
Disabling TLS 1.0 results in connectivity issues for Dell Management Consoles on Windows Server 2008 R2 and 2012

Summary: Disabling TLS 1.0, Communication issues after Disabling TLS 1.0, Dell management console and TLS 1.0


Article Content


Symptoms

Some Dell management consoles (e.g., OpenManage Essentials) may experience communication issues with discovered iDRAC 7/8 devices after their firmware is upgraded to version 2.40.40.40 or higher, or with CMCs running version 5.21 (M1000e), 2.2 (VRTX), or 1.4 (FX2) and higher.

Because of recently discovered vulnerabilities in the Transport Layer Security (TLS) 1.0 cryptographic protocol, the recommended way to address them is to disable TLS 1.0 and enable TLS 1.1 and 1.2. Beginning with iDRAC firmware version 2.40.40.40, TLS 1.0 is disabled by default. CMC firmware beginning with version 5.21 for the M1000e, 2.2 for the VRTX, and 1.4 for the FX2 has only TLS 1.2 enabled. With this change, you must ensure that your operating systems, remote devices, and web browsers fully support TLS 1.1 and 1.2; otherwise communication issues can occur with Dell devices and within the following Dell management consoles:

  • OpenManage Essentials (OME)
  • Dell LifeCycle Controller Integration (DLCI) for SCCM
  • Dell Server Management Pack (DSMP) for SCOM
  • Dell LifeCycle Controller Integration (DLCI) for SCVMM
  • iDRAC Web GUI
  • RACADM CLI
  • Any other client that utilizes secure communication protocols (SSL, WSMAN, etc.)
Note: For more information on this vulnerability, refer to the Department of Homeland Security Vulnerability Notes Database article "VU#864643 - SSL 3.0 and TLS 1.0 allow chosen plaintext attack in CBC modes".

Resolution

Table of Contents:

  1. Verifying Device TLS Support
  2. Preparation for Enabling TLS 1.1/1.2
  3. iDRAC and Supporting Tools TLS Support
  4. Modifying TLS setting on iDRAC and CMC

Verifying Device TLS Support

Most currently released browsers and operating systems already support TLS 1.1 and 1.2 and ship with them enabled by default. However, some older Windows operating systems and Internet Explorer versions either do not support TLS 1.1 and 1.2, or support them but do not have them enabled by default.


Verifying your Operating Systems

Refer to Table 1 to help you identify which Windows operating systems will be affected by this change:

Operating System                  TLS 1.0     TLS 1.1                          TLS 1.2
Windows Vista                     Supported   Not Supported                    Not Supported
Windows Server 2008               Supported   Not Supported                    Not Supported
Windows 7                         Supported   Supported, disabled by default   Supported, disabled by default
Windows Server 2008 R2            Supported   Supported, disabled by default   Supported, disabled by default
Windows Server 2012               Supported   Supported, disabled by default   Supported, disabled by default
Windows 8.1 and Newer             Supported   Supported                        Supported
Windows Server 2012 R2 and Newer  Supported   Supported                        Supported
Table 1: Operating System Support Matrix

Note: For more information on the TLS protocols, refer to the Wikipedia article "Transport Layer Security".


Verifying your Internet Explorer and TLS 1.1 and 1.2 Support

Internet Explorer 8 is no longer supported by Microsoft as of January 12, 2016.
Systems running IE 9 and 10 will need to have TLS 1.1 and/or TLS 1.2 enabled before being able to negotiate at these newer security protocol versions.
Internet Explorer 11 and higher have TLS 1.1 and 1.2 enabled by default.

 
Note: For more information on Internet Explorer support boundaries, refer to the Microsoft Internet Explorer Support Matrix.
 

Verifying your iDRAC/CMC and TLS 1.1 and 1.2 Support

Supported TLS protocols can differ between iDRAC and CMC firmware versions. Use Table 2 below to identify which iDRACs and/or CMCs in your environment will require an upgrade to support TLS 1.1 and 1.2.
 
Firmware Version                     TLS 1.0    TLS 1.1        TLS 1.2
iDRAC 6 Modular < 3.65               Supported  Not Supported  Not Supported
iDRAC 6 Modular 3.75+                Supported  Supported      Supported
iDRAC 6 < 1.98                       Supported  Not Supported  Not Supported
iDRAC 6 1.99+                        Supported  Supported      Supported
iDRAC 7 < 1.66.65                    Supported  Not Supported  Not Supported
iDRAC 7/8 2.10.10.10 to 2.30.30.30   Supported  Supported      Supported
iDRAC 7/8 2.40.40.40+                Disabled   Supported      Supported
CMC M1000e 5.2+                      Disabled   Disabled       Supported
CMC VRTX 2.2+                        Disabled   Disabled       Supported
CMC FX2 1.4+                         Disabled   Disabled       Supported
Table 2: iDRAC and CMC TLS Support Matrix

Dell recommends updating your iDRACs and/or CMCs to the latest firmware to take advantage of the latest features and updates. If your iDRAC or CMC has been identified as NOT supporting TLS 1.1 and 1.2, visit the Dell Support Site to download the latest firmware release.
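Table 2 tells you what a given firmware version should accept, but a controller's actual behaviour can be checked from the management server by attempting a handshake at each TLS version. The following PowerShell probe is an added example and not part of the Dell article; it uses the .NET SslStream class, needs .NET 4.5 or later on the probing host for the Tls11 and Tls12 enum values, assumes the controller's HTTPS service is on TCP 443, and the host name idrac-example.lab.local is a placeholder.

```powershell
# Added example (not from the Dell article): attempt a TLS handshake against a
# management controller at one specific protocol version and report whether it
# was accepted. Run once per version to build the same picture as Table 2 for a
# real device. Assumes port 443 and .NET 4.5+ on the probing host.

function Test-TlsVersion {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [System.Security.Authentication.SslProtocols] $Protocol,
        [int] $Port = 443
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        $stream = $client.GetStream()

        # Certificate validation is skipped on purpose: the question here is only
        # whether the handshake at this protocol version succeeds, and iDRAC/CMC
        # units commonly run with self-signed certificates. Do not reuse this
        # callback in code that carries real traffic.
        $callback = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback

        # Offer exactly one protocol version so the result is unambiguous.
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        $negotiated = $ssl.SslProtocol
        $ssl.Dispose()

        [pscustomobject]@{
            Host       = $ComputerName
            Requested  = $Protocol
            Negotiated = $negotiated
            Result     = 'Accepted'
        }
    } catch {
        # A controller that has the version disabled (Table 2: "Disabled")
        # aborts the handshake; the error text says so.
        [pscustomobject]@{
            Host       = $ComputerName
            Requested  = $Protocol
            Negotiated = $null
            Result     = "Rejected: $($_.Exception.GetBaseException().Message)"
        }
    } finally {
        $client.Close()
    }
}

# Usage: probe one controller at TLS 1.0, 1.1 and 1.2 in turn.
# 'idrac-example.lab.local' is a placeholder host name, not a real device.
foreach ($version in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsVersion -ComputerName 'idrac-example.lab.local' -Protocol $version
}
```

For an iDRAC 7/8 at 2.40.40.40 or higher the expected pattern is Rejected for Tls and Accepted for Tls11 and Tls12; for a CMC at the versions listed in Table 2, only Tls12 should be accepted. If Tls11 or Tls12 is rejected with an error about the protocol not being supported locally, the probing host itself is the problem and needs the preparation steps in the next section before it can talk to the controller.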




Preparation for Enabling TLS 1.1/1.2

Use the methods below to ensure that your device fully supports TLS 1.1 and 1.2 before disabling TLS 1.0. Failure to do so can cause Dell management consoles such as OpenManage Essentials or DLCI for System Center Configuration Manager to lose the ability to communicate with remote devices that use the TLS secure protocol.

Windows Server


Windows Vista and Server 2008

Windows operating systems that do not support TLS 1.1 or 1.2 must be upgraded to a newer version before they can use these cryptographic protocols.


Windows 7, Server 2008 R2, and 2012

These Windows operating systems support TLS 1.1 and 1.2, but both are disabled by default.

Proceed to the Microsoft Knowledge Base article "Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows" and follow the instructions provided to acquire the supported patch and registry changes.

Important: The Microsoft hotfix must be applied together with the required registry changes, or the undesired iDRAC state (e.g., Unknown) in the console will persist. Once the registry changes are made you must reboot the server.

Windows 8.1 and Server 2012 R2

No changes are needed. TLS 1.1 and 1.2 are already supported and enabled by default.
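Before disabling TLS 1.0 on the controllers, it is worth confirming that a Windows 7, Server 2008 R2 or Server 2012 management server is actually ready rather than assuming the hotfix and registry edits took effect. The PowerShell script below is an added example and is not part of the Dell article or of Microsoft's KB; it reads the SCHANNEL client protocol keys and the WinHTTP DefaultSecureProtocols value that KB3140245 describes and reports the effective state of each protocol. The registry paths, the per-OS defaults (taken from Table 1) and the DefaultSecureProtocols bit values are this editor's reading of KB3140245 and should be checked against the KB; the script only reads the registry and changes nothing.

```powershell
# Added example (not from the Dell article or Microsoft): report whether this
# Windows 7 / Server 2008 R2 / Server 2012 host has TLS 1.1 and 1.2 enabled for
# the SCHANNEL client stack and for WinHTTP, which is what the KB3140245 hotfix
# plus its registry changes are meant to achieve. Run before and after the
# hotfix and reboot. Read-only: nothing is written.

$schannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$winHttpKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
# DefaultSecureProtocols bit values as documented in KB3140245 (editor's reading;
# verify against the KB): TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800.
$tlsBits = @{ 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }
# What SCHANNEL does when DisabledByDefault is absent, per Table 1 for these OS versions.
$offByDefault = @{ 'TLS 1.0' = $false; 'TLS 1.1' = $true; 'TLS 1.2' = $true }

function Get-RegValue {
    param([string] $Path, [string] $Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SchannelClientState {
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $path              = Join-Path -Path $schannelRoot -ChildPath "$proto\Client"
        $enabled           = Get-RegValue -Path $path -Name 'Enabled'
        $disabledByDefault = Get-RegValue -Path $path -Name 'DisabledByDefault'

        # Enabled=0 switches the version off outright; otherwise DisabledByDefault
        # decides, falling back to the OS default when the value is absent.
        $state = if ($enabled -eq 0) { 'disabled (Enabled=0)' }
                 elseif ($null -eq $disabledByDefault) {
                     if ($offByDefault[$proto]) { 'disabled (OS default)' } else { 'enabled (OS default)' }
                 }
                 elseif ($disabledByDefault -eq 0) { 'enabled' }
                 else { 'disabled (DisabledByDefault=1)' }

        [pscustomobject]@{
            Protocol          = $proto
            KeyPresent        = (Test-Path -Path $path)
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
            EffectiveState    = $state
        }
    }
}

function Get-WinHttpState {
    foreach ($key in $winHttpKeys) {
        $value = Get-RegValue -Path $key -Name 'DefaultSecureProtocols'
        $enabled = if ($null -eq $value) {
            'not set (WinHTTP uses the OS default, which does not include TLS 1.1/1.2 on these versions)'
        } else {
            ($tlsBits.Keys | Where-Object { ($value -band $tlsBits[$_]) -ne 0 } | Sort-Object) -join ', '
        }
        [pscustomobject]@{
            Key                    = $key
            DefaultSecureProtocols = if ($null -ne $value) { '0x{0:X}' -f $value } else { $null }
            ProtocolsEnabled       = $enabled
        }
    }
}

Write-Host 'SCHANNEL client protocols:'
Get-SchannelClientState | Format-Table -AutoSize
Write-Host 'WinHTTP DefaultSecureProtocols:'
Get-WinHttpState | Format-List
```

A host that is ready to talk to a controller with TLS 1.0 disabled shows TLS 1.1 and TLS 1.2 as enabled in the SCHANNEL table and lists them under ProtocolsEnabled for both WinHttp keys (the Wow6432Node key matters for 32-bit management tools on a 64-bit OS). Seeing the values present but the iDRAC still reported as Unknown usually means the reboot required after the registry change has not happened yet.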


Internet Explorer


Internet Explorer 9 and 10

For systems running IE 9 or 10, perform the following to enable TLS 1.1 and/or TLS 1.2:

  1. Open the Internet Properties control panel (inetcpl.cpl).
  2. Click the Advanced tab.
  3. Under the Settings section, select the Use TLS 1.1 and Use TLS 1.2 check boxes (Figure 1).

    Figure 1: Security section of Internet Properties

    Note: These changes can also be deployed using Group Policies.
    For more information, refer to the Microsoft TechNet article "Managing Browser Settings with Group Policy Tools".

Internet Explorer 11 and newer

For systems running Internet Explorer 11 or newer, no changes are needed since TLS 1.1 and 1.2 are fully supported and enabled by default.





iDRAC and Supporting Tools TLS Support

If you are running iDRAC 7/8 firmware version 2.40.40.40 or higher, or CMC firmware 5.2+ (M1000e), 2.2+ (VRTX), or 1.4+ (FX2), you must perform the following steps to ensure that your iDRAC/CMC and its supporting tools can communicate properly.

iDRAC Web GUI and RACADM

iDRAC Web GUI and RACADM use the same API that is used in Internet Explorer to securely connect. Use the procedure outlined in the "Preparation for Enabling TLS 1.1/1.2" section of this article to ensure you can connect to the iDRAC after disabling TLS 1.0.


RACADM with System Accounts

If RACADM is run under system-based service accounts (non-local users), some additional registry keys need to be added for TLS 1.1 and 1.2 to function properly. See the "More information" section of the following Microsoft Knowledge Base article: https://support.microsoft.com/en-us/kb/3140245 (applies to Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2012).

Note: Some systems may require you to follow the instructions in Microsoft Article 2977292, "Microsoft security advisory: Update for Microsoft EAP implementation that enables the use of TLS: October 14, 2014", before TLS 1.1 and 1.2 are fully enabled.



Modifying TLS setting on iDRAC and CMC

Important: Dell does not recommend enabling TLS 1.0 because of the recently discovered vulnerabilities in this cryptographic protocol. However, if your environment requires TLS 1.0, it can be enabled from the RACADM command line (CLI). Visit the Dell Support Site to download the latest Dell OpenManage DRAC Tools, which include RACADM.

Modifying TLS setting on iDRAC 6 firmware 2.90 (Monolithic) or 3.85 (Modular) and higher

Use the following local RACADM command to modify the TLS setting on an iDRAC 6 running firmware 2.90 (Monolithic) or 3.85 (Modular) and higher:

racadm tlsEncryptionStrength set 1 --webserverrestart

Note: The --webserverrestart parameter is optional.

For remote iDRACs, use the following remote RACADM command:

racadm -r (IP_or_FQDN_iDRAC) -u (username) -p (password) tlsEncryptionStrength set 1 --webserverrestart

0 = TLS 1.0 and higher
1 = TLS 1.1 and higher


Modifying TLS setting on iDRAC 7/8 firmware 2.40.40.40 and higher

Use the following local RACADM command to modify the TLS setting on an iDRAC 7/8 running firmware 2.40.40.40 and higher:

racadm set iDrac.WebServer.TlsProtocol 1

For remote iDRACs, use the following remote RACADM command:

racadm -r (IP_or_FQDN_iDRAC) -u (username) -p (password) set iDrac.WebServer.TlsProtocol 1

0 = TLS 1.0 and higher
1 = TLS 1.1 and higher
2 = TLS 1.2 only


Modifying TLS setting on CMC firmware 5.2 (M1000e), 2.2 (VRTX), 1.4 (FX2) and higher

Use the following local RACADM command to modify the TLS setting on a CMC running firmware 5.2 (M1000e), 2.2 (VRTX), 1.4 (FX2) and higher:

racadm config -g cfgRacTuning -o cfgRacTuneTLSProtocolVersionEnable 1

For remote CMCs, use the following remote RACADM command:

racadm -r (IP_or_FQDN_iDRAC) -u (username) -p (password) config -g cfgRacTuning -o cfgRacTuneTLSProtocolVersionEnable 1

0 = TLS 1.0 and higher
1 = TLS 1.1 and higher
2 = TLS 1.2 only
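The three RACADM command forms above differ only in the controller generation they target and in the values they accept (iDRAC 6 takes 0 or 1; iDRAC 7/8 and CMC take 0, 1 or 2). When the same setting has to be applied across a fleet, a small wrapper that dispatches by controller type is safer than editing the command by hand for every device. The following PowerShell function is an added example and not Dell's code: it builds exactly the remote commands shown in this section, rejects level 2 on iDRAC 6, takes the account from a credential prompt instead of a password typed on the command line, and has a -DryRun switch that prints the masked commands instead of running them. It assumes racadm.exe is on PATH; the host names in the inventory are placeholders.

```powershell
# Added example (not Dell's code): apply the TLS setting from this section to a
# list of iDRAC 6, iDRAC 7/8 and CMC controllers. Assumes racadm.exe (from the
# OpenManage DRAC Tools) is on PATH. Host names below are placeholders.

function Set-DellTlsProtocol {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [ValidateSet('iDRAC6', 'iDRAC7-8', 'CMC')] [string] $Type,
        [Parameter(Mandatory)] [ValidateRange(0, 2)] [int] $Level,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [switch] $DryRun
    )

    # iDRAC 6 only knows 0 (TLS 1.0 and higher) and 1 (TLS 1.1 and higher).
    if ($Type -eq 'iDRAC6' -and $Level -eq 2) {
        throw "iDRAC 6 accepts only level 0 or 1; level 2 (TLS 1.2 only) is not available on $ComputerName"
    }

    # The command tail for each controller generation, copied from this section.
    $tail = switch ($Type) {
        'iDRAC6'   { @('tlsEncryptionStrength', 'set', "$Level", '--webserverrestart') }
        'iDRAC7-8' { @('set', 'iDrac.WebServer.TlsProtocol', "$Level") }
        'CMC'      { @('config', '-g', 'cfgRacTuning', '-o', 'cfgRacTuneTLSProtocolVersionEnable', "$Level") }
    }

    $password   = $Credential.GetNetworkCredential().Password
    $racadmArgs = @('-r', $ComputerName, '-u', $Credential.UserName, '-p', $password) + $tail

    if ($DryRun) {
        # Echo the command with the password masked so it can be reviewed or logged.
        $shown = $racadmArgs | ForEach-Object { if ($_ -eq $password) { '********' } else { $_ } }
        return "racadm $($shown -join ' ')"
    }

    # Note: as with the commands above, the password is visible in the racadm
    # process's command line while it runs; prefer local RACADM on the host
    # where that matters.
    & racadm @racadmArgs
}

# Usage: dry-run the change for a constructed two-device inventory.
$cred = Get-Credential -Message 'Controller account'
$inventory = @(
    @{ ComputerName = 'idrac-example-1.lab.local'; Type = 'iDRAC7-8'; Level = 1 },
    @{ ComputerName = 'cmc-example-1.lab.local';   Type = 'CMC';      Level = 2 },
    @{ ComputerName = 'idrac6-example-1.lab.local'; Type = 'iDRAC6';  Level = 1 }
)
foreach ($device in $inventory) {
    Set-DellTlsProtocol @device -Credential $cred -DryRun
}
```

Run with -DryRun first and compare the printed commands against the forms in this section; drop the switch to apply them. Setting level 0 on any controller re-enables TLS 1.0, which is the configuration Dell advises against above, so the inventory should normally carry 1 or 2 only.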




Article Properties


Affected Product
Dell Lifecycle Controller Integration for System Center Virtual Machine Manager Version 1.2, Microsoft Windows 2008 Server R2, Microsoft Windows 2012 Server, PowerEdge C4130, PowerEdge C6220 II, PowerEdge c6300, PowerEdge c6320, Poweredge FC430 , Poweredge FC630, Poweredge FC830, PowerEdge M620, PowerEdge M630, PowerEdge M630 (for PE VRTX), PowerEdge M820, PowerEdge M820 (for PE VRTX), PowerEdge M830, PowerEdge M830 (for PE VRTX), PowerEdge R230, PowerEdge R330, PowerEdge R430, PowerEdge R530, PowerEdge R530xd, PowerEdge R620, PowerEdge R630, PowerEdge R720, PowerEdge R720XD, PowerEdge R730, PowerEdge R730xd, PowerEdge R830, PowerEdge R920, PowerEdge R930, PowerEdge T130, PowerEdge T320, PowerEdge T330, PowerEdge T420, PowerEdge T430, PowerEdge T620, PowerEdge T630 ...
Last Published Date

21 Feb 2021

Version

3

Article Type

Solution