Because of known security vulnerabilities with TLS 1.0 and 1.1, TLS 1.2 is used to
initiate communication between the data collector and your devices. For devices that don't support
TLS 1.2, you can enable the data collector to initiate communication for the collection of metadata
by using TLS 1.0 or 1.1.
About this task
If you disable TLS 1.2 and use TLS 1.0 or 1.1, you might expose your organization to security risks. Instead of enabling TLS 1.0 or 1.1 with devices that don't support TLS 1.2, IBM® strongly recommends that you contact your vendor to upgrade your devices to a version that supports TLS 1.2.
Important: IBM is not responsible or liable for
any security issues that occur when you disable TLS 1.2 and enable TLS 1.0 or 1.1. You do so at your
own risk. Learn about why TLS 1.0 and TLS 1.1 are being deprecated:
Memo from Internet Engineering Task Force.
If you change the version
of TLS to a lower version, the change affects only the internal communication between your devices
that support lower-level protocols and the data collector. The outbound transmission of metadata to
IBM Storage Insights is not affected by this change.
How to confirm whether TLS 1.0 and 1.1 are enabled or disabled: Because of known security vulnerabilities, TLS 1.0 and 1.1 are disabled by default for data
collectors. However, if you're unsure if the default settings were changed, you can confirm whether
they are currently enabled or disabled. For more information, see
https://www.ibm.com/support/pages/node/6579217.
Procedure
- Log on to the server where the data collector service is installed.
- Open a command window or shell and go to the directory where you installed the data collector package.
- To stop the data collector service, choose one of the following options for your operating system:
  - Windows:
    - From the desktop, click the menu, type services.msc, and then press Enter.
    - On the Services page, right-click the service name that begins with IBM Spectrum Control Storage Insights data collector and select Stop.

    Alternatively, from the command prompt, complete these steps:
    - Click the menu and type cmd.
    - In the data collector directory, type dataCollector.bat stop, and then press Enter.
  - AIX® or Linux®: In the data collector directory, type dataCollector.sh stop, and then press Enter.
- Complete one of these actions:
  - On Windows, go to Data Collector Installation\jre\lib\security.
  - On AIX or Linux, go to Data Collector Installation/jre/lib/security.
- Create a backup copy of the java.security file. Save it with a different name so it can be more easily identified later, such as java.securitybackup_tlsdisabled.
- Open the original java.security file in an editor and remove the text TLSv1, TLSv1.1 from this line:
    jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 1024, TLSv1, TLSv1.1, EC keySize < 224, anon, NULL
- Save the file.
- Choose one of the following options for your operating system to restart the data collector service:
  - Windows:
    - From the desktop, click the menu, type services.msc, and then press Enter.
    - On the Services page, right-click the service name that begins with IBM Spectrum Control Storage Insights data collector and select Start.

    Alternatively, from the command prompt, complete these steps:
    - Click the menu and type cmd.
    - In the data collector directory, type dataCollector.bat start, and then press Enter.
  - AIX or Linux: In the data collector directory, type dataCollector.sh start, and then press Enter.
Results
The data collector can initiate communication with and collect metadata from devices that use TLS
1.0 or TLS 1.1.
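
To audit which state a data collector's java.security file is in, the following added example (not IBM's code) reports whether TLSv1 and TLSv1.1 are listed in jdk.tls.disabledAlgorithms. It matches whole entries, so TLSv1.1 is never mistaken for TLSv1, and it assumes standard Java properties syntax (comment lines, backslash line continuations, last definition wins). The script name check_tls.py and the sample strings are constructed for illustration.

```python
import sys

LEGACY = ("TLSv1", "TLSv1.1")
KEY = "jdk.tls.disabledAlgorithms"

def logical_lines(text):
    """Yield property lines with comments dropped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue  # blank line or comment outside a continued property
        if line.endswith("\\"):
            buf += line[:-1]  # property continues on the next physical line
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def disabled_entries(text):
    """Return the entries of the last jdk.tls.disabledAlgorithms definition, or None."""
    entries = None
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        if sep and name.strip() == KEY:
            # A later definition overrides an earlier one.
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries

def legacy_tls_status(text):
    """Map TLSv1 and TLSv1.1 to 'disabled' or 'enabled' by exact entry match."""
    entries = disabled_entries(text) or []
    return {p: "disabled" if p in entries else "enabled" for p in LEGACY}

# Constructed samples: the default line shown on this page, and a continued
# definition with both legacy entries removed and an old line commented out.
DEFAULT = ("jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 1024, "
           "TLSv1, TLSv1.1, EC keySize < 224, anon, NULL\n")
EDITED = ("#jdk.tls.disabledAlgorithms=TLSv1, TLSv1.1\n"
          "jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 1024, \\\n"
          "    EC keySize < 224, anon, NULL\n")

if __name__ == "__main__":
    # Usage: python check_tls.py <path to jre/lib/security/java.security>
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else DEFAULT)
    for proto, state in legacy_tls_status(text).items():
        print(f"{proto}: {state}")
```

A result of "enabled" for either protocol means the default hardening was removed on that data collector, which is worth tracking until the affected devices are upgraded to support TLS 1.2.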