To ensure the secure use of ZENworks, from the ZENworks 2020 Update 2 release onwards ZENworks supports only the latest version of TLS (TLSv1.2).
For a new installation: Only TLSv1.2 is supported by default. Hence, you need to ensure that the devices in the zone support TLSv1.2. To enable support on the devices, see Securing Managed Devices.
For an upgraded zone: Because there might be older devices in the zone that do not support TLSv1.2, the previously supported protocols are retained. After the devices have been upgraded to the latest version of Windows, the administrator can disable the previously supported protocols by using the relevant configure actions. As a best practice, first disable the older protocols on the devices, then on the Satellite Servers, and finally on the Primary Servers; this order ensures that communication between the devices and the servers is not broken. To enable TLSv1.2 support on older devices, either upgrade the device to the latest OS version, or apply the required hot fixes and configure the required registry keys.
To identify the supported protocols in the zone, perform the following steps:
Run the following query in the database:
select * from zopaquedata where name='zenps.allowed.tlsversions';
(Conditional) If the TLSv1.2 entry is present in the database, locate the server.xml file on the Primary Servers and confirm that the file includes the value sslEnabledProtocols="TLSv1.2". The file is located in:
On Windows Primary Servers: %ZENSERVER_HOME%\services\zenserver\conf
On Linux Primary Servers: /opt/microfocus/zenworks/share/tomcat/conf
If the query does not return any value, the zone supports the traditional set of protocols (TLSv1, TLSv1.1, TLSv1.2, SSLv2Hello), and any new Primary Server installed in the zone will support the same protocols.
To secure the communication between Windows devices and the ZENworks Primary Servers, you need to enable support for TLSv1.2 on the Windows devices:
To enable support for the TLSv1.2 protocol on Windows 7 SP1 devices:
Apply the Microsoft Hotfix based on the system architecture.
Install the Microsoft Dot Net version 4.7+.
Add the following registry keys to force the agent to communicate over TLSv1.2.
For 32-bit devices:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
For 64-bit devices:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
NOTE: With these registry key changes, the operating system will communicate only over TLSv1.2 and will refuse the older protocols. Applications that do not use TLSv1.2 for communication might therefore stop working properly.
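The registry values above are the documented settings. To confirm that a device actually carries them, for example on a file produced with reg export, here is an added Python check; it is not part of the ZENworks documentation or product. It parses a .reg export, normalizes key and value names (the registry is case-insensitive), and reports every required value that is absent or set to the wrong data for the given architecture. The function names and the sample export are constructed for this example.

```python
import re

# Required keys and values as documented for Windows 7 SP1 devices.
DOTNET_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319",
]
WOW64_KEYS = [  # only required on 64-bit devices
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319",
]
SCHANNEL_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                r"\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client")


def required_values(is_64bit):
    """Map of registry key -> {value name: expected DWORD} for this architecture."""
    req = {}
    for key in DOTNET_KEYS + (WOW64_KEYS if is_64bit else []):
        req[key] = {"SystemDefaultTlsVersions": 1, "SchUseStrongCrypto": 1}
    req[SCHANNEL_KEY] = {"DisabledByDefault": 0, "Enabled": 1}
    return req


def parse_reg(text):
    """Parse .reg export text into {key(lowercased): {name(lowercased): int}}.

    Only dword values are collected; other value types are ignored. Real exports
    are UTF-16 files, so read them with encoding="utf-16" before calling this.
    """
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and current is not None:
            result[current][m.group(1).lower()] = int(m.group(2), 16)
    return result


def missing_tls12_settings(reg_text, is_64bit):
    """Return 'key\\name (expected X, found Y)' for every required value that is wrong or absent."""
    have = parse_reg(reg_text)
    problems = []
    for key, values in required_values(is_64bit).items():
        for name, want in values.items():
            got = have.get(key.lower(), {}).get(name.lower())
            if got != want:
                problems.append(f"{key}\\{name} (expected {want}, found {got})")
    return problems


# Constructed sample export: the .NET keys are correct, but TLS 1.2 is still disabled in SCHANNEL.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000000
"""

if __name__ == "__main__":
    for problem in missing_tls12_settings(SAMPLE_REG, is_64bit=True):
        print(problem)
```

On a 32-bit device the sample yields a single finding (the SCHANNEL Enabled value); on a 64-bit device the two missing WOW6432Node keys add four more.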
To enable TLSv1.2 on Windows 8 or higher devices, you need to install Microsoft .NET version 4.7+.
To ensure that only TLSv1.2 is supported on Satellite Servers, perform the following steps:
On Windows: In the registry under HKLM\Software\Novell\ZCM, create a key named ZenJettyServer.ExcludedProtocols and specify the values as TLSv1, TLSv1.1. After creating the registry key, stop the Novell ZENworks Jetty Server service, run the zac ref command, and then restart the service.
On Linux: In the xplatzmd.properties file, add ExcludedProtocols=TLSv1,TLSv1.1 and restart the agent service.
NOTE: Specify the value as TLSv1, not TLSv1.0; otherwise it might not work on Linux or with Java-based programs.
To drop support for older SSL/TLS protocols, you need to run two configure actions. They persist the setting in the database, so any new Primary Server added to the zone inherits it. To enable TLSv1.2 as the default protocol for upgraded ZENworks 2020 Update 2 Primary Servers, perform the following steps:
Run the SetTLSVersionConfigureAction configure action on any one Primary Server in the zone. For example, microfocus-zenworks-configure -c SetTLSVersionConfigureAction.
Run the UpdateTLSVersionConfigureAction configure action on all the Primary Servers in the zone. After running the configure action, restart the ZENworks server services. For example, microfocus-zenworks-configure -c UpdateTLSVersionConfigureAction.
This configure action sets the sslEnabledProtocols attribute in server.xml to the value TLSv1.2.
Restart the Microfocus ZENworks Server service on Linux and Windows by running the configure action:
microfocus-zenworks-configure -c Start
After running the command, under Action, select Stop.
The SetTLSVersionConfigureAction updates the database with the TLSv1.2 version, and the UpdateTLSVersionConfigureAction updates the file system. Restart the ZENworks server services after running the configure actions. After the SetTLSVersionConfigureAction has been run on the first Primary Server, any new Primary Server that is added will by default support the protocols supported by the first Primary Server, which in this case is TLSv1.2.
NOTE: The older security protocols TLSv1 and TLSv1.1 can be enabled on Primary Servers only if TLS was upgraded prior to the ZENworks 2020 Update 2 version, or if the older security protocols were enabled on the Primary Server where ZENworks 2020 Update 2 was installed.
To enable the older security protocol on Primary Servers, perform the following steps:
Stop the ZENworks services (ZENmonitor, ZENAdminMgmt, ZENClientMgmt, ZENworksApiGateway and ZENloader).
Open the admin-mgmt server.xml file for the operating system on which the Primary Server is running. The admin-mgmt server.xml file is available in the following location:
Windows: %ZENSERVER_HOME%\services\zenadmin-mgmt\conf
Linux: /etc/opt/microfocus/zenworks/tomcat-conf/zenadmin-mgmt/
To disable the TLSv1.3 protocol, look for the NIO connector section for port 7443 (default port) and comment out the complete connector section:
<Connector port="7443"
    maxHttpHeaderSize="8192"
    maxThreads="200"
    minSpareThreads="25"
    maxSpareThreads="75"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true"
    enableLookups="false"
    disableUploadTimeout="true"
    acceptCount="100"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS"
    keystoreFile="/etc/opt/microfocus/zenworks/security/server.keystore"
    keystorePass="2979e559e89db2fb6e5a17fbb25dd778"
    keyAlias="tomcat"
    maxPostSize="-1"
    ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    sslEnabledProtocols="TLSv1.2,TLSv1.3"
    allowHostHeaderMismatch="true"
    useServerCipherSuitesOrder="true" />
To enable TLSv1 and TLSv1.1, look for the commented-out NIO connector section for port 7443 (default port) and uncomment it:
<!--<Connector port="7443"
    maxHttpHeaderSize="8192"
    maxThreads="200"
    minSpareThreads="25"
    maxSpareThreads="75"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true"
    enableLookups="false"
    disableUploadTimeout="true"
    acceptCount="100"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS"
    keystoreFile="/etc/opt/microfocus/zenworks/security/server.keystore"
    keystorePass="2979e559e89db2fb6e5a17fbb25dd778"
    keyAlias="tomcat"
    maxPostSize="-1"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    allowHostHeaderMismatch="true" />-->
Save the file.
Open the client-mgmt server.xml file for the operating system on which the Primary Server is running. The client-mgmt server.xml file is available in the following location:
Windows: %ZENSERVER_HOME%\services\zenclient-mgmt\conf
Linux: /etc/opt/microfocus/zenworks/tomcat-conf/zenclient-mgmt/
To disable the TLSv1.3 protocol, look for the NIO connector sections for port 443 (default port) and port 2645.
For the ZENworks API Gateway, the 443 port is changed to 7491:
<Connector SSLEnabled="true"
    acceptCount="1000"
    allowHostHeaderMismatch="true"
    ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
    clientAuth="false"
    connectionTimeout="60000"
    disableUploadTimeout="true"
    enableLookups="false"
    keyAlias="tomcat"
    keystoreFile="/etc/opt/microfocus/zenworks/security/server.keystore"
    keystorePass="2979e559e89db2fb6e5a17fbb25dd778"
    maxHttpHeaderSize="16384"
    maxPostSize="-1"
    maxSpareThreads="75"
    maxThreads="1000"
    minSpareThreads="25"
    port="7491"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    relaxedPathChars="[]|{}^\`&quot;&lt;&gt;"
    relaxedQueryChars="[]|{}^\`&quot;&lt;&gt;"
    scheme="https"
    secure="true"
    sslEnabledProtocols="TLSv1.2,TLSv1.3,SSLv2Hello"
    sslProtocol="TLS"
    useServerCipherSuitesOrder="true"/>

<Connector SSLEnabled="true"
    acceptCount="100"
    allowHostHeaderMismatch="true"
    ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
    clientAuth="false"
    disableUploadTimeout="true"
    enableLookups="false"
    keyAlias="tomcat"
    keystoreFile="/etc/opt/microfocus/zenworks/security/server.keystore"
    keystorePass="2979e559e89db2fb6e5a17fbb25dd778"
    maxHttpHeaderSize="16384"
    maxPostSize="-1"
    maxSpareThreads="75"
    maxThreads="100"
    minSpareThreads="25"
    port="2645"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    relaxedPathChars="[]|{}^\`&quot;&lt;&gt;"
    relaxedQueryChars="[]|{}^\`&quot;&lt;&gt;"
    scheme="https"
    secure="true"
    sslEnabledProtocols="TLSv1.2,TLSv1.3,SSLv2Hello"
    sslProtocol="TLS"
    useServerCipherSuitesOrder="true"/>
Comment out both NIO connector sections.
To enable TLSv1 and TLSv1.1, look for the commented-out NIO connector sections for port 443 (default port) and port 2645 that have sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello", and uncomment both NIO connector sections.
After uncommenting, change the port from 443 (default port) to the new port 7491 for the ZENworks API Gateway.
Save the file.
Open the API Gateway application.properties file. The file is available in the following location:
Windows: %ZENSERVER_HOME%\services\zen-api-gateway\conf
Linux: /etc/opt/microfocus/zenworks/zen-api-gateway
Update the server.ssl.enabled-protocols property with the required TLS version.
Example: To enable TLSv1.1, add it to the comma-separated list of enabled protocols:
server.ssl.enabled-protocols=TLSv1.2,TLSv1.3,SSLv2Hello,TLSv1.1
Start the ZENworks services again.
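The procedure above edits two kinds of files by hand: Tomcat server.xml (admin-mgmt and client-mgmt) and the API Gateway application.properties. As an added example, not part of the ZENworks documentation or product, the following Python script audits those files after the edit: it lists every Connector in a server.xml with its sslEnabledProtocols, tells live connectors from commented-out ones, flags SSLv3, TLSv1 and TLSv1.1 on live connectors, and reads server.ssl.enabled-protocols from application.properties. It also performs the server.xml check from the "identify the supported protocols" steps at the top of this page. SSLv2Hello is deliberately not flagged: it only allows an SSLv2-format ClientHello and appears in the page's own default connectors. The function names and the sample files are constructed for this example.

```python
import re

# Protocol versions the page removes; TLSv1.2 (and TLSv1.3) is the target.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

_ATTR = re.compile(r'([\w.:-]+)="([^"]*)"')


def parse_connectors(server_xml):
    """One dict per <Connector .../> in a Tomcat server.xml: port, enabled
    protocols, and whether the connector is live or inside an XML comment."""
    comments = [(m.start(), m.end()) for m in re.finditer(r"<!--.*?-->", server_xml, re.S)]
    connectors = []
    for m in re.finditer(r"<Connector\b(.*?)/>", server_xml, re.S):
        attrs = dict(_ATTR.findall(m.group(1)))
        protos = [p.strip() for p in attrs.get("sslEnabledProtocols", "").split(",") if p.strip()]
        active = not any(start <= m.start() < end for start, end in comments)
        connectors.append({"port": attrs.get("port"), "protocols": protos, "active": active})
    return connectors


def legacy_findings(server_xml):
    """'port N: protocols' for every live TLS connector that still accepts a legacy version."""
    findings = []
    for c in parse_connectors(server_xml):
        if not c["active"] or not c["protocols"]:
            continue  # commented out, or a plain-HTTP connector without TLS settings
        bad = sorted(set(c["protocols"]) & LEGACY_PROTOCOLS)
        if bad:
            findings.append(f"port {c['port']}: {', '.join(bad)}")
    return findings


def gateway_protocols(properties_text):
    """The server.ssl.enabled-protocols list from the API Gateway application.properties."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("server.ssl.enabled-protocols="):
            return [p.strip() for p in line.split("=", 1)[1].split(",") if p.strip()]
    return []


def tls12_only(server_xml, properties_text):
    """True when no live connector and no gateway setting still accepts a legacy version."""
    gateway_legacy = set(gateway_protocols(properties_text)) & LEGACY_PROTOCOLS
    return not legacy_findings(server_xml) and not gateway_legacy


# Constructed sample: a hardened 7443 connector, its commented-out legacy twin, and a 2645 connector.
SAMPLE_SERVER_XML = """<Service name="Catalina">
  <Connector port="7443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.2,TLSv1.3" useServerCipherSuitesOrder="true" />
  <!--<Connector port="7443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />-->
  <Connector port="2645" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.2,TLSv1.3,SSLv2Hello" />
</Service>
"""

# Constructed application.properties fragments: one with TLSv1.1 added, one without.
WEAK_PROPERTIES = "server.port=7491\nserver.ssl.enabled-protocols=TLSv1.2,TLSv1.3,SSLv2Hello,TLSv1.1\n"
HARDENED_PROPERTIES = "server.port=7491\nserver.ssl.enabled-protocols=TLSv1.2,TLSv1.3,SSLv2Hello\n"

if __name__ == "__main__":
    for c in parse_connectors(SAMPLE_SERVER_XML):
        state = "live" if c["active"] else "commented out"
        print(f"port {c['port']} ({state}): {','.join(c['protocols']) or 'no TLS settings'}")
    print("legacy findings:", legacy_findings(SAMPLE_SERVER_XML) or "none")
    print("TLSv1.2 only:", tls12_only(SAMPLE_SERVER_XML, WEAK_PROPERTIES))
```

Run it against each server.xml listed above and the gateway application.properties; a zone is back to the TLSv1.2-only state only when every file reports no findings.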
By default, the protocols SSLv3, TLSv1, and TLSv1.1 are excluded on Satellite Servers and are not supported. Only TLSv1.2 and TLSv1.3 are supported.
To enable TLSv1 and TLSv1.1, perform the following steps:
On Windows: In the registry under HKLM\Software\Novell\ZCM, create a key named ZenJettyServer.ExcludedProtocols and specify the values as SSLv3 so that only SSLv3 will be excluded. After creating the registry key, stop the Novell ZENworks Jetty Server service, run the zac ref command, and then restart the service.
On Linux: In the xplatzmd.properties file, add ExcludedProtocols=SSLv3 so that only SSLv3 will be excluded and restart the agent service.