TLS 1.2 is the secure way of communication suggested by Microsoft with best-in class encryption. SSL and early TLS are not considered strong cryptography and cannot be used as a security control. Microsoft has added official support for TLS1.2 security protocols in SCOM 2012 R2 with UR14 and SCOM 2016 with UR4 and later version of SCOM.
You can find more details in the System Center 2016 TLS1.2 Configuration article.
Please find the below process to enable TLS1.2
How to enable TLS1.2 in all across SCOM infra
Before you start, please make sure your Windows server is up to date with latest Windows and security patches.
- Install SQL Server 2012 Native Client 11.0 on all management servers and the Web console server.
- Install .NET Framework 4.6 on all management servers, gateway servers, Web console server, and SQL Server hosting the Operations Manager databases and Reporting server role.
- Install the Required SQL Server update that supports TLS 1.2.
- Install ODBC 11.0 or ODBC 13.0 on all management servers and SCOM SQL servers.
- For System Center 2012 R2 – Operations Manager, install Update Rollup 14.
Kevin is having a great article about the UR14 update, please follow the same and update UR14 for SCOM 2012 R2.
https://kevinholman.com/2017/11/28/ur14-for-scom-2012-r2-step-by-step/
6. Configure Windows to only use TLS 1.2 in all management servers, gateway servers, Web console server, and SQL Server hosting the Operations Manager databases and Reporting server role.
Method: Automatically modify the registry
Run the following Windows PowerShell script in Administrator mode to automatically configure Windows to use only the TLS 1.2 Protocol:
$ProtocolList = @("SSL 2.0","SSL 3.0","TLS 1.0", "TLS 1.1", "TLS 1.2")
$ProtocolSubKeyList = @("Client", "Server")
$DisabledByDefault = "DisabledByDefault"
$Enabled = "Enabled"
$registryPath = "HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"
foreach($Protocol in $ProtocolList)
{
Write-Host " In 1st For loop"
foreach($key in $ProtocolSubKeyList)
{
$currentRegPath = $registryPath + $Protocol + "\" + $key
Write-Host " Current Registry Path $currentRegPath"
if(!(Test-Path $currentRegPath))
{
Write-Host "creating the registry"
New-Item -Path $currentRegPath -Force | out-Null
}
if($Protocol -eq "TLS 1.2")
{
Write-Host "Working for TLS 1.2"
New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
}
else
{
Write-Host "Working for other protocol"
New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "1" -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "0" -PropertyType DWORD -Force | Out-Null
}
}
}
Exit 0
7. Configure Operations Manager to only use TLS 1.2 in all management servers, gateway servers, Web console server, and SQL Server hosting the Operations Manager databases and Reporting server role..
Run the following Windows PowerShell script in Administrator mode to automatically configure.
# Tighten up the .NET Framework
$NetRegistryPath = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value "1" -PropertyType DWORD -Force | Out-Null
$NetRegistryPath = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value "1" -PropertyType DWORD -Force | Out-Null