The document you refer to mainly replaces the old HTTPS connector line in server.xml with a new one, primarily replacing the old CBC ciphers with new ones.
But is this documented anywhere officially? Somehow I have found nothing on the web.
I suspect there are quite a bunch of (updated!) IMC servers out there which are still accepting TLS 1.1/1.0 and may go unnoticed (which is another issue and a different story). But to me this replacement should have been item 5) on that list in the release note, as shown in the following paragraph, which Marina is also quoting from:
Features released in IMC PLAT 7.3 (E0705P02)
Supports disabling TLS 1.0.
Added support of the TLS 1.1 and TLS 1.2 protocol for the MS SQL server database.
In order to configure the IMC environment to use TLS 1.2, perform the following steps after applying patch 7.3E0705P02:
1) Ensure your MS SQL version supports TLS 1.2 and it's patched, following https://support.microsoft.com/en-sg/help/3135244/tls-1-2-support-for-microsoft-sql-server.
2) On all IMC and database servers, install the OLE DB patch available from https://www.microsoft.com/en-us/download/details.aspx?id=56730.
3) Disable both TLS 1.0 and TLS 1.1 in the registry, following https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat.
4) Add usetls=true at the top of server/conf/qvdm.conf file.
Maybe the change should be placed into an upcoming release note with a warning, as this is an important pending change in server.xml files:
The actual change, for others to read:
From:
<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
    clientAuth="false" compressableMimeType="text/html,text/xml,text/xhtml,text/css,text/javascript,text/plain"
    compression="on" compressionMinSize="2048" connectionTimeout="60000" disableUploadTimeout="true" enableLookups="false"
    keystoreFile="security/newks" keystorePass="iMCV500R001" maxHttpHeaderSize="8192" maxPostSize="5242880"
    maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata"
    port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS"/>
To:
<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA"
    clientAuth="false" compressableMimeType="text/html,text/xml,text/xhtml,text/css,text/javascript,text/plain,application/javascript,application/xml"
    compression="on" compressionMinSize="2048" connectionTimeout="30000" disableUploadTimeout="true" enableLookups="false"
    keystoreFile="security/newks" keystorePass="iMCV500R001" maxHttpHeaderSize="8192" maxPostSize="5242880"
    maxSpareThreads="75" maxThreads="300" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata"
    port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" server="Server" sslProtocol="TLSv1.2"/>
In fact I had TLSv1.2 already set, but with the old ciphers. We had 1.2 connections, I am pretty sure, but the old TLS versions were also offered.
Now it is TLS 1.2 only, with the new algorithms.
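To make the before/after difference above checkable rather than eyeballed, here is an added example (not code from the thread or from HPE) that audits a Tomcat Connector element for the settings this thread turns on: sslProtocol, sslEnabledProtocols, and CBC versus AEAD cipher suites. The two connector strings are constructed samples shortened from the lines above, and the audit assumes JSSE-style cipher names as used there, not OpenSSL cipher strings.

```python
"""Audit a Tomcat <Connector> for legacy TLS settings (added example)."""
import xml.etree.ElementTree as ET

# Constructed samples: the iMC 'From' and 'To' connectors, cut down to the
# attributes this audit looks at.
OLD_CONNECTOR = (
    '<Connector SSLEnabled="true" port="8443" sslProtocol="TLS" '
    'ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"/>'
)
NEW_CONNECTOR = (
    '<Connector SSLEnabled="true" port="8443" sslProtocol="TLSv1.2" '
    'sslEnabledProtocols="TLSv1.2" '
    'ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,'
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>'
)

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20")   # anything else is CBC/RC4/3DES


def audit_connector(xml_text):
    """Return a list of findings for one Connector element; [] means clean."""
    el = ET.fromstring(xml_text)
    findings = []
    if el.get("SSLEnabled", "false").lower() != "true":
        return findings                      # plain HTTP connector, nothing to check
    proto = el.get("sslProtocol", "TLS")
    if proto != "TLSv1.2":
        findings.append("sslProtocol=%s (expected TLSv1.2)" % proto)
    # sslProtocol only selects the JSSE SSLContext algorithm; the versions
    # actually offered to clients come from sslEnabledProtocols, or from the
    # JVM default when that attribute is absent, so both are inspected.
    enabled = el.get("sslEnabledProtocols")
    if enabled is None:
        findings.append("sslEnabledProtocols unset: JVM default decides offered versions")
    else:
        old = sorted(p.strip() for p in enabled.split(",") if p.strip() in LEGACY_PROTOCOLS)
        if old:
            findings.append("legacy protocols enabled: " + ",".join(old))
    ciphers = [c.strip() for c in el.get("ciphers", "").split(",") if c.strip()]
    for c in ciphers:
        if not any(m in c for m in AEAD_MARKERS):
            findings.append("non-AEAD (CBC) cipher: " + c)
        if c.startswith("TLS_RSA_"):          # static RSA key exchange, no forward secrecy
            findings.append("no forward secrecy (static RSA): " + c)
    return findings


if __name__ == "__main__":
    for name, xml in (("old", OLD_CONNECTOR), ("new", NEW_CONNECTOR)):
        print(name, audit_connector(xml) or "clean")
```

The audit reads the file, not the socket, so it complements rather than replaces the openssl s_client probe described later in this thread, which shows what the running server actually offers.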
Original Message:
Sent: Feb 02, 2024 02:26 AM
From: vasilyotov
Subject: iMC disable TLS 1.0/1.1 not working
Hello Holger,
please find below a document on how to reconfigure IMC to use TLS 1.2 for HTTPS:
https://hp.file.force.com/sfc/servlet.shepherd/version/download/068Kh00000NsdtWIAR?asInline=true
Regards,
Vasil
Original Message:
Sent: Jan 31, 2024 09:48 AM
From: HZ55
Subject: iMC disable TLS 1.0/1.1 not working
Hi Marina,
this thread still seems unanswered to me.
In fact I was just discovering that our IMC server also shows this symptom.
I am referring in particular to the WebGUI port 8443.
The release note paragraph seems to be addressing the DB server side of things primarily. I did check that we are also good on that side. And the registry entries disable the service providers for TLS 1.1 and older. Our server's port 445 reacts correctly though.
I did make the check using
/usr/bin/openssl s_client -connect 10.1.2.3:8443 -servername 10.1.2.3 -tls1
and was not denied.
In fact we have another server in the office which is on the same level re Windows and the IMC settings I am aware of, which does not show the symptom. It is not on 7.03 E0710H02 like ours but on 7.03 E0708P03, so maybe something happened since then.
Of course there can be something completely independent.
Any known open cases?
regards,
Holger
Original Message:
Sent: Aug 08, 2022 09:03 AM
From: Milenkova
Subject: iMC disable TLS 1.0/1.1 not working
Hello Stuart,
iMC added support for disabling TLS 1.0 and 1.1 since iMC version E0705P02.
I see the following instructions in release notes:
Added support of the TLS 1.1 and TLS 1.2 protocol for the MS SQL server database. In order to configure the IMC environment to use TLS 1.2, perform the following steps after applying patch 7.3E0705P02:
1) Ensure your MS SQL version supports TLS 1.2 and it's patched, following https://support.microsoft.com/en-sg/help/3135244/tls-1-2-support-for-microsoft-sql-server.
2) On all IMC and database servers, install the OLE DB patch available from https://www.microsoft.com/en-us/download/details.aspx?id=56730.
3) Disable both TLS 1.0 and TLS 1.1 in the registry, following https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat.
4) Add usetls=true at the top of server/conf/qvdm.conf file.
Have you done point 2 as well - installing the OLE DB patch?
Since you are using a local DB there is no need to configure the DB server.
Kind regards,
------------------------------
Marina
HPE
Sofia
Original Message:
Sent: Aug 03, 2022 11:04 AM
From: Stuart Rowe
Subject: iMC disable TLS 1.0/1.1 not working
Hello,
We are trying to secure our installation of iMC 706. Nessus is flagging our install as still having TLS 1.0 and 1.1 enabled. We have followed the information here (Support Center), yet it doesn't seem to have affected the Nessus results.
1) Server 2019 and SQL express, both fully updated
2) iMC Plat 7.3 version E0706
3) TLS 1.0 and 1.1 disabled in registry
4) qvdm.conf has the "usetls = true" added
5) HTTPS access only, no HTTP
Is there something I'm missing regarding disabling TLS 1.0/1.1 for IMC?