enable_latest_tls

Enable the most recent version of TLS (TLS 1.3) by disabling TLS 1.2 on either the current system or on all associated managed units.

Transport Layer Security (TLS) 1.3 provides a faster and more secure encryption protocol. Your Guardium central manager appliance must be at version 12.0 or later. TLS 1.3 is automatically enabled with Guardium 12.0 and later. You can choose to disable TLS 1.2 after your central manager, all associated managed units, Software TAP (S-TAP®) agents, and the Guardium® Installation Manager (GIM) clients are at version 12.0 or later.

Note: Be very careful about forcing Guardium to disable TLS 1.2 if your configuration includes managed units that are not at Guardium 12.0. In addition, not all add-ons and features support TLS 1.3. For more information, see Managing the TLS version.
Note: In version 12.1 and prior, you can enable FIPS mode after you disable TLS 1.3 by using one of the following two methods. You must reboot your server after you use either method.
  • Run the fipsmode API. Guardium suggests that you set restart = 1 to automatically restart your system.
  • Run the store system fipsmode CLI command and then manually restart your system.
Tip: This API takes a few minutes to run.

This API is available in Guardium v12.0 and later.

GuardAPI syntax

enable_latest_tls parameter=value

Parameters

Parameter | Value type | Description

all | Boolean | Required. For a central manager, select whether to disable TLS 1.2 on all associated managed units. Valid values:
  • 0 (false) - Disable TLS 1.2 on this machine only.
  • 1 (true) - Disable TLS 1.2 on this machine and associated managed units.

Default = 0 (false)

force | Boolean | Specify whether to disable TLS 1.2 when appliance, GIM, or S-TAP versions are incompatible between the central manager and any managed units. Valid values:
  • 0 (false) - Do not disable TLS 1.2 if versions are incompatible.
  • 1 (true) - Disable TLS 1.2 even if versions are incompatible.

Default = 0 (false)

api_target_host | String | Specifies the target hosts where the API executes. Valid values:
  • all_managed: execute on all managed units but not the central manager
  • all: execute on all managed units and the central manager
  • group:<group name>: execute on all managed units identified by <group name>
  • host name or IP address of a managed unit: specified from the central manager to execute on a managed unit. For example, api_target_host=10.0.1.123.
  • host name or IP address of the central manager: specified from a managed unit to execute on the central manager. For example, api_target_host=10.0.1.123.

IP addresses must conform to the IP mode of your network. For dual IP mode, use the same IP protocol with which the managed unit is registered with the central manager. For example, if the registration uses IPv6, specify an IPv6 address. The hostname is independent of IP mode and can be used with any mode.
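
A pre-flight check for the warning above about disabling TLS 1.2 while some units cannot use TLS 1.3, as an added example that is not part of the Guardium documentation or product: it probes each endpoint you list with handshakes pinned to TLS 1.3 and to TLS 1.2 and reports which ones do not complete a TLS 1.3 handshake. The function names and the `host:port` argument format are assumptions; supply the ports your units actually listen on.

```python
import socket
import ssl
import sys

def accepts(host, port, version, timeout=5.0):
    """True if host:port completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Protocol probe only: no data is sent, so the certificate is not validated
    # (appliance certificates are frequently self-signed).
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # includes ssl.SSLError, refusals and timeouts
        return False

def parse_target(text):
    """Split 'host:port' or '[ipv6]:port' (assumed argument format)."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), int(port)

def audit(targets, probe=accepts):
    """Classify each (host, port) by the TLS versions it accepts."""
    report = {}
    for host, port in targets:
        t13 = probe(host, port, ssl.TLSVersion.TLSv1_3)
        t12 = probe(host, port, ssl.TLSVersion.TLSv1_2)
        report[(host, port)] = {
            (True, True): "ready",        # negotiates 1.3, still offers 1.2
            (True, False): "tls13-only",  # TLS 1.2 already disabled
            (False, True): "tls12-only",  # no TLS 1.3: breaks once 1.2 is disabled
            (False, False): "unreachable",
        }[(t13, t12)]
    return report

def blockers(report):
    """Endpoints to resolve before running enable_latest_tls."""
    return sorted(t for t, s in report.items() if s in ("tls12-only", "unreachable"))

if __name__ == "__main__":
    result = audit([parse_target(a) for a in sys.argv[1:]])
    for (host, port), state in sorted(result.items()):
        print(f"{host}:{port}\t{state}")
    sys.exit(1 if blockers(result) else 0)
```

A non-zero exit status means at least one listed endpoint is `tls12-only` or `unreachable`; resolve those before running the API rather than setting force=1.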