
Pre-boot Authentication fails when using Dell Data Protection Enterprise Edition

Summary: This article provides the workaround that allows Dell Data Protection | Self-Encrypting Drive (SED) and Dell Data Protection | Hardware Crypto-Accelerator clients to communicate with the Enterprise Server when the client is configured to communicate using the SSL protocol. ...


Article Content


Symptoms

Affected Products:

  • Dell Data Protection | Enterprise Edition
  • Dell Data Protection | Virtual Edition
  • Dell Data Protection | Self-Encrypting Drives
  • Dell Data Protection | Hardware Crypto-Accelerator

Cause

Dell Data Protection | Enterprise Server version 8.5.1 is configured to communicate using TLS only, to protect communications against CVE-2014-3566, known as Padding Oracle On Downgraded Legacy Encryption (POODLE). POODLE is a design flaw in the SSL 3.0 protocol itself (CBC padding is not covered by the MAC), so it affects every SSL 3.0 implementation, OpenSSL included, and the only real fix is to stop speaking SSL 3.0. However, Dell Data Protection | Self-Encrypting Drive and Dell Data Protection | Hardware Crypto-Accelerator clients at version 8.5 and earlier communicate with the Dell Data Protection | Enterprise Server using SSL. As a result, when Enterprise Server version 8.5.1 is running, Dell Data Protection | Self-Encrypting Drive or Dell Data Protection | Hardware Crypto-Accelerator clients at version 8.5 and earlier with Pre-boot Authentication (PBA) activated fail to communicate with Enterprise Server.

Resolution

Enterprise Server can be configured to accept SSL connections again, as a temporary measure, in environments where the operational impact of PBA clients being unable to communicate with Enterprise Server version 8.5.1 outweighs the risks associated with SSL 3.0 (an attacker positioned between client and server can use POODLE to recover plaintext from the session). Treat this as a stopgap until the clients are upgraded, and revert it afterwards.

This workaround must be implemented within the endpoints' Device Lease Period. While a PBA client cannot communicate with Enterprise Server version 8.5.1, the following functionality is unavailable:

  • New user login
  • PBA lock
  • PBA unlocks
  • Remove users
  • Bypass login
  • Wipe command

With client version 8.16 and later, PBA clients communicate with the Enterprise Server using TLS 1.2 rather than SSL, TLS 1.0, or TLS 1.1, so this workaround is not needed once the clients are upgraded and should be reverted at that point.

To temporarily enable down-negotiation from TLS to SSL on Enterprise Server, follow these instructions:

  1. On the Security Server, open <Security Server install path>\conf\spring-jetty.xml.
  2. In spring-jetty.xml, comment out the excludeProtocols property:
<!--
<property name="excludeProtocols" value="SSL,SSLv2,SSLv3" />
-->
Note: Dell Technologies recommends commenting out the excludeProtocols property rather than removing it, so that down-negotiation can later be disabled. To disable down-negotiation again, remove the comment markers (<!-- and -->) from around the excludeProtocols property and restart the services.
  3. Save and exit.
  4. Restart the Security Server services.

If a Front End Server is used, follow these instructions:

  1. On the Front End Server, open <Security Server Proxy install path>\conf\spring-jetty.xml and comment out the excludeProtocols property:
<!--
<property name="excludeProtocols" value="SSL,SSLv2,SSLv3" />
-->
Note: Dell Technologies recommends commenting out the excludeProtocols property rather than removing it, so that down-negotiation can later be disabled. To disable down-negotiation again, remove the comment markers (<!-- and -->) from around the excludeProtocols property and restart the Front End Server.
  2. Save and exit.
  3. Restart the Front End Server.

To temporarily enable down-negotiation from TLS to SSL on Virtual Server, follow these instructions:

  1. Log in to the administration console using the user account.
Note: Default credentials (if these defaults are still in use, change them once the workaround is complete):
  • For server versions 9.10.1 and earlier:
    • User: ddpuser
    • Password: ddpuser
  • For server versions 9.11 and later:
    • User: delluser
    • Password: delluser
  2. Arrow down to Launch Shell and press Enter, then switch to the support account by running su <username>.
Note: Default credentials:
  • For server versions 9.10.1 and earlier:
    • User: ddpsupport
    • Password: ddpsupport
  • For server versions 9.11 and later:
    • User: dellsupport
    • Password: dellsupport
  3. Edit spring-jetty.xml by running the following command:
sudo vi /opt/dell/server/security/conf/spring-jetty.xml
  4. Press i to enter INSERT mode, then locate the following line and comment it out by wrapping it in <!-- and -->:
<property name="excludeProtocols" value="SSL,SSLv2,SSLv3" />

Figure 1: (English only) spring-jetty.xml

  5. Press Esc, then type :wq and press Enter to save and quit.
  6. Return to the administration console by running the exit command.
  7. Stop and start the services.

If a Front End Server is used, follow these instructions:

  1. On the Front End Server, open <Security Server Proxy install path>\conf\spring-jetty.xml and comment out the excludeProtocols property:
<!--
<property name="excludeProtocols" value="SSL,SSLv2,SSLv3" />
-->
Note: Dell Technologies recommends commenting out the excludeProtocols property rather than removing it, so that down-negotiation can later be disabled. To disable down-negotiation again, remove the comment markers (<!-- and -->) from around the excludeProtocols property and restart the Front End Server.
  2. Save and exit.
  3. Restart the Front End Server.

Note: Starting with Dell Data Protection | Enterprise Edition Server 9.3, which runs on Java 8, SSLv3 is also disabled by default at the JVM level, so commenting out the Jetty excludeProtocols property is not sufficient on its own: with the Jetty exclusion removed, the protocols the server offers are whatever the JVM still permits. In Dell Data Protection | Enterprise Edition and Dell Data Protection | Virtual Edition, you must also remove the SSLv3 entry from the jdk.tls.disabledAlgorithms line in the JAVA_HOME/lib/security/java.security file:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
The edited line is:
jdk.tls.disabledAlgorithms=RC4, DH keySize < 768
Only SSLv3 is removed; leave the RC4 and DH key-size restrictions in place. Because java.security applies to every application that runs on that JVM, restore the SSLv3 entry as soon as the workaround is no longer required.
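The following script is added here as an example; it is not part of Dell's documentation or product. It applies and reverts the two edits described above (commenting out the Jetty excludeProtocols property, and removing SSLv3 from jdk.tls.disabledAlgorithms in java.security) without hand-editing in vi, reports which state each file is in, and can probe the Security Server port with openssl s_client to confirm which protocol versions it actually accepts after the services are restarted. The spring-jetty.xml path is the one the article gives for Virtual Edition; the java.security path, the function names, the host and port for the probe, and the sample files used in testing are assumptions. It expects GNU sed, grep and openssl to be available.

```shell
#!/bin/sh
# Added example, not Dell's code. Toggles SSL down-negotiation in the Jetty
# spring config and in the Java 8 java.security file, reports current state,
# and probes a listening server for each protocol version.
# JETTY_XML is the path named in the article for Virtual Edition; the
# JAVA_SECURITY default is an assumption and must match the JRE the server uses.
set -eu

JETTY_XML="${JETTY_XML:-/opt/dell/server/security/conf/spring-jetty.xml}"
JAVA_SECURITY="${JAVA_SECURITY:-${JAVA_HOME:-/usr/lib/jvm/default}/lib/security/java.security}"

# Active (uncommented) excludeProtocols property: SSL is refused (secure state).
ACTIVE='^[[:space:]]*<property name="excludeProtocols"[^>]*/>[[:space:]]*$'
# The same property wrapped in <!-- -->, as the article's workaround leaves it.
COMMENTED='^[[:space:]]*<!--[[:space:]]*<property name="excludeProtocols"[^>]*/>[[:space:]]*-->[[:space:]]*$'

# Print excluded / allowed / absent for the Jetty config at $1.
jetty_state() {
    if grep -Eq "$ACTIVE" "$1"; then echo excluded
    elif grep -Eq "$COMMENTED" "$1"; then echo allowed
    else echo absent
    fi
}

# Wrap the active property in an XML comment (enable down-negotiation).
# Writes a temp file and moves it into place rather than relying on sed -i.
jetty_allow_ssl() {
    tmp="$1.tmp.$$"
    sed -E 's|^([[:space:]]*)(<property name="excludeProtocols"[^>]*/>)[[:space:]]*$|\1<!-- \2 -->|' "$1" >"$tmp"
    mv "$tmp" "$1"
}

# Strip the comment markers again (disable down-negotiation).
jetty_exclude_ssl() {
    tmp="$1.tmp.$$"
    sed -E 's|^([[:space:]]*)<!--[[:space:]]*(<property name="excludeProtocols"[^>]*/>)[[:space:]]*-->[[:space:]]*$|\1\2|' "$1" >"$tmp"
    mv "$tmp" "$1"
}

# Print disabled if jdk.tls.disabledAlgorithms lists SSLv3, else enabled.
# Assumes the Java 8 single-line form of the property (no backslash continuation).
java_sslv3_state() {
    if grep -Eq '^jdk\.tls\.disabledAlgorithms=(.*[, ])?SSLv3([, ]|$)' "$1"; then echo disabled; else echo enabled; fi
}

# Remove only the SSLv3 entry, leaving RC4 and the DH key-size limit in place.
java_enable_sslv3() {
    tmp="$1.tmp.$$"
    sed -E -e '/^jdk\.tls\.disabledAlgorithms=/s/SSLv3,[[:space:]]*//' \
           -e '/^jdk\.tls\.disabledAlgorithms=/s/,[[:space:]]*SSLv3[[:space:]]*$//' \
           -e '/^jdk\.tls\.disabledAlgorithms=/s/=SSLv3[[:space:]]*$/=/' "$1" >"$tmp"
    mv "$tmp" "$1"
}

# Put SSLv3 back at the front of the list, but only if it is not already listed.
java_disable_sslv3() {
    if [ "$(java_sslv3_state "$1")" = enabled ]; then
        tmp="$1.tmp.$$"
        sed -E -e 's/^(jdk\.tls\.disabledAlgorithms=)[[:space:]]*(.+)$/\1SSLv3, \2/' \
               -e 's/^(jdk\.tls\.disabledAlgorithms=)[[:space:]]*$/\1SSLv3/' "$1" >"$tmp"
        mv "$tmp" "$1"
    fi
}

# Try one handshake per protocol version against host $1 port $2 and classify
# the result from s_client's "Cipher is" line. OpenSSL builds since 1.1.0 omit
# SSLv3 by default, so -ssl3 may be rejected locally; that is "untestable".
probe_protocols() {
    for opt in -ssl3 -tls1 -tls1_1 -tls1_2; do
        out=$(openssl s_client -connect "$1:$2" "$opt" </dev/null 2>&1 || true)
        case "$out" in
            *nknown*ption*)        r=untestable ;;   # local openssl lacks this version
            *"Cipher is (NONE)"*)  r=refused ;;
            *"Cipher is "*)        r=accepted ;;
            *)                     r=no-answer ;;
        esac
        echo "$opt $r"
    done
}

# Usage: sslv3-toggle.sh allow|exclude|state [spring-jetty.xml] [java.security]
#        sslv3-toggle.sh probe host port
case "${1:-}" in
    allow)   jetty_allow_ssl "${2:-$JETTY_XML}";   java_enable_sslv3  "${3:-$JAVA_SECURITY}" ;;
    exclude) jetty_exclude_ssl "${2:-$JETTY_XML}"; java_disable_sslv3 "${3:-$JAVA_SECURITY}" ;;
    state)   echo "jetty: $(jetty_state "${2:-$JETTY_XML}")  java: SSLv3 $(java_sslv3_state "${3:-$JAVA_SECURITY}")" ;;
    probe)   probe_protocols "$2" "$3" ;;
    *)       echo "usage: $0 allow|exclude|state [spring-jetty.xml] [java.security] | probe host port" >&2 ;;
esac
```

Run `state` first to record the starting point, `allow` within the Device Lease Period and before restarting the services, and `exclude` again once the clients are on version 8.16 or later. On a Front End Server, pass the Security Server Proxy's spring-jetty.xml as the second argument. A `probe` that reports `-ssl3 untestable` means the local OpenSSL cannot speak SSLv3 at all; that proves nothing about the server, so confirm the SSLv3 result from a host whose OpenSSL still supports it, or from an 8.5 PBA client itself.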

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

 

Article Properties


Affected Product

Dell Encryption

Last Published Date

08 Feb 2023

Version

10

Article Type

Solution