Configure TLSv1.3

Remote Control version 10.1.0 includes support for Transport Layer Security (TLS) version 1.3.

TLSv1.3 Protocol Support
By default, Remote Control components at version 10.1.0 operate in backward compatibility mode. In this mode of operation, components at version 10.1.0 and earlier versions can operate with no disruption. When the connection is established between two components at version 10.1.0, the TLSv1.3 protocol is used. Otherwise, the TLSv1.2 protocol is used.
When planning to upgrade to version 10.1, it is recommended to upgrade the controllers first if the environment is configured in FIPS mode. If the environment is not configured in FIPS, there are no requirements on the order of upgrading the components.
Once all product components are updated to version 10.1.0 or in case you are deploying a brand new Remote Control environment from scratch, it is possible to configure the product to operate in TLSv1.3 only mode. In this mode of operation, the only possible connection protocol between components is TLSv1.3. Any connection attempts involving a component at an older version will result in a failure.
Make sure all components are at the 10.1.0 level before you follow the activation procedure indicated in the following pages. For Managed targets, you can use the newly added report available in the Remote Control Server named "Targets not capable of TLSv1.3" that is available from the Report Menu -> Standard Reports. Ensure no targets are listed from this report before activating TLSv1.3 only mode in a Managed environment. It is also possible to use the Remote Control Analysis from the BigFix Console to verify the version of the installed components.
The Remote Control Analysis "#4 - Remote Control Installation and Security Options" includes a new property named "TLSv1.3 Only" that indicates if the target is currently operating in this mode of operation. The value of this property depends on the version of the installed target and the target configuration.
Note: If you enable TLSv1.3 only mode and there are still components at pre-10.1.0 version in the environment, an attempt to establish a session with those components will result in a failure. The exact extent and symptom of such failure will vary depending on the session type, timings, etc.
Note: If you enable the TLSv1.3 only mode on a target at a version earlier than 10.1.0, the target enters an idle, non-working state because it cannot satisfy the constraint. To recover the target, you need to upgrade it to version 10.1 or revert the TLSv1.3 only mode.
Note: The IBM Java JCE FIPS 140-2 Cryptographic Module included in the Remote Control Server does not support the TLSv1.3 protocol. This implies that in a Managed Mode environment configured in FIPS mode, it is not possible to operate the product in TLSv1.3 only mode. In a Remote Control version 10.1.0 environment configured in FIPS, the connections between components always use FIPS-certified providers. When the connection occurs between Target, Controller, and Brokers, the connection uses the TLSv1.3 protocol. When the connection occurs between the components and the Remote Control Server, the connection uses the TLSv1.2 protocol.
Enable TLSv1.3 Only Mode in Managed Mode
In managed mode, the Controller receives the indication to operate in TLSv1.3 only mode from the Remote Control server with an argument in the .trcjws file at session start time.
The target receives the information to operate in TLSv1.3 only mode from the Remote Control server at call home time. It is also possible to configure this mode of operation from the BigFix Console generating a target configuration wizard.
The Remote Control server and Brokers are configured manually.
The Gateways do not require any configuration.
There is no specific order on what component to configure first.
Configure the Broker to operate in TLSv1.3 Only Mode
In version 10.1.0, the Broker provides the following new properties, which control the allowed protocols. These properties are located in the trc_broker.properties file.
For the connection between the Broker and the Server
  • ServerTLS12 = yes
  • ServerTLS13 = yes
For all the other connections, both incoming and outgoing
  • DefaultUseTLS12 = yes
  • DefaultUseTLS13 = yes
Optional for specification at the connection prefix level
  • prefix.UseTLS12 = yes
  • prefix.UseTLS13 = yes
By default, at version 10.1.0, the broker allows both protocols. To use TLSv1.3 only mode, specify "ServerTLS12 = no" and "DefaultUseTLS12 = no" in the trc_broker.properties file.
Note: A Broker upgrade may overwrite the existing trc_broker.properties file. Make a backup copy of the trc_broker.properties file before proceeding with the upgrade. After the upgrade, review and update your broker configuration. Remove any existing DefaultTLSCipherList, DefaultHTTPSCipherList, ServerTLS*, and *UseTLS* properties. This ensures that the Broker operates with the version 10.1.0 configuration. To enable TLSv1.3 only mode, add "ServerTLS12 = no" and "DefaultUseTLS12 = no" to the trc_broker.properties file.
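The following script is an added example (not part of the product or of this documentation) that audits a trc_broker.properties file against the settings described above. It reads ServerTLS12/13, DefaultUseTLS12/13 and any <prefix>.UseTLS12/13 override, treats an absent protocol property as "yes" (the stated 10.1.0 default of allowing both protocols), reports whether TLSv1.2 is still accepted anywhere, and warns about the DefaultTLSCipherList and DefaultHTTPSCipherList properties that the upgrade note says to remove. The prefix name "example" and the cipher list value in the sample are constructed placeholders.

```python
"""Audit trc_broker.properties for TLSv1.3 only mode (added example, not product code)."""

# Pre-10.1.0 cipher list properties that the upgrade note says to remove.
LEGACY_CIPHER_PROPERTIES = ("DefaultTLSCipherList", "DefaultHTTPSCipherList")


def parse_properties(text):
    """Minimal key=value parser for a Java-style .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def effective(props, name):
    """Effective yes/no value of a protocol property; absent means 'yes' (10.1.0 default)."""
    return props.get(name, "yes").lower()


def audit_broker_properties(text):
    """Return {'tls13_only': bool, 'blocking': [...], 'warnings': [...]}.

    'blocking' lists settings that still allow TLSv1.2 or disable TLSv1.3,
    so the Broker is in TLSv1.3 only mode only when that list is empty.
    """
    props = parse_properties(text)
    blocking, warnings = [], []

    # Broker <-> Server connection.
    if effective(props, "ServerTLS12") != "no":
        blocking.append("ServerTLS12 is not 'no': the Server connection still allows TLSv1.2")
    if effective(props, "ServerTLS13") == "no":
        blocking.append("ServerTLS13 is 'no': the Server connection cannot use TLSv1.3")

    # Default for every other incoming and outgoing connection.
    if effective(props, "DefaultUseTLS12") != "no":
        blocking.append("DefaultUseTLS12 is not 'no': other connections still allow TLSv1.2")
    if effective(props, "DefaultUseTLS13") == "no":
        blocking.append("DefaultUseTLS13 is 'no': other connections cannot use TLSv1.3")

    # Per-prefix overrides can silently re-enable TLSv1.2 for one connection.
    for key, value in props.items():
        if key.endswith(".UseTLS12") and value.lower() == "yes":
            blocking.append(f"{key} re-enables TLSv1.2 for prefix '{key[:-len('.UseTLS12')]}'")
        if key.endswith(".UseTLS13") and value.lower() == "no":
            blocking.append(f"{key} disables TLSv1.3 for prefix '{key[:-len('.UseTLS13')]}'")

    # Leftovers from a pre-10.1.0 configuration.
    for name in LEGACY_CIPHER_PROPERTIES:
        if name in props:
            warnings.append(f"{name} is still present; remove it so the 10.1.0 defaults apply")

    return {"tls13_only": not blocking, "blocking": blocking, "warnings": warnings}


# Constructed sample: edited for TLSv1.3 only mode, but with a hypothetical
# per-prefix override and a leftover cipher list (placeholder value).
SAMPLE_BROKER_PROPERTIES = """\
# trc_broker.properties (constructed sample)
ServerTLS12 = no
DefaultUseTLS12 = no
example.UseTLS12 = yes
DefaultTLSCipherList = legacy-cipher-list-placeholder
"""

if __name__ == "__main__":
    result = audit_broker_properties(SAMPLE_BROKER_PROPERTIES)
    print("TLSv1.3 only:", result["tls13_only"])
    for line in result["blocking"] + result["warnings"]:
        print(" -", line)
```

Run it against the real file with `audit_broker_properties(open("trc_broker.properties").read())`; an empty file, or one restored from a pre-upgrade backup without the two "no" settings, correctly reports that TLSv1.2 is still allowed.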
Configure the Server to operate in TLSv1.3 Only Mode
  1. Edit the ssl.xml and copy the sslProtocol and enabledCiphers from the commented section to the ssl section and restart the Remote Control server service.
    <ssl id="defaultSSLConfig"  
     sslProtocol="TLSv1.3,TLSv1.2"  
     enabledCiphers="TLS_AES_256_GCM_SHA384.... " 
     />
    <!--  To run the server in TLS 1.3 Only mode use the following settings in the ssl section above
     sslProtocol="TLSv1.3"  
     enabledCiphers="TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256" 
     -->
    
    The ssl.xml file is in the following folder:
    Linux®
    <Installation_directory>/wlp/usr/servers/trcserver/ssl.xml
    Windows®
    <Installation_directory>\wlp\usr\servers\trcserver\ssl.xml
  2. Set the enforce.TLSv13.only property to "true" in the common.properties file.

    From the Admin menu of the Remote Control server web interface, select Edit Properties Files and select common.properties from the drop-down menu. Then click Submit. From the Admin menu, select Reset Application.

Note: Changes performed to the product xml files are not persisted during a Server upgrade. Before a Server upgrade, copy those files to a folder outside of the wlp tree and restore the copies after the upgrade.
Note: It is not required to activate the TLSv1.3 protocol on the connection between the Remote Control Server and the Database Server when the server is configured to operate in TLSv1.3 only mode. If you want to enable the TLSv1.3 protocol for this connection as well, refer to your Database vendor documentation on how to configure the Database Server and the corresponding JDBC driver. The JDBC driver configuration is stored in the file named database.xml in the same folder where ssl.xml is.
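The script below is an added example (not part of the product or of this documentation) that checks the two server-side settings from steps 1 and 2 together: the <ssl id="defaultSSLConfig"> element in ssl.xml must list only TLSv1.3 and only the two TLSv1.3 cipher suites shown in the commented section, and common.properties must set enforce.TLSv13.only to true. It also includes an optional live probe that opens a handshake capped at TLSv1.2 against the server, which a TLSv1.3 only server must refuse. The <server> root element in the sample and the TLSv1.2 suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 are constructed for the sample and are not taken from the product files.

```python
"""Check a Remote Control Server for TLSv1.3 only mode (added example, not product code)."""
import socket
import ssl
import xml.etree.ElementTree as ET

# The two suites the commented section of ssl.xml shows for TLSv1.3 only mode.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"}


def check_ssl_xml(xml_text, ssl_id="defaultSSLConfig"):
    """Return the problems found in the <ssl id=ssl_id> element (empty list = OK)."""
    root = ET.fromstring(xml_text)
    matches = [e for e in root.iter("ssl") if e.get("id") == ssl_id]
    if not matches:
        return [f'no <ssl id="{ssl_id}"> element found']
    elem = matches[0]
    problems = []
    # sslProtocol is comma-separated, e.g. "TLSv1.3,TLSv1.2" in compatibility mode.
    protocols = [p.strip() for p in elem.get("sslProtocol", "").split(",") if p.strip()]
    if protocols != ["TLSv1.3"]:
        problems.append(f"sslProtocol is {protocols or 'unset'}, expected ['TLSv1.3']")
    # enabledCiphers is whitespace-separated.
    ciphers = elem.get("enabledCiphers", "").split()
    if not ciphers:
        problems.append("enabledCiphers is empty")
    for suite in ciphers:
        if suite not in TLS13_SUITES:
            problems.append(f"enabledCiphers contains non-TLSv1.3 suite {suite}")
    return problems


def check_common_properties(text):
    """Return the problems with enforce.TLSv13.only in common.properties (empty list = OK)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "enforce.TLSv13.only":
            if value.lower() == "true":
                return []
            return [f"enforce.TLSv13.only is '{value}', expected 'true'"]
    return ["enforce.TLSv13.only is not set"]


def server_is_tls13_only(xml_text, properties_text):
    """True when both files are consistent with TLSv1.3 only mode."""
    return not (check_ssl_xml(xml_text) + check_common_properties(properties_text))


def accepts_tls12(host, port, timeout=5.0):
    """Live probe: attempt a handshake capped at TLSv1.2 and report whether it succeeds.

    Certificate verification is disabled because only the negotiated protocol
    matters here; run this against your own server after Reset Application.
    A refused handshake raises ssl.SSLError and is reported as False; other
    connection errors propagate so a reachability problem is not mistaken
    for a successful TLSv1.3 only configuration.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == "TLSv1.2"
    except ssl.SSLError:
        return False


# Constructed samples: the backward-compatible form from step 1 (with one
# TLSv1.2 suite standing in for the elided "....") and the TLSv1.3 only form.
COMPAT_SSL_XML = """<server>
  <ssl id="defaultSSLConfig"
       sslProtocol="TLSv1.3,TLSv1.2"
       enabledCiphers="TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
</server>
"""
TLS13_ONLY_SSL_XML = """<server>
  <ssl id="defaultSSLConfig"
       sslProtocol="TLSv1.3"
       enabledCiphers="TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256" />
</server>
"""

if __name__ == "__main__":
    for name, xml_text in (("compat", COMPAT_SSL_XML), ("tls13-only", TLS13_ONLY_SSL_XML)):
        print(name, check_ssl_xml(xml_text) or "OK")
    print("common.properties:", check_common_properties("enforce.TLSv13.only = true\n") or "OK")
```

On a real server, pass the contents of wlp/usr/servers/trcserver/ssl.xml and common.properties to `server_is_tls13_only`, then confirm the running service with `accepts_tls12(host, port)`, which should return False once the settings are active.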
Enable TLSv1.3 Only Mode in Peer to Peer Mode
In Peer to Peer mode, the TLSv1.3 only mode is enforced by configuring the target.
Once the targets are updated to version 10.1.0, use the BigFix Console Remote Control Target Configuration Wizard to create a configuration task that sets the property TLSV13Only to "true".
The Configuration dialog of the Controller contains an indication of the protocol configuration of the Controller. When the Controller operates in Peer to Peer mode, it is possible to change this setting and set the protocol as TLSv1.3.