Dell Unity: How to Disable TLS 1.0 and 1.1 on Unity Array
Summary: This article explains how to disable TLS 1.0 and 1.1 on a Unity array. (User Correctable)
Instructions
Facts:
Unity 4.3 and later
Disabling TLS 1.0 is not available on Unity Operating Environment 4.2.1 or earlier.
PUHC error: "TLSv1.0 and TLSv1.1 are not secure. It is recommended that you use TLSv1.2. See KB 22527 for information about how to disable TLSv1.0 and TLSv1.1"
Procedure:
This procedure is run using UEMCLI as the service user.
You are responsible for checking with your application vendor to see if it supports TLS v1.2 before proceeding. Failure to do so may cause any affected clients to lose access to data.
If FIPS PUB 140-2 compliant mode is enabled, Unity uses TLS v1, TLS v1.1, and TLS v1.2, with communication only through Federal compliant ciphers.
Disable TLS 1.0 on arrays running Unity OE 5.1 and later using the steps below:
- Show the current settings with the command:
uemcli -u admin -securePassword /sys/security show
- Disable TLS 1.0 with the command:
uemcli -u admin -securePassword /sys/security set -tlsMode TLSv1.1
Alternatively, you can disable TLS 1.0 and 1.1 by setting -tlsMode TLSv1.2.
uemcli -u admin -securePassword /sys/security set -tlsMode TLSv1.2
If the array is running OE 4.3 to 5.0, disable TLS 1.0 using the steps below:
- Show the current settings with the command:
uemcli -u admin -securePassword /sys/security show
- Disable TLS 1.0 with the command:
uemcli -u admin -securePassword /sys/security set -tls1Enabled no
Example for the above commands:
XXXXX spb:~> uemcli -u admin -securePassword /sys/security show
Password:
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

1: FIPS 140 mode = disabled
   TLS mode = TLSv1.0 and above
   Restricted shell mode = enabled

XXXXX spb:~> uemcli -u admin -password Password1234# /sys/security set -tlsMode TLSv1.1
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

Please refer to the Security Configuration Guide for backward compatibility.
This change may impact running operations (e.g. replication) and the management services will be automatically restarted for the change to take effect.
Do you want to continue?
yes / no: yes

Operation completed successfully.

XXXXXspb:~> uemcli -u admin -securePassword /sys/security show
Password:
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

1: FIPS 140 mode = disabled
   TLS mode = TLSv1.1 and above
   Restricted shell mode = enabled

If the user has special characters in the password, use the below commands. When prompted for the password, enter the user password with special characters:
uemcli -u admin -securePassword /sys/security show
uemcli -u admin -securePassword /sys/security set -tlsMode TLSv1.2
Additional information:
- This procedure restarts the management server. You must wait until you can run the show command again (and log in to Unisphere).
- This change may impact running operations which use management servers (for example, replication).
- If you are unable to log in to Unisphere with LDAP user after disabling TLS 1.0, see article Dell Unity: Unisphere UI fails to log in as LDAP User with error "The logged in user is not authorized to access Unisphere" when TLS1.0 is disabled at LDAP Server [Dell Correctable].
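To confirm the result once the show command responds again, the following added example (not Dell code and not part of the original article) reads saved show output and reports whether TLS 1.0 or 1.1 is still accepted, together with the article's command for the given OE release. The function names are hypothetical, and the parser assumes the "TLS mode = TLSvX.Y and above" line from the example output above.

```shell
#!/bin/sh
# Added example, not Dell code. Parses only the "TLS mode = TLSvX.Y and above"
# line shown in this article's sample output (assumption: other OE releases
# may print a different field, which is reported as UNKNOWN).

# Print the lowest TLS version still accepted, read from `show` output on stdin.
min_tls_from_show() {
    sed -n 's/.*TLS mode[[:space:]]*=[[:space:]]*TLSv\([0-9.]*\).*/\1/p' | head -n 1
}

# Print the article's command for a given OE version (e.g. 5.1 or 4.5.0).
tls_fix_for_oe() {
    major=${1%%.*}
    case $1 in *.*) rest=${1#*.}; minor=${rest%%.*} ;; *) minor=0 ;; esac
    for part in "$major" "$minor"; do
        case $part in ''|*[!0-9]*) echo "invalid OE version: $1"; return 2 ;; esac
    done
    n=$((major * 100 + minor))
    if [ "$n" -ge 501 ]; then
        echo "uemcli -u admin -securePassword /sys/security set -tlsMode TLSv1.2"
    elif [ "$n" -ge 403 ]; then
        echo "uemcli -u admin -securePassword /sys/security set -tls1Enabled no"
    else
        echo "not available before OE 4.3"; return 1
    fi
}

# Usage: audit_unity_tls <OE version> < saved_show_output.txt
# Returns 0 = TLS 1.2 floor, 1 = legacy TLS still on, 2 = could not parse.
audit_unity_tls() {
    floor=$(min_tls_from_show)
    case $floor in
        '')      echo "UNKNOWN: no 'TLS mode' line found"; return 2 ;;
        1.0|1.1) echo "FAIL: TLSv$floor still accepted; article's command for OE $1: $(tls_fix_for_oe "$1")"
                 return 1 ;;
        *)       echo "PASS: lowest accepted version is TLSv$floor"; return 0 ;;
    esac
}

# Constructed sample, modelled on the article's example output.
SAMPLE_SHOW='Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

1:    FIPS 140 mode          = disabled
      TLS mode               = TLSv1.0 and above
      Restricted shell mode  = enabled'

printf '%s\n' "$SAMPLE_SHOW" | audit_unity_tls 5.1 || true
```

The non-zero return codes let the check run from a scheduled job across several arrays, so an array that still accepts TLS 1.0 or 1.1 is flagged before the next PUHC run.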