KBI 311797 Disabling TLS 1.0/TLS 1.1 In Argent Products

Version

All Argent Products

Date

Monday, 2 March 2020

Summary

Customers are compelled to upgrade to TLS 1.2 for secure communication because of security vulnerabilities that have been reported against SSL and earlier versions of Transport Layer Security (TLS).

Because of this, customers must disable TLS 1.0 and TLS 1.1 and only allow TLS 1.2 in order to comply with requirements such as PCI compliance.

Technical Background

The main issue is centered around Argent products’ connectivity to the backend database.

Before disabling TLS 1.0 and 1.1, customers need to first ensure that the current database can support TLS 1.2.

The latest Argent products have been updated to support TLS 1.2 connectivity to a SQL Server backend database.

Resolution

HTTP Connections

  1. Argent Web Products are installed by default without SSL support.
  2. Customers may enable HTTPS (HTTP over SSL) according to the following KBI:
    KBI 311048 How To Configure HTTPS For Argent Commander
  3. The IIS web server can be further hardened by disabling TLS 1.0 and TLS 1.1 connections in Group Policy. To do so, navigate to the following policy:
    Computer Configuration > Administrative Templates > Network > SSL Configuration Settings

    Ensure that all enabled cipher suites are TLS 1.2 and above.
    The following Microsoft article details the various versions of the cipher suites used in Microsoft products:
    https://docs.microsoft.com/en-gb/windows/win32/secauthn/cipher-suites-in-schannel
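
One way to audit the result of the policy above on an IIS server, as an added example that is not part of the original KBI or Argent's own tooling. It assumes Windows Server 2016 or later (for `Get-TlsCipherSuite`) and that the Group Policy cipher suite order is stored in the `Functions` value of the policy key shown in the code; the function name is hypothetical.

```powershell
# Added example: list enabled Schannel cipher suites that can still be
# negotiated under TLS 1.0 or TLS 1.1, and show whether each one is
# present in the Group Policy cipher suite order.

# Protocol identifiers as reported in the Protocols property
# (0x0301 = TLS 1.0, 0x0302 = TLS 1.1).
$LegacyProtocols = @{ 769 = 'TLS 1.0'; 770 = 'TLS 1.1' }

# Registry location written by the "SSL Cipher Suite Order" policy setting.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-LegacyCapableCipherSuite {
    # Read the policy-defined order, if the policy is configured at all.
    $policy = (Get-ItemProperty -Path $PolicyKey -Name 'Functions' `
                   -ErrorAction SilentlyContinue).Functions
    $policyOrder = if ($policy) { $policy -split ',' } else { @() }

    Get-TlsCipherSuite | ForEach-Object {
        # Collect the legacy protocol versions this suite is valid for.
        $old = @($_.Protocols |
                 Where-Object  { $LegacyProtocols.ContainsKey([int]$_) } |
                 ForEach-Object { $LegacyProtocols[[int]$_] })

        [pscustomobject]@{
            Name            = $_.Name
            InPolicyOrder   = $_.Name -in $policyOrder
            LegacyProtocols = $old -join ', '
        }
    } | Where-Object { $_.LegacyProtocols }
}

# An empty result means no enabled suite is usable with TLS 1.0 or TLS 1.1.
Get-LegacyCapableCipherSuite | Format-Table -AutoSize
```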

SMTP Connections

Argent Advanced Technology 5.1A-1610-A and above comes with added options for configuring SMTP servers to support SSL and TLS protocols.

For more information, refer to the following KBI:
KBI 311474 New Feature: Support SMTP And POP3 Servers Using TLS And SSL Protocols

Backend Database Connection

Depending on the database version and service pack level, customers may need to apply a hotfix or an update to enable TLS 1.2 support on a Microsoft SQL Server database.

The following Microsoft article describes this in detail:

TLS 1.2 support for Microsoft SQL Server
https://support.microsoft.com/en-sg/help/3135244/tls-1-2-support-for-microsoft-sql-server

  1. Apply the necessary updates and hotfixes for TLS 1.2 support from the above Microsoft article.
  2. Download the updated SQL Server Native Client drivers based on your SQL Server version:
    SQL Server Native Client 10.0 for SQL Server 2008/2008 R2 (x86/x64/IA64)
    https://www.microsoft.com/download/details.aspx?id=57606
    SQL Server Native Client 11.0 for SQL Server 2012/2014 (x86/x64)
    https://www.microsoft.com/download/details.aspx?id=50402
  3. Download the updated SQL Server ODBC drivers based on your SQL Server version:
    For SQL Server 2005 to 2014 – Microsoft® ODBC Driver 11 for SQL Server®
    https://www.microsoft.com/en-us/download/details.aspx?id=36434
    For SQL Server 2008 to 2017 – Microsoft® ODBC Driver 17 for SQL Server®
    https://www.microsoft.com/en-us/download/details.aspx?id=56567
  4. Install the Native Client and ODBC drivers on all Argent Servers that need to connect to the backend database.
  5. Test and ensure that the newly installed ODBC drivers can connect to the backend SQL Server. To test the new ODBC driver, create a temporary System Data Source in Microsoft ODBC Data Source Administrator (32-bit and 64-bit):
    Navigate to Control Panel > All Control Panel Items > Administrative Tools

    Start the ‘ODBC Data Sources (XX-bit)’ tool:

    Create a new temporary Data Source which points to the current Argent backend database:

    Note: Only proceed if the connectivity test with this driver is successful.

Argent AT

  1. Ensure that the backend database supports TLS 1.2 (see above).
  2. Upgrade to Argent Advanced Technology 5.1A-1807-A or above, if you are using an earlier version.
  3. Check the current ‘DEFAULT_SQLSERVER_DRIVER’ registry key in:
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Argent\COMMON

    The value of the registry key, which corresponds with the name of the installed ODBC driver that you want to use, must match one of the following:

    ODBC Driver 11 for SQL Server
    ODBC Driver 13 for SQL Server
    ODBC Driver 17 for SQL Server

  4. Test the new settings by starting the Argent AT GUI.
  5. For new Argent AT installations, select the compatible ODBC driver during installation instead of the default ‘SQL Server’.
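
A scripted version of the checks in steps 3 and 4, combined with the driver connectivity test from the Backend Database Connection section, as an added example that is not Argent's own code. It assumes Windows PowerShell 5.1, Windows integrated authentication to the database, and that the 32-bit driver is the relevant one because the key lives under `WOW6432Node`; the function name, server name and database name are placeholders.

```powershell
# Added example: verify the ODBC driver Argent AT is configured to use.
Add-Type -AssemblyName System.Data

$ArgentKey      = 'HKLM:\SOFTWARE\WOW6432Node\Argent\COMMON'
$AllowedDrivers = 'ODBC Driver 11 for SQL Server',
                  'ODBC Driver 13 for SQL Server',
                  'ODBC Driver 17 for SQL Server'

function Test-ArgentOdbcDriver {
    param(
        [Parameter(Mandatory)][string]$Server,     # placeholder, e.g. 'sqlhost.example.com'
        [Parameter(Mandatory)][string]$Database    # placeholder database name
    )

    $driver = (Get-ItemProperty -Path $ArgentKey -Name 'DEFAULT_SQLSERVER_DRIVER' `
                   -ErrorAction Stop).DEFAULT_SQLSERVER_DRIVER

    $result = [ordered]@{
        Driver        = $driver
        Allowed       = $driver -in $AllowedDrivers
        # Assumption: the 32-bit driver is the one Argent AT loads.
        Installed     = [bool](Get-OdbcDriver -Name $driver -Platform '32-bit' `
                                   -ErrorAction SilentlyContinue)
        Connected     = $false
        ServerVersion = $null
        Error         = $null
    }

    if ($result.Allowed -and $result.Installed) {
        # The SQL Server login exchange is protected with TLS even without
        # Encrypt=yes, so Open() fails if client and server share no protocol.
        $connString = "Driver={$driver};Server=$Server;Database=$Database;Trusted_Connection=yes;"
        $conn = New-Object System.Data.Odbc.OdbcConnection $connString
        try {
            $conn.Open()
            $result.Connected     = $true
            $result.ServerVersion = $conn.ServerVersion
        }
        catch   { $result.Error = $_.Exception.Message }
        finally { $conn.Dispose() }
    }
    [pscustomobject]$result
}

Test-ArgentOdbcDriver -Server 'sqlhost.example.com' -Database 'ArgentDB'
```

The connection test uses the driver matching the bitness of the PowerShell host, so run it from the 32-bit console (`%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe`) to exercise the 32-bit driver.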

Argent Commander

  1. Upgrade to Argent Commander 5.0A-1809-B and above if you are using an earlier version.
  2. The updated Argent Commander inherits the ODBC driver setting from Argent AT; therefore, it is important to ensure that Argent AT is working correctly with the TLS 1.2 ODBC driver before upgrading Argent Commander.
  3. Customers may notice that after upgrading Argent Commander to a version that supports TLS 1.2, the main page takes a long time to load (around one minute) and the following error is also seen in the logs:
    *** ERROR *** Failed to execute Active Directory query
    This may be due to Argent Commander using different ports to connect to the Domain Controller for user authentication.
    Ensure that TCP ports 636 (LDAP over SSL) and 3269 (Global Catalog over SSL) are open.
  4. For more information on upgrading Argent Commander, please see the following KBI:
    KBI 311705 Enhancement: Argent Commander Now With TLS 1.2 Support
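
To confirm from the Argent Commander server that the two ports in step 3 are reachable and complete a TLS 1.2 handshake, the following added example (not part of the original KBI) can be used. It assumes Windows PowerShell 5.1; the function name and the Domain Controller name `dc01.example.com` are placeholders.

```powershell
# Added example: check that a Domain Controller port is reachable and
# negotiates TLS 1.2. Certificate validation is left at its default, so an
# untrusted or mismatched certificate is reported as an error.
function Test-Tls12Port {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 5000
    )

    $result = [ordered]@{
        ComputerName = $ComputerName
        Port         = $Port
        Reachable    = $false
        Protocol     = $null
        Error        = $null
    }

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # Step 1: plain TCP connect (fails here if a firewall blocks the port).
        if (-not $client.ConnectAsync($ComputerName, $Port).Wait($TimeoutMs)) {
            throw "TCP connect timed out after $TimeoutMs ms"
        }
        $result.Reachable = $true

        # Step 2: TLS handshake restricted to TLS 1.2 only.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($ComputerName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $result.Protocol = $ssl.SslProtocol
        $ssl.Dispose()
    }
    catch   { $result.Error = $_.Exception.GetBaseException().Message }
    finally { $client.Dispose() }

    [pscustomobject]$result
}

# 636 = LDAP over SSL, 3269 = Global Catalog over SSL (from step 3 above).
636, 3269 | ForEach-Object {
    Test-Tls12Port -ComputerName 'dc01.example.com' -Port $_
} | Format-Table -AutoSize
```

`Reachable = False` points to a blocked port, while `Reachable = True` with an error points to a TLS or certificate problem on the Domain Controller.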

Argent Reports

  1. Upgrade to Argent Reports 1901-A and above if you are using an earlier version.
  2. The updated Argent Reports inherits the ODBC driver setting from Argent AT; therefore, it is important to ensure that Argent AT is working correctly with the TLS 1.2 ODBC driver before upgrading Argent Reports.
  3. For more information please see the following KBI:
    KBI 311720 Enhancement: Argent Reports Now With TLS 1.2 Support

Argent Job Scheduler

  1. Argent Job Scheduler uses its own ODBC settings to connect to the backend database.
  2. After installing the compatible drivers and testing the connectivity, proceed to change the ODBC Data Source Name in Argent Job Scheduler.
  3. For more information please see the following KBI:
    KBI 311692 ODBC Connection Failure After Enabling TLS v1.2 And Disabling TLS v1.0
    Note: Customers should test this change on a UAT or Test environment before proceeding.

    If a customer does not have a test environment, please contact an Argent Account Manager.