1. How to set up the BCM Master to communicate with its database server through TLS 1.2?

2. Since other types of communications than TLS 1.2 are blocked on the network the master doesn't communicate with the master anymore.

In order to allow the BCM Master to communicate with the SQL Server Database: :

1. Verify that the current SQL driver on the master supports TLS 1.2 only:

SQL Server version 13 and onward drivers correctly handle TLS 1.2 only, if "ODBC Driver 13 for SQL Server" is already available as a choice to create an ODBC connector, move to step 2.



If an older version is installed then download Microsoft® ODBC Driver 17 for SQL Server® from here, as an example, and install it on the BMC Client Management Master system.

The version of the SQL Server Database must be compatible as well. Make sure it runs version 13 at the minimum.


2. Update the configuration:

To modify BMC Client Management configuration there are two possibilities, depending on the current settings in C:\Program Files\BMC Software\Client Management\Master\config\Vision64Database.ini" :

Method 1: To update the configuration in Vision64database.ini using new ODBC Direct Drivers.

If in ..\Master\config\Vision64Database.ini "DatabaseType=" is set to "DatabaseType=odbcdirect", then:

1.  Edit ..\Master\config\Vision64Database.ini file in order to replace current driver name with new driver name: DatabaseName=Driver={SQL Server};Server=DBServer;Database=DatabaseName

2.  Replace "{SQL Server}" by the highest version of the SQL Server Database connector installed on the master, e.g: DatabaseName=Driver={ODBC Driver 13 for SQL Server};Server=DBServer;Database=DatabaseName 

OR

DatabaseName=Driver={ODBC Driver 17 for SQL Server};Server=DBServerr;Database=DatabaseName

        3. Restart the service of the agent on the master

Method 2: To update the configuration in Vision64database.ini by creating SystemDSN

If in ..\Master\config\Vision64Database.ini "DatabaseType=" is set to "DatabaseType=ODBC", then:

1. In this situation a System DSN has to be recreated or updated in order to use the ODBC Driver 13+ for SQL Server that is installed on the master:


Set the name for the System DSN:



The name doesn't really matter but in case something different than the current BCM database name or server name is set at this point then information has to be updated in BCM Vision64database.ini in the next steps.
Database Server information, such as in "Database Name" and "User Name" can be retrieved from Vision64Database.ini, respectively the "DatabaseName=" and "User=" parameters.

Note:  In case there is any specific port used for the master SQL server then the port must be mentioned in the data source string like this:




Be sure to set the same identification method as for the Database (the default mode is SQL Server Authentication). In this example, the login is 'sa' but the default one is  'bcmdbuser' :



Be sure to change the default database to the current BCM database (default one id 'bcmdb' )



Then use default parameters:



And finally, verify that the new connection is working:



2.  If a new DSN was created then "C:\Program Files\BMC Software\Client Management\Master\config\Vision64Database.ini" has to be modified in order to use the new ODBC system DSN:
- first backup the current Vision64Database.ini
- update the file Vision64Database.ini as following :

DatabaseType=ODBC
DatabaseName=bcmdb17     

Where 'bcmdb17' must be replaced with the name that was set into the new ODBC system DSN (third screenshot from the top)

- save this file
- restart BMC Client Management Master service.


Note:
At the time of writing of this KA, the following registry keys had to be set to only enable TLS 1.2 on the system itself:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000