TLS 1.2 Update

Definitions

The following terms, used throughout this document, are defined here:

Term | Definition
TLS | The Transport Layer Security (TLS) protocol is an industry standard designed to help protect the privacy of information communicated over the Internet. TLS 1.2 is a standard that provides security improvements over previous versions. TLS provides enhanced security by encrypting data sent over the internet.
SummitAI Proxy Server | For more details about the SummitAI Proxy Server, refer to the page Viewing Proxy Server Details.
SummitAI Asset Agent | For more details about the SummitAI Asset Agent, refer to the page SAM Agent (Asset Management) Version History 1.
How to check whether the Summit Asset Agent is running | For details on how to verify whether the Summit Asset Agent is running, refer to the page Agent Online Status Report.

Preface and Audience

Overview

From Denali SP3 (Tentative Release Schedule: December 2020) onwards, SummitAI Asset Agents will be released bound by default to TLS version 1.2 or higher. This feature will also be made available to recent major predecessor versions, to accommodate larger user communities with less transition effort.

Why are we making this change?

This change is in recognition of security best practices. It has also been mandated by the PCI Security Council, and product manufacturers such as Microsoft have stopped supporting older versions of TLS from June 2020.

You may have heard of these vulnerabilities by some of their better-known names such as Heartbleed, Poodle, Freak and Beast. These vulnerabilities concern the weak encryption of sensitive data transmission over the internet, which may allow unauthorized parties to view the data. All versions of SSL, and versions of TLS before TLS 1.2 have been explicitly identified as no longer being a strong form of encryption because they are vulnerable to many known attacks.

This change is not limited to the SummitAI product suite; it is a mandatory technology transition for every software vendor to protect against these security vulnerabilities. If you or your customers are using an insecure or unsupported browser or API client, you will find that secure websites will soon stop working for it. Summit would be happy to answer any queries you may have related to this change.

Please reach out to your SummitAI account managers if you have any concerns.

Further Reading & Resources
https://www.ssllabs.com/ssltest/clients.html
https://www.howsmyssl.com/

Target Audience

This document is intended for engineers and IT system administrators who are familiar with the SummitAI ITAM product suite and the underlying infrastructure.

Getting Started


SUMMIT recommends starting the TLS 1.2 upgrade activity with the least impacted Proxy server, or with the smallest number of end points, before rolling it out to the larger environment.

TLS 1.2 Agent Upgrade Prerequisites

Ensure that the following pre-requisites are met before upgrading SummitAI Asset Agents to the latest TLS version 1.2:

For SummitAI Application Versions 5.6 till Denali SP3:

Platform | Supported Versions
End-Point Operating System and .NET Framework Version | Windows 7 SP1 and above with Microsoft .NET Framework > 4.0
Server Operating System | Windows 2008 R2 and above with Microsoft .NET Framework > 4.0
Agent Version for Auto Upgrade | 2.0.1.X and above
Agent Versions requiring manual upgrade | Older than 2.0.1.x
Agent Version to be deployed | 2.3.5.15


For SummitAI Application Versions Denali SP3 HF01 and Later:

Platform | Supported Versions
End-Point Operating System and .NET Framework Version | Windows 7 SP1 and above with Microsoft .NET Framework > 2.0
Server Operating System | Windows 2008 R2 and above with Microsoft .NET Framework > 2.0
Agent Version for Auto Upgrade | 2.0.1.X and above
Agent Versions requiring manual upgrade | Older than 2.0.1.x
Agent Version to be deployed | 2.5.5.19
Microsoft Patches to be deployed on end points | KB3154520 for Windows Server 2012 R2; KB3154519 for Windows Server 2012; KB3154518 for Windows Server 2008 R2; KB3154517 for Windows Server 2008 SP2; KB3154518 for Windows 7 Service Pack 1

Upgrade Process

The following flowchart depicts how to perform TLS 1.2 upgrade:

Figure: Flowchart of Upgrade Process

Prerequisites 

Ensure that the following pre-requisites are met, before proceeding:

  • Check the Product Definitions and the standard functionality assumptions.
  • Check the Compatibility Matrix.
  • Capture the current "Contacted" and "Non-Contacted" agent counts from the Agent Online Status Report (Admin->Reports->Asset Management->Agent Online Status Report). This tells you how many agents are expected to be upgraded to the newer version.
  • Download the TLS 1.2 agent kit that matches your main SummitAI release.
  • Download IISCrypto (https://www.nartac.com/Downloads/IISCrypto/IISCrypto.exe) or an equivalent tool for enforcing the TLS 1.2 protocol suite at OS level.

Steps in Detail

To upgrade TLS 1.2 perform the following steps (applicable if you are using SUMMIT Release v5.6 to DENALI SP3):

  1. Perform the Proxy configurations for Agent Upgrade and activate the auto update feature.

    Figure: Enabling SAM Agent Auto Update

  2. Check the agent version upgrade information (Admin->Reports->Asset Management->Agent Online Status Report)

    Figure: Checking Agent Versions

  3. Apply the version filters in the above report and capture the appropriate status of the upgrade activity.

    Figure: Applying Version Filter

  4. Once all the agents are shown with the latest version, on the proxy server use the IISCrypto tool (refer to the Prerequisites for the download link) to disable the TLS 1.0/1.1 protocol suites and enforce TLS 1.2.

    Important Note

    To disable TLS 1.0/1.1 and enable TLS 1.2 using the TLS registry settings, refer to this link.

    1. Disable TLS 1.0/1.1 from Server Protocols and Client Protocols as shown in the following figure.

      Figure: Disabling TLS1.0/1.1

    2. Enable TLS 1.2 protocol and select Reboot. Click Apply to enforce the usage of TLS 1.2 protocol.

      Figure: Enabling TLS1.2 and Rebooting Application
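After step 4 (and equally after step 6 of the DENALI SP3 HF01 procedure later in this document), the proxy server's actual behaviour should be confirmed rather than assumed. The following PowerShell check is an added example and not part of SummitAI's tooling; it opens one handshake per TLS version against a server whose name and port are placeholders for your own proxy server.

```powershell
# Added example (not SummitAI tooling): report which TLS versions a server accepts.
# Run from a Windows machine with .NET 4.5 or later; replace the placeholder host with your proxy server.
$TargetHost = 'summit-proxy.example.internal'   # placeholder, not a real server name
$Port       = 443

# Accept any server certificate here: the purpose is to test the protocol, not the certificate chain.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $cert, $chain, $errors) $true }

$protocols = [ordered]@{
    'TLS 1.0' = [System.Security.Authentication.SslProtocols]::Tls
    'TLS 1.1' = [System.Security.Authentication.SslProtocols]::Tls11
    'TLS 1.2' = [System.Security.Authentication.SslProtocols]::Tls12
}

foreach ($entry in $protocols.GetEnumerator()) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        # Offer exactly one protocol version; the handshake fails if the server has it disabled.
        $ssl.AuthenticateAsClient($TargetHost, $null, $entry.Value, $false)
        '{0}: ACCEPTED (cipher {1}, {2}-bit)' -f $entry.Key, $ssl.CipherAlgorithm, $ssl.CipherStrength
        $ssl.Dispose()
    } catch {
        '{0}: rejected ({1})' -f $entry.Key, $_.Exception.GetBaseException().Message
    } finally {
        $client.Dispose()
    }
}
```

Once step 4 has taken effect and the server has been rebooted, TLS 1.0 and TLS 1.1 should be reported as rejected and only TLS 1.2 as accepted; an accepted TLS 1.0 or 1.1 line means the registry change has not been applied on that side.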

After DENALI SP3 HF01 Upgrade

The agents released with this version are compliant with TLS 1.2 or higher by default. The underlying technology framework of the agents is provisioned to work independently of the .NET Framework and operating system libraries, and is designed to use REST API libraries for its overall functionality. This enables the agent to work with any of the current TLS 1.0/1.1/1.2 versions or with future versions.

When should you take this route?

  1. You already have a plan to upgrade the SummitAI product to the latest release.
  2. There is an organizational or infrastructure challenge in rolling out TLS 1.2 supported Microsoft .NET libraries to all the reporting agents.
  3. The infrastructure contains both legacy and latest desktop/server operating systems. (Refer to the Supported Desktop Operating System and Supported Server Operating System sections.)

Key Notes or Impacts

  • The latest agents carry the hotfixes plus the TLS 1.2 (or higher) compliant features.
  • If you are running a multi-Proxy environment, we strongly recommend starting this activity only after successful migration of the first proxy server.
  • No major impact on agent functionality.
  • The underlying agent stack is unchanged, except that TLS 1.2 support is activated.
  • NOT recommended if you are not sure that .NET Framework 4.0.x or higher is available on all the reporting agents.

Prerequisites

Ensure that the following pre-requisites are met, before proceeding:

  • Check the Product Definitions and the standard functionality assumptions.
  • Check the Compatibility Matrix.
  • Capture the current "Contacted" and "Non-Contacted" agent counts from the Agent Online Status Report (Admin->Reports->Asset Management->Agent Online Status Report). This tells you how many agents are expected to be upgraded to the newer version.
  • Download the TLS 1.2 agent kit that matches your main SummitAI release.
  • Download IISCrypto (https://www.nartac.com/Downloads/IISCrypto/IISCrypto.exe) or an equivalent tool for enforcing the TLS 1.2 protocol suite at OS level.

Steps in Detail

To upgrade TLS 1.2 perform the following steps (applicable if you are using DENALI SP3 HF01 or later):

  1. Download the latest agent kit (HF release) in the version compatible with your main SummitAI release.
  2. Upgrade the Proxy application component.

    Important Note

    This will NOT disrupt the existing agent reporting functionality. It requires a SummitAI Proxy service restart and may not require a server restart.

  3. Perform the Proxy configurations for Agent Upgrade and activate the auto Update feature.

    Figure: Enabling SAM Agent Auto Update

  4. Check the agent version upgrade information (Admin->Reports->Asset Management->Agent Online Status Report).

    Figure: Checking Agent Version

  5. Apply the version filters in the above report and capture the appropriate status of the upgrade activity.

    Figure: Applying Version Filter

  6. Once all the agents are shown with the latest version, on the proxy server use the IISCrypto tool (refer to the Prerequisites for the download link) to disable the TLS 1.0/1.1 protocol suites and enforce TLS 1.2.

    To disable TLS 1.0/1.1 and enable TLS 1.2 using the TLS registry settings, refer to this link.

    1. Disable TLS 1.0/1.1 from Server Protocols and Client Protocols as shown in the following figure.

      Figure: Disabling TLS1.0/1.1

    2. Enable TLS 1.2 protocol and select Reboot. Click Apply to enforce the usage of TLS 1.2 protocol.

      Figure: Enabling TLS1.2 and Rebooting Application
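IISCrypto in step 6 above (step 4 of the v5.6 to DENALI SP3 procedure) writes the Schannel protocol settings to the registry; the following PowerShell script is an added example of the same change made directly, not SummitAI's own tooling, and it also sets the SchUseStrongCrypto value described in Important Note 4 of the Appendix. It assumes it is run elevated on the proxy server and that the server is rebooted afterwards, as the IISCrypto step requires.

```powershell
# Added example (not SummitAI tooling): disable TLS 1.0/1.1, enable TLS 1.2 for the Schannel
# Server and Client sides, and make .NET 4.x applications use strong crypto by default.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-TlsProtocol {
    param([string]$Name, [bool]$Enable)
    $protoKey = Join-Path $schannel $Name
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $protoKey $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 with DisabledByDefault=1 switches the protocol off; the inverse switches it on.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

Set-TlsProtocol -Name 'TLS 1.0' -Enable $false
Set-TlsProtocol -Name 'TLS 1.1' -Enable $false
Set-TlsProtocol -Name 'TLS 1.2' -Enable $true

# Important Note 4: SchUseStrongCrypto=1 in both keys lets .NET 4.0 to 4.5.2 applications use TLS 1.2 by default.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (-not (Test-Path $net)) { New-Item -Path $net -Force | Out-Null }
    New-ItemProperty -Path $net -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Read the values back so the change can be checked before the reboot that makes it effective.
foreach ($name in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Server', 'Client') {
        $p = Get-ItemProperty -Path (Join-Path (Join-Path $schannel $name) $side)
        '{0} {1}: Enabled={2} DisabledByDefault={3}' -f $name, $side, $p.Enabled, $p.DisabledByDefault
    }
}
```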

Functionality Assumptions

Frequently Asked Questions (FAQs)

Question: What happens if I continue to use the current version of the agent?
Answer:
  • SummitAI Agents will continue to work as expected.
  • Agents and Proxy will not be TLS 1.2 compliant.

Question: Currently I am on ALPS SP1 HF 01; should I upgrade immediately?
Answer: Yes, you can plan for the upgrade of the agent to the TLS 1.2 compliant agent.

Question: Is this applicable to on-cloud and on-premises customers?
Answer: Yes, it is applicable to both on-cloud and on-premise hosted customers.

Question: Will my functionality be impacted because of this TLS 1.2 agent upgrade, today or after the Denali SP3 release?
Answer: No, we do not expect any impact on agent functionality.

Question: What happens if I have a combination of unsupported operating systems, such as Windows Server 2008 or lower or Windows XP or lower, in my infrastructure estate?
Answer: We DO NOT recommend an immediate transition to TLS 1.2 agents until the operating systems are transitioned to Windows 7 SP1 or above and Windows Server 2008 R2 or above.

Question: What does SummitAI recommend for the TLS upgrade?
Answer: If there is a business emergency and all the stated prerequisites are met, you can plan for the transition immediately.

Question: We will upgrade now for TLS 1.2 compliance as an immediate requirement; what happens to my future agent upgrades?
Answer:
  • Generally, you will NOT need to upgrade asset agents very often unless there is a P1/major incident associated with your current agent version.
  • Asset agents are tightly coupled to their respective SummitAI major version and need to be upgraded only when you upgrade your entire SummitAI application suite to the next major version.
  • Upgrading your asset agents along with a major version released after Denali SP3 (or higher) should not have any impact on TLS 1.2 compliance.

Question: What happens if there is a confirmed P1/major bug on the Asset Agent reported before the Denali SP3 release and I have upgraded to the TLS 1.2 compliant agent?
Answer: SummitAI will provide the hotfix on the TLS 1.2 agent supported version only, without any major version upgrade dependency.

Question: What happens if there is a lower priority bug on the Asset Agent reported before the Denali SP3 release and I have upgraded to the TLS 1.2 compliant agent?
Answer: SummitAI will provide the hotfix as per the standard release cycle on the default TLS 1.2 agent supported software, which may require you to upgrade your SummitAI Proxy application as a minimum requirement.

Question: What happens when we have TLS version 1.3?
Answer: Our agents released after Denali SP3 will be automatically compliant with TLS version 1.3.

Appendix

Supported .NET Framework 4.5

Operating System | Supported editions | .NET Framework 4.5
Windows Vista SP2+ | 32-bit and 64-bit | Supported
Windows 7 SP1+ | 32-bit and 64-bit | Supported
Windows Server 2008 SP2 or Higher | 32-bit and 64-bit | Supported

Supported Desktop Operating System

Operating System Name | TLS 1.0 | TLS 1.1 | TLS 1.2
Windows 7 SP1 | | |
Windows 8 | | Partial [See Note 1 below] | Partial [See Note 1 below]
Windows 8.1 | | |
Windows 10 | | |

Important Note 1

For Windows 8: TLS 1.1 and TLS 1.2 can be enabled by following the guidelines found here.

Supported Server Operating System

Operating System Name | TLS 1.0 | TLS 1.1 | TLS 1.2
Windows Server 2008 SP2 with Windows update installed | | |
Windows Server 2008 R2 | | |
Windows Server 2012 | | Partial [See Note 2] | Partial [See Note 2]
Windows Server 2012 R2 | | |
Windows Server 2016 | | |

Important Note 2

For Windows Server 2012: TLS 1.1 and TLS 1.2 can be enabled by following the guidelines found here.

Supported Microsoft .NET Libraries

.NET Libraries Name | TLS 1.0 | TLS 1.1 | TLS 1.2
.NET 4.6 and higher | | |
.NET 4.5 to 4.5.2 | | Partial [See Note 3] | Partial [See Note 3]
.NET 4.0 | | | Partial [See Note 4]
.NET 3.5 and below | | |

Important Note 3

For .NET 4.5 to 4.5.2: TLS 1.1 and TLS 1.2 can be enabled by following either one of the two options indicated below:

Option 1: .NET applications may directly enable TLS 1.1 and TLS 1.2 in their software code by setting System.Net.ServicePointManager.SecurityProtocol to include SecurityProtocolType.Tls12 and SecurityProtocolType.Tls11. The following C# code is an example:

// Allow TLS 1.2 and TLS 1.1 (in addition to TLS 1.0) for all outgoing connections made by this process
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;


Important Note 4

To enable TLS 1.2 by default, it is possible to install .NET Framework 4.5, or a newer version, and set the SchUseStrongCrypto DWORD value in the following two registry keys to 1. If they do not exist, create them.

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319"

Those registry keys, however, may enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. We recommend testing this change before deploying it to your production servers.

Supported Cipher Suites

Schannel supports the following cipher suites for TLS 1.2, 1.1 and 1.0. The cipher suites are listed in the default order in which they are chosen. Note that every suite in this list uses RC4, DES or 3DES, export-grade or NULL encryption with an MD5 or SHA-1 MAC, none of which is considered strong; restricting the protocol to TLS 1.2 does not by itself control which cipher suites remain enabled, so the cipher suite configuration should be checked separately.

  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_DHE_DSS_WITH_DES_CBC_SHA
  • TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  • TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  • TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
  • TLS_RSA_EXPORT_WITH_RC4_40_MD5
  • TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  • TLS_RSA_WITH_NULL_MD5
  • TLS_RSA_WITH_NULL_SHA

Reference article: https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites

For Microsoft Windows 10 versions 1903, 1909 and 2004, the list of enabled cipher suites and their priority (strong to weak) is given in the following article:

https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-10-v1903