Since other types of communications than TLS 1.2 are blocked on my network, the master doesn't communicate with the master anymore. How can I set up the BCM Master to communicate with its database server through TLS 1.2?
In order to allow the BCM Master to communicate with the SQL Server Database:

1- Verify that the current SQL driver on the master supports TLS 1.2

Only SQL Server drivers of version 13 and onward correctly handle TLS 1.2 only. If "ODBC Driver 13 for SQL Server" is already available as a choice to create an ODBC connector, this is good to go.

If an older version is installed, then download Microsoft® ODBC Driver 17 for SQL Server®, as an example, and install it on the BMC Client Management Master system.

The version of the SQL Server Database must be compatible as well. Make sure it runs version 13 at the minimum.

2- Update the configuration

To modify the BMC Client Management configuration there are two possibilities, depending on the current settings in "C:\Program Files\BMC Software\Client Management\Master\config\Vision64Database.ini":

A- DatabaseType=odbcdirect

If in ..\Master\config\Vision64Database.ini "DatabaseType=" is set to "DatabaseType=odbcdirect", then:

- Edit the ..\Master\config\Vision64Database.ini file in order to replace the current driver name with the new driver name. This:
DatabaseName=Driver={SQL Server};Server=MyServer;Database=MyDatabase
- Replace "{SQL Server}" with the highest version of the SQL Server Database connector installed on the master, e.g.:
DatabaseName=Driver={ODBC Driver 13 for SQL Server};Server=MyServer;Database=MyDatabase
or
DatabaseName=Driver={ODBC Driver 17 for SQL Server};Server=MyServer;Database=MyDatabase
- Restart the service of the agent on the master

B- DatabaseType=ODBC

If in ..\Master\config\Vision64Database.ini "DatabaseType=" is set to "DatabaseType=ODBC", then:

1- In this situation a System DSN has to be recreated or updated in order to use the ODBC Driver 13+ for SQL Server that is installed on the master:

- Set the name for the System DSN. The name doesn't really matter, but if something different from the current BCM database name or server name is set at this point, then the information has to be updated in the BCM Vision64Database.ini in the next steps. Database Server information, such as "Database Name" and "User Name", can be retrieved from Vision64Database.ini, from the "DatabaseName=" and "User=" parameters respectively.

Note: If a specific port is used for the master SQL server, then the port must be mentioned in the data source string.

- Be sure to set the same identification method as for the Database (default mode is SQL Server Authentication). In this example, the login is 'sa' but the default one is 'bcmdbuser'.

- Be sure to change the default database to the current BCM database (the default one is 'bcmdb').

- Then use the default parameters.

- And finally verify that the new connection is working.

2- If a new DSN was created, then "C:\Program Files\BMC Software\Client Management\Master\config\Vision64Database.ini" has to be modified in order to use the new ODBC system DSN:

- first back up the current Vision64Database.ini
- update the file Vision64Database.ini as follows:
DatabaseType=ODBC
DatabaseName=bcmdb17
Where 'bcmdb17' must be replaced with the name that was set in the new ODBC system DSN (third screenshot from the top)
- save this file
- restart the BMC Client Management Master service.

Note: At the time of writing of this KA, the following registry keys had to be set to only enable TLS 1.2 on the system itself:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
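
To confirm the result of step 2 after editing, the following added PowerShell example (not BMC's own tooling) reads the Vision64Database.ini content and reports whether the driver it resolves to, directly (case A) or through a System DSN (case B), is "ODBC Driver 13 for SQL Server" or newer and is installed. The function name Test-BcmDbDriver and its parameters are hypothetical, and the sample INI text is constructed from the values used in this article.

```powershell
function Test-BcmDbDriver {
    param(
        [Parameter(Mandatory)][string]$IniText,   # content of Vision64Database.ini
        [string[]]$InstalledDrivers = @(),        # ODBC driver names present on the master
        [hashtable]$SystemDsn = @{}               # System DSN name -> driver name
    )
    # Collect key=value pairs. The regex stops the key at the first '=',
    # because the odbcdirect DatabaseName value contains '=' itself.
    $cfg = @{}
    foreach ($line in $IniText -split "`r?`n") {
        if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $cfg[$Matches[1]] = $Matches[2] }
    }
    $type   = $cfg['DatabaseType']
    $driver = $null
    if ($type -ieq 'odbcdirect') {
        # Case A: the driver name is embedded in the connection string.
        if ($cfg['DatabaseName'] -match 'Driver=\{([^}]+)\}') { $driver = $Matches[1] }
    } elseif ($type -ieq 'ODBC' -and $cfg['DatabaseName']) {
        # Case B: DatabaseName is a System DSN name; resolve the driver behind it.
        $driver = $SystemDsn[$cfg['DatabaseName']]
    }
    # The article's threshold: driver version 13 and onward handle TLS 1.2 only.
    $version = 0
    if ($driver -match '^ODBC Driver (\d+) for SQL Server$') { $version = [int]$Matches[1] }
    $installed = $InstalledDrivers -contains $driver
    [pscustomobject]@{
        DatabaseType = $type
        Driver       = $driver
        Installed    = $installed
        Tls12Ready   = ($version -ge 13) -and $installed
    }
}

# Constructed sample for case A, still pointing at the legacy driver.
# On a real master, pass (Get-Content <path to Vision64Database.ini> -Raw),
# (Get-OdbcDriver).Name, and a table built from Get-OdbcDsn -DsnType System.
$sample = @'
DatabaseType=odbcdirect
DatabaseName=Driver={SQL Server};Server=MyServer;Database=MyDatabase
'@
Test-BcmDbDriver -IniText $sample -InstalledDrivers 'SQL Server', 'ODBC Driver 17 for SQL Server'
```

Run it again after the edit; Tls12Ready should change from False to True once the file names a version 13+ driver that is installed on the master.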