TLS 1.2 is the protocol Microsoft recommends for secure communication. SSL and early TLS are not considered strong cryptography and cannot be used as a security control. Microsoft added official TLS 1.2 support to System Center 2012 R2 Orchestrator with Update Rollup 14, and to System Center 2016 Orchestrator with Update Rollup 4 and later.

You can find more details in the System Center 2016 TLS 1.2 Configuration article.

This article covers the following configuration in SCORCH.

How to enable TLS 1.2 across the SCORCH infrastructure

Before you start, make sure your Windows servers are up to date with the latest Windows and security patches.

  • Install SQL Server 2012 Native Client 11.0 on all Orchestrator servers (Runbook server, Runbook designer, Deployment Manager server, management server, SQL server, Runbook tester server, Orchestrator console).

  • Install .NET Framework 4.6 on all Orchestrator servers (Runbook server, Runbook designer, Deployment Manager server, management server, SQL server, Runbook tester server, Orchestrator console).

  • Install the required SQL Server update that supports TLS 1.2.

  • Install ODBC 11.0 or ODBC 13.0 on all Orchestrator servers (Runbook server, Runbook designer, Deployment Manager server, management server, SQL server, Runbook tester server, Orchestrator console).

  • For System Center 2012 R2 Orchestrator, install Update Rollup 14.

 

https://support.microsoft.com/en-in/help/4047356/update-rollup-14-for-system-center-2012-r2-orchestrator

 

After applying UR14, apply the hotfix below. There is a known issue, documented in the UR14 article linked above, where RunbookServerMonitorService.exe crashes and cannot connect to the database after UR14 is installed. This hotfix is tested only on Windows Server 2012 R2 and later.

 

https://www.microsoft.com/en-us/download/details.aspx?id=56372

 

Instructions:

a. Extract the hotfix package.

b. Stop the Orchestrator Management Service and the Orchestrator Remoting Service.

c. Back up the existing aspt.exe and RunbookServerMonitorService.exe from <Installation Directory>\Program Files (x86)\Microsoft System Center 2012 R2\Orchestrator\Management Server.

d. Copy the aspt.exe and RunbookServerMonitorService.exe extracted from the hotfix to <Installation Directory>\Program Files (x86)\Microsoft System Center 2012 R2\Orchestrator\Management Server, replacing the originals.

e. Start the Orchestrator Management Service and the Orchestrator Remoting Service.

f. Configure Windows to use only TLS 1.2 on all Orchestrator servers (Runbook server, Runbook designer, Deployment Manager server, management server, SQL server, Runbook tester server, Orchestrator console).

  • For System Center 2016 Orchestrator, install Update Rollup 4 or later.
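The following script is an added example and is not part of the original article or of the Microsoft hotfix package. It checks the prerequisites listed above (.NET Framework 4.6, SQL Server Native Client 11.0, ODBC Driver 11 or 13) from the registry, then performs steps b to e of the hotfix procedure with a timestamped backup of the original binaries. The extraction folder C:\Temp\UR14-Hotfix is an assumed value; the Management Server path is the default one quoted in the article, and the service display names are the ones the article uses.

```powershell
# Added example, not from the original article: prerequisite check plus hotfix
# file swap with backup. $HotfixPath is an assumed extraction folder.
param(
    [string]$HotfixPath = "C:\Temp\UR14-Hotfix",
    [string]$ManagementServerPath = "${env:ProgramFiles(x86)}\Microsoft System Center 2012 R2\Orchestrator\Management Server"
)

function Test-Tls12Prerequisites {
    $problems = @()

    # .NET Framework 4.6 and later report Release >= 393295 under NDP\v4\Full.
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    if (-not $ndp -or $ndp.Release -lt 393295) {
        $problems += ".NET Framework 4.6 or later is not installed (Release = $($ndp.Release))"
    }

    # Every installed ODBC driver, the SQL Native Client included, is a value under ODBCINST.INI\ODBC Drivers.
    $drivers = Get-ItemProperty -Path 'HKLM:\SOFTWARE\ODBC\ODBCINST.INI\ODBC Drivers' -ErrorAction SilentlyContinue
    if (-not $drivers -or -not $drivers.'SQL Server Native Client 11.0') {
        $problems += 'SQL Server 2012 Native Client 11.0 is not installed'
    }
    $odbc = @('ODBC Driver 11 for SQL Server', 'ODBC Driver 13 for SQL Server') | Where-Object { $drivers -and $drivers.$_ }
    if (-not $odbc) {
        $problems += 'Neither ODBC Driver 11 nor ODBC Driver 13 for SQL Server is installed'
    }
    return $problems
}

function Install-MonitorServiceHotfix {
    param([string]$Source, [string]$Target)
    $files = 'aspt.exe', 'RunbookServerMonitorService.exe'
    foreach ($f in $files) {
        if (-not (Test-Path (Join-Path $Source $f))) { throw "Hotfix file $f not found in $Source" }
    }

    # Step b: stop both services (display names as given in the article) before touching the binaries.
    $services = Get-Service -DisplayName 'Orchestrator Management Service', 'Orchestrator Remoting Service'
    $services | Stop-Service -Force
    try {
        $backup = Join-Path $Target ('Backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
        New-Item -ItemType Directory -Path $backup | Out-Null
        foreach ($f in $files) {
            Copy-Item -Path (Join-Path $Target $f) -Destination $backup          # step c: keep the originals
            Copy-Item -Path (Join-Path $Source $f) -Destination $Target -Force   # step d: drop in the hotfix files
        }
    }
    finally {
        $services | Start-Service                                                 # step e: always restart the services
    }
    foreach ($f in $files) {
        $version = (Get-Item (Join-Path $Target $f)).VersionInfo.FileVersion
        Write-Host "$f is now version $version (previous copy saved in $backup)"
    }
}

$problems = Test-Tls12Prerequisites
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Fix the prerequisites above before applying the hotfix.'
}
Install-MonitorServiceHotfix -Source $HotfixPath -Target $ManagementServerPath
```

Run it from an elevated PowerShell session on the management server only after UR14 is installed; the prerequisite check is worth running on every server in the list above, since the SQL Native Client and ODBC driver are what actually carry the TLS 1.2 connection to the database.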

Method: Automatically modify the registry

Run the following Windows PowerShell script as an administrator to configure Windows to use only TLS 1.2. These SCHANNEL settings are machine-wide: they apply to every application on the server, not only Orchestrator, and they take effect only after a reboot.

 

$ProtocolList       = @("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2")
$ProtocolSubKeyList = @("Client", "Server")
$DisabledByDefault  = "DisabledByDefault"
$Enabled            = "Enabled"
$registryPath       = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"

foreach ($Protocol in $ProtocolList)
{
    foreach ($key in $ProtocolSubKeyList)
    {
        $currentRegPath = $registryPath + $Protocol + "\" + $key
        Write-Host "Configuring $currentRegPath"

        # Create the <protocol>\<Client|Server> key if it does not exist yet.
        if (!(Test-Path $currentRegPath))
        {
            New-Item -Path $currentRegPath -Force | Out-Null
        }

        if ($Protocol -eq "TLS 1.2")
        {
            # TLS 1.2: enabled and offered by default, for both client and server roles.
            New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
            New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
        }
        else
        {
            # SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1: explicitly disabled.
            New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "1" -PropertyType DWORD -Force | Out-Null
            New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "0" -PropertyType DWORD -Force | Out-Null
        }
    }
}

Exit 0

 

Configure Orchestrator to use only TLS 1.2 on all Orchestrator servers (Runbook server, Runbook designer, Deployment Manager server, management server, SQL server, Runbook tester server, Orchestrator console).

Orchestrator's components are .NET applications, so they also need the .NET Framework told to use strong cryptography. Setting SchUseStrongCrypto to 1 makes .NET 4.x offer TLS 1.1 and TLS 1.2 instead of only SSL 3.0 and TLS 1.0; combined with the SCHANNEL settings above, Orchestrator ends up negotiating TLS 1.2 only. Run the following Windows PowerShell script as an administrator.

 

# Tighten up the .NET Framework
# 64-bit .NET 4.x applications read this key.
$NetRegistryPath = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value "1" -PropertyType DWORD -Force | Out-Null

# 32-bit .NET 4.x applications (Orchestrator installs under Program Files (x86)) read the WOW6432Node key.
$NetRegistryPath = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value "1" -PropertyType DWORD -Force | Out-Null

 

https://support.microsoft.com/en-in/help/4055768/tls-1-2-protocol-support-deployment-guide-for-system-center-2012-r2
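The following script is an added example and is not part of the original article. It reads back the SCHANNEL and .NET settings that the two scripts above write, flags anything that is not "TLS 1.2 on, everything else explicitly off", and probes a listener to see which protocol versions it really accepts after the reboot. The host name scorch-web.contoso.local is an assumed placeholder. The socket probe only applies to endpoints that speak TLS directly on the connection, such as an HTTPS site on the server; SQL Server negotiates TLS inside the TDS pre-login handshake, so for the database rely on the registry audit and the SQL Server error log rather than this probe.

```powershell
# Added example, not from the original article: audit of the SCHANNEL and .NET
# registry state plus a live protocol-version probe.
function Get-SchannelProtocolState {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $p = Get-ItemProperty -Path "$base\$proto\$side" -ErrorAction SilentlyContinue
            # A missing key means "OS default", which on Windows Server 2012 R2 still allows TLS 1.0 and 1.1.
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = if ($p) { $p.Enabled } else { $null }
                DisabledByDefault = if ($p) { $p.DisabledByDefault } else { $null }
            }
        }
    }
}

function Test-Tls12Only {
    # Report every protocol/side pair that deviates from the intended end state.
    $problems = @(Get-SchannelProtocolState | Where-Object {
        if ($_.Protocol -eq 'TLS 1.2') { -not ($_.Enabled -eq 1 -and $_.DisabledByDefault -eq 0) }
        else                            { -not ($_.Enabled -eq 0 -and $_.DisabledByDefault -eq 1) }
    })
    # Both .NET keys must carry SchUseStrongCrypto = 1 (64-bit and WOW6432Node).
    $netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    $weakNet = @($netKeys | Where-Object {
        (Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue).SchUseStrongCrypto -ne 1
    })
    [pscustomobject]@{
        Tls12Only                  = ($problems.Count -eq 0 -and $weakNet.Count -eq 0)
        SchannelProblems           = $problems
        NetKeysWithoutStrongCrypto = $weakNet
    }
}

function Test-TlsHandshake {
    param(
        [string]$ComputerName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12'
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Certificate validation is skipped on purpose: the question is only whether the
        # server accepts this protocol version, not whether its certificate is trusted.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        return "accepted ($($ssl.SslProtocol))"
    }
    catch {
        $e = $_.Exception
        if ($e.InnerException) { $e = $e.InnerException }   # unwrap the PowerShell method-invocation wrapper
        return "rejected ($($e.GetType().Name))"
    }
    finally { $client.Close() }
}

Test-Tls12Only | Format-List

# Probe the same listener with TLS 1.0 and TLS 1.2 and compare the two results.
$target = 'scorch-web.contoso.local'   # assumed placeholder host name
"TLS 1.0: " + (Test-TlsHandshake -ComputerName $target -Protocol Tls)
"TLS 1.2: " + (Test-TlsHandshake -ComputerName $target -Protocol Tls12)
```

Run the audit on each server in the list above after it has been rebooted; the registry values are written immediately, but SCHANNEL only honours them after a restart, so a listener that still accepts TLS 1.0 while Test-Tls12Only reports Tls12Only = True usually just means the reboot has not happened yet.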

 

  1. After the Orchestrator updates are installed, reconfigure the Orchestrator database, using the existing database, according to these guidelines.