Managing the TLS version

You can disable TLS 1.0/1.1, and enable TLS 1.2 on all appliances, S-TAP agents, CAS and GIM clients.

About this task

To increase the security of the Guardium system, from Guardium release v10.1.4 the TLS 1.0/1.1 communications protocols can optionally be disabled. Disabling TLS 1.0/1.1 leaves only the TLS 1.2 protocol enabled. Communications may be less secure when using TLS 1.0/1.1.

You must disable TLS 1.0/1.1 from the central manager and/or standalone unit using the CLI. Your Guardium appliances, S-TAP agents, CAS and GIM clients must be at specific versions to enable this feature.

Disabling TLS 1.0/1.1 automatically checks that managed units and S-TAPs are at the required versions, but it cannot check CAS client versions. Customers using CAS must make sure that their CAS clients are at version 10.1.4 and that their database servers have Java 7 enabled. If this is not done, CAS connections to the database servers will no longer be visible.

Make sure all managed units have version 10.1.4 installed, and GIM clients and S-TAPs are at a minimum version of 10.1.2. Failure to meet all requirements will mean that TLS 1.0/1.1 will not be disabled.
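The version requirements above, as an added pre-flight check (example code added here, not Guardium's own code or part of the grdapi commands): the inventory layout, its field names and the sample hosts are assumptions, and treating Java 7 as a minimum rather than an exact version is also an assumption. It is most useful for the CAS clients, which the appliance cannot verify for you.

```python
# Added example: pre-flight check of the TLS 1.0/1.1 disablement requirements.
# Not Guardium code. The inventory format (list of dicts) and field names are assumptions,
# and the sample inventory below is constructed.

MIN_UNIT = (10, 1, 4)   # managed units and CAS clients must be at 10.1.4
MIN_AGENT = (10, 1, 2)  # S-TAP and GIM clients must be at least 10.1.2
MIN_JAVA = 7            # CAS needs Java 7 on the database server (assumed: 7 or later)

def parse_version(text):
    """Turn '10.1.4' into (10, 1, 4) so that '10.1.10' compares higher than '10.1.4'."""
    return tuple(int(part) for part in text.strip().split("."))

def check_component(comp):
    """Return a reason string if this component blocks disablement, else None."""
    kind = comp["type"]
    ver = parse_version(comp["version"])
    if kind == "managed_unit" and ver < MIN_UNIT:
        return f"{comp['name']}: managed unit at {comp['version']}, needs 10.1.4"
    if kind in ("stap", "gim") and ver < MIN_AGENT:
        return f"{comp['name']}: {kind} at {comp['version']}, needs 10.1.2 or later"
    if kind == "cas":
        # The appliance cannot verify CAS clients itself; this is the check the admin does by hand.
        if ver < MIN_UNIT:
            return f"{comp['name']}: CAS client at {comp['version']}, needs 10.1.4"
        if comp.get("java_major", 0) < MIN_JAVA:
            return f"{comp['name']}: CAS host lacks Java {MIN_JAVA} (found {comp.get('java_major')})"
    return None

def blockers(inventory):
    """Every component that would keep TLS 1.0/1.1 enabled, in inventory order."""
    return [r for r in (check_component(c) for c in inventory) if r]

# Constructed sample inventory (hypothetical hosts, not real systems)
SAMPLE_INVENTORY = [
    {"type": "managed_unit", "name": "agg01", "version": "10.1.4"},
    {"type": "managed_unit", "name": "mu02", "version": "10.1.3"},
    {"type": "stap", "name": "db-host-a", "version": "10.1.10"},
    {"type": "gim", "name": "db-host-b", "version": "10.1.0"},
    {"type": "cas", "name": "db-host-c", "version": "10.1.4", "java_major": 8},
    {"type": "cas", "name": "db-host-d", "version": "10.1.4", "java_major": 6},
]

if __name__ == "__main__":
    for reason in blockers(SAMPLE_INVENTORY):
        print("BLOCKED:", reason)
```

An empty result from blockers() means every listed component meets the requirements; it does not replace the appliance's own check, which still runs when you disable the protocols.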

To get information about, and to disable, TLS 1.0/1.1 on all units in a managed environment (central manager, aggregator, managed units), run the following commands on the central manager.

Procedure

  1. Access the CLI as admin.
  2. Enter the following command.
    grdapi get_secured_protocols_info
    Run this command from a central manager to propagate down to all managed units. The system outputs the enabled protocols (TLS 1.0/1.1 and TLS 1.2) and indicates if the TLS 1.0/1.1 protocols can be disabled. Error codes 1000+ indicate an issue with a component that needs to be addressed by the admin before TLS 1.0/1.1 can be disabled. Messages are displayed indicating which component(s) do not meet the requirements for disabling TLS 1.0/1.1. Warning messages are generated for managed units that are offline or unreachable. Offline units must be managed individually when they come back online.

    For more information, see get_secured_protocols_info.

  3. To disable TLS 1.0/1.1, enter:
    grdapi disable_deprecated_protocols
    Run this command from a central manager to propagate down to all managed units. This command first runs the version checks described above. If the requirements for disablement are met, this command changes the configuration settings for each service on the central manager as well as on all managed units. If the requirements for disablement are not met, the system indicates that the deprecated protocols are enabled and must be kept enabled until all managed units and/or components are upgraded.

    For more information, see disable_deprecated_protocols.

  4. For any managed unit that was offline during the disablement of deprecated protocols, Guardium users with the admin role must manually start a CLI session on the managed unit and run local_disable_deprecated_protocols to make the configuration changes.
    grdapi local_disable_deprecated_protocols
  5. To revert to TLS 1.0/1.1, run the following command:
    grdapi enable_deprecated_protocols all=true
    This GuardAPI command is a fallback that changes the configuration settings back and restarts services on the central manager and all managed units to enable the deprecated protocols. Run it with the all=true argument from a central manager to enable deprecated protocols on the central manager and all managed units. Without the all=true parameter, it enables deprecated protocols only on the appliance running the GuardAPI.

    For more information, see enable_deprecated_protocols.

  6. Guardium users with the admin role should check that communications between central managers and managed units are stable and working properly.