Dell Unity: Nessus Full Safe Vulnerability Security Scan TLS versjon 1.0 protokoll gjenkjenning (bruker korrigeres)

Tidligere fulgt artikkel 000022527 
Dell Unity: Slik deaktiverer du TLS 1.0 og 1.1 på Unity-array (kan korrigeres av brukeren).  Sikkerhetsskanneren (Nessus) oppdaget imidlertid et TLS-sikkerhetsproblem på port 5085.
Oppdagede sikkerhetsproblemer:https://www.tenable.com/plugins/nessus/104743
Plugin:

104743 Plugin-navn: TLS versjon 1.0 protokollgjenkjenningsport
: 5085
Plugin Utgang: TLSv1 er aktivert, og serveren støtter minst én chiffreringskode.
Synopsis: Den eksterne tjenesten krypterer trafikk ved hjelp av en eldre versjon av TLS.
Løsning: Aktiver støtte for TLS 1.2 og 1.3, og deaktiver støtte for TLS 1.0.

Kommandoen "uemcli -u admin -password <Your Password> /sys/security set -tlsMode TLSv1.2" deaktiverer bare port 443.
Hvis du ønsker å deaktivere port 5085, må du bruke alternativet "-param" i svc_nas-kommandoen.

Deaktiver TLS 1.0 og 1.1 (port 5085) ved hjelp av trinnene nedenfor:
1. Kontroller gjeldende innstillinger.

svc_nas ALL -param -facility ssl -info protocol -v

2. Endre verdien til "4" = TLSv1.2 og høyere".

svc_nas ALL -param -facility ssl -modify protocol -value 4

3. Bekreft at current_value er endret til "4" =TLSv1.2 og nyere.

svc_nas ALL -param -facility ssl -info protocol -v

4. Start lagringsprosessorene på nytt, én om gangen.
UI (Unisphere):
SYSTEM >>>Service Service>>>Tasks >>> (lagringsprosessor X) Velg Start på nytt, og klikk på Utfør.

CLI:

svc_shutdown --reboot [spa | spb] 

5. Bekreft at current_value er endret til "4"=TLSv1.2 og nyere.

Example of changing from TLSv1.0 to TLSv1.2 (Port 5085):

1. Check the current settings.
XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v

name                    = protocol
facility_name           = ssl
default_value           = 2   <<<
current_value           = 2   <<<
configured_value        =     <<<
param_type              = global
user_action             = reboot SP
change_effective        = reboot SP
range                   = (0,4)
description             = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above

2. Change the value to "4" = TLSv1.2 and above".
XXXXX spa:~/user# svc_nas ALL -param -facility ssl -modify protocol -value 4

SPA : done

Warning 17716815750: SPA : You must reboot the SP for protocol changes to take effect.
SPB : done
 
Warning 17716815750: SPB : You must reboot the SP for protocol changes to take effect.

3. Confirm that the configured_value has been changed to "4"=TLSv1.2 and above.
XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v

SPA :
name                    = protocol
facility_name           = ssl
default_value           = 2
current_value           = 2　　<<<<　current_value is changed after restart
configured_value        = 4　　<<<<
param_type              = global
user_action             = reboot SP
change_effective        = reboot SP
range                   = (0,4)
description             = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above

4. Reboot Storage Processor (both SPs alternately).

5. Confirm that the current_value has been changed to "4"=TLSv1.2 and above.

XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v

SPA :
name                    = protocol
facility_name           = ssl
default_value           = 2
current_value           = 4　　<<<< 
configured_value        = 4
param_type              = global
user_action             = reboot SP
change_effective        = reboot SP
range                   = (0,4)
description             = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above

Deaktiver TLS 1.0 og 1.1 (port 443). 
Utdrag fra artikkel 000022527.
● Unity OE 5.1 og nyere matriser om bruk av kommandoen nedenfor: Vis gjeldende innstillinger med kommandoen:
 

uemcli -u admin -password <Your Password> /sys/security show

Deaktiver TLS 1.0 og 1.1 ved å angi -tlsMode TLSv1.2:

uemcli -u admin -password <Your Password> /sys/security set -tlsMode TLSv1.2

Eksempel på endring fra TLSv1.0 til TLSv1.2(Port443):

XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security show
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

1:    FIPS 140 mode         = disabled
      TLS mode              = TLSv1.0 and above
      Restricted shell mode = enabled

XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security set -tlsMode TLSv1.2
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

Please refer to the Security Configuration Guide for backward compatibility.
This change may impact running operations (e.g. replication) and the management services will be automatically restarted for the change to take effect.
Do you want to continue?
yes / no: yes
Operation completed successfully.

XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security show
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

1:    FIPS 140 mode         = disabled
      TLS mode              = TLSv1.2 and above　　<<<
      Restricted shell mode = enabled

Hvis matrisen kjører OE 4.3 til 5.0, deaktiver TLS 1.0 (port 443) ved hjelp av kommandoen nedenfor: Vis gjeldende innstillinger med kommandoen:
 

uemcli -u admin -password <Your Password> /sys/security show -detail

Deaktiver TLS 1.0 med kommandoen: 

uemcli -u admin -password <Your Password> /sys/security set -tls1Enabled no

Aktiver TLS 1.2 med kommandoen: 

uemcli -u admin -password <Your Password> /sys/security -tlsMode TLSv1.2

Eksempel på endring fra TLSv1.0 til TLSv1.2 (port 443): 

XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security show -detail
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

1:    FIPS 140 mode         = disabled
      TLS 1.0 mode          = enabled
      TLS mode              = TLSv1.0 and above
      Restricted shell mode = enabled

XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security set -tlsMode TLSv1.2
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

Please refer to the Security Configuration Guide for backward compatibility.
This change may impact running operations (e.g. replication) and the management services will be automatically restarted for the change to take effect.
Do you want to continue?
yes / no: yes
Operation completed successfully.

XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security show -detail
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

1:    FIPS 140 mode         = disabled
      TLS 1.0 mode          = disabled               <<<
      TLS mode              = TLSv1.2 and above　　 <<<
      Restricted shell mode = enabled

Merk:
Følgende "Feilkode: 0x1000302" kan vises umiddelbart etter at du har endret innstillingene.
Hvis det oppstår en feil, kan du prøve å utføre kommandoen på nytt etter ca. 5 minutter.

Operation failed. Error code: 0x1000302
Remote server is not available. Please contact server support (Error Code:0x1000302)