download and install Microsoft OLE DB Driver 18, see this Microsoft Download Center webpage.

For System Center Operations Manager and Service Manager, you must have ODBC 11.0 or ODBC 13.0 installed on all management servers.

Install the required System Center 2016 updates from the following Knowledge Base article:

4043305 Description of Update Rollup 4 for Microsoft System Center 2016
 

Note Make sure that you expand the file contents and install the MSP file on the corresponding role.

SHA1 and SHA2 certificates

System Center components now generate both SHA1 and SHA2 self-signed certificates. This is required to enable TLS 1.2. If CA-signed certificates are used, make sure that the certificates are either SHA1 or SHA2.

Use one of the following methods to configure Windows to use only the TLS 1.2 protocol.

Method 1: Manually modify the registry

Important
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

Use the following steps to enable/disable all SCHANNEL protocols system-wide. We recommend that you enable the TLS 1.2 protocol for incoming communications; and enable the TLS 1.2, TLS 1.1, and TLS 1.0 protocols for all outgoing communications.

Note Making these registry changes does not affect the use of Kerberos or NTLM protocols.

1. Start Registry Editor. To do this, right-click Start, type regedit in the Run box, and then click OK.
2. Locate the following registry subkey:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
3. Right-click the Protocol key, point to New, and then click Key.
   
   
4. Type SSL 3, and then press Enter.
5. Repeat steps 3 and 4 to create keys for TLS 0, TLS 1.1, and TLS 1.2. These keys resemble directories.
6. Create a Client key and a Server key under each of the SSL 3, TLS 1.0, TLS 1.1, and TLS 1.2 keys.
7. To enable a protocol, create the DWORD value under each Client and Server key as follows:
   DisabledByDefault [Value = 0]
   Enabled [Value = 1]
   
   To disable a protocol, change the DWORD value under each Client and Server key as follows:
   DisabledByDefault [Value = 1]
   Enabled [Value = 0]
8. On the File menu, click Exit.

Method 2: Automatically modify the registry

Run the following Windows PowerShell script in Administrator mode to automatically configure Windows to use only the TLS 1.2 Protocol:

$ProtocolList       = @("SSL 2.0","SSL 3.0","TLS 1.0", "TLS 1.1", "TLS 1.2")
$ProtocolSubKeyList = @("Client", "Server")
$DisabledByDefault = "DisabledByDefault"
$Enabled = "Enabled"
$registryPath = "HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"

foreach($Protocol in $ProtocolList)
{
    Write-Host " In 1st For loop"
	foreach($key in $ProtocolSubKeyList)
	{		
		$currentRegPath = $registryPath + $Protocol + "\" + $key
		Write-Host " Current Registry Path $currentRegPath"
		
		if(!(Test-Path $currentRegPath))
		{
		    Write-Host "creating the registry"
			New-Item -Path $currentRegPath -Force | out-Null			
		}
		if($Protocol -eq "TLS 1.2")
		{
		    Write-Host "Working for TLS 1.2"
			New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
			New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
		
		}
		else
		{
		    Write-Host "Working for other protocol"
			New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "1" -PropertyType DWORD -Force | Out-Null
			New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "0" -PropertyType DWORD -Force | Out-Null
		}	
	}
}

Exit 0

Set System Center to use only the TLS 1.2 protocol. To do this, first make sure that all prerequisites are met. Then, make the following settings on System Center components and all other servers on which agents are installed.

Use one of the following methods.

Method 1: Manually modify the registry

Important
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

To enable the installation to support the TLS 1.2 protocol, follow these steps:

1. Start Registry Editor. To do this, right-click Start, type regedit in the Run box, and then click OK.
2. Locate the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
3. Create the following DWORD value under this key:
   SchUseStrongCrypto [Value = 1]
4. Locate the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
5. Create the following DWORD value under this key:
   SchUseStrongCrypto [Value = 1]
6. Restart the system.

Method 2: Automatically modify the registry

Run the following Windows PowerShell script in Administrator mode to automatically configure System Center to use only the TLS 1.2 Protocol:

# Tighten up the .NET Framework
$NetRegistryPath = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value "1" -PropertyType DWORD -Force | Out-Null

$NetRegistryPath = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value "1" -PropertyType DWORD -Force | Out-Null

Operations Manager

Management Packs

Import the management packs for System Center 2016 Operations Manager. These are located in the following directory after you install the server update:

\Program Files\Microsoft System Center 2016\Operations Manager\Server\Management Packs for Update Rollups

ACS settings

For Audit Collection Services (ACS), you must make additional changes in the registry. ACS uses the DSN to make connections to the database. You must update DSN settings to make them functional for TLS 1.2.

1. Locate the following subkey for ODBC in the registry.
   
   Note The default name of DSN is OpsMgrAC.
   
   
2. In ODBC Data Sources subkey, select the entry for the DSN name, OpsMgrAC. This contains the name of ODBC driver to be used for the database connection. If you have ODBC 11.0 installed, change this name to ODBC Driver 11 for SQL Server. Or, if you have ODBC 13.0 installed, change this name to ODBC Driver 13 for SQL Server.
   
   
3. In the OpsMgrAC subkey, update the Driver entry for the ODBS version that is installed.
   
   
    
   • If ODBC 11.0 is installed, change the Driver entry to %WINDIR%\system32\msodbcsql11.dll.
   • If ODBC 13.0 is installed, change the Driver entry to %WINDIR%\system32\msodbcsql13.dll.
   • Alternatively, create and save the following .reg file in Notepad or another text editor. To run the saved .reg file, double-click the file.
     
     For ODBC 11.0, create the following ODBC 11.0.reg file:
      

     [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources]
     "OpsMgrAC"="ODBC Driver 11 for SQL Server"
     
     [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\OpsMgrAC]
     
     [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\OpsMgrAC]
     "Driver"="%WINDIR%\\system32\\msodbcsql11.dll"

     
     
     For ODBC 13.0, create the following ODBC 13.0.reg file:
      

     [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources]
     "OpsMgrAC"="ODBC Driver 13 for SQL Server"
     
     [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\OpsMgrAC]
     
     [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\OpsMgrAC]
     "Driver"="%WINDIR%\\system32\\msodbcsql13.dll"

TLS hardening in Linux

Follow the instructions on the appropriate website to configure TLS 1.2 on your Red Hat or Apache environment.

Data Protection Manager

To enable Data Protection Manager to work together with TLS 1.2 to back up to the cloud, enable these steps on the Data Protection Manager server.

Orchestrator

After the Orchestrator updates are installed, reconfigure the Orchestrator database by using the existing database according to these guidelines.