Configuring the TLS Protocol Version for eSight
By default, eSight clients can connect to eSight using TLSv1.1 and TLSv1.2. You can configure the TLS protocol versions eSight uses as required. TLSv1 is an insecure protocol and is disabled by default; using TLSv1 carries security risks. You are advised to use TLSv1.1 and TLSv1.2, which are more secure.
Context
eSight involves the following TLS configuration files:
- certificate.conf
- roa.inst.xml
- sso.xml
- med_node_1_svc.xml
- ros.xml
- Mediation_1_svc.xml
This section describes how to configure the TLS protocol version for eSight by modifying the corresponding configuration file.
Procedure
- Stop eSight.
- Modify the configuration items in the configuration files listed below.
Modify the items as the ossuser user. If a two-node cluster is deployed, modify the configuration items in the configuration files on both the active and standby nodes.
- To enable TLSv1:

| Configuration File | Configuration Item | Settings |
| --- | --- | --- |
| eSight installation directory/AppBase/sysagent/etc/sysconf/svcbase/med_node_1_svc.xml | ssl.protocol | The default value is TLSv1.1,TLSv1.2. Change it to TLSv1,TLSv1.1,TLSv1.2. |
- To disable TLSv1.1 and enable only TLSv1.2:

| Configuration File | Configuration Item | Settings |
| --- | --- | --- |
| eSight installation directory/AppBase/3rdparty/nginx/conf/certificate.conf | ssl_protocols | The default value is TLSv1.1 TLSv1.2. Change it to TLSv1.2. |
| eSight installation directory/mttools/etc/iemp.framework/roa.inst.xml | ssl.protocol | The default value is SSLv2Hello;TLSv1.1;TLSv1.2. Change it to SSLv2Hello;TLSv1.2. NOTE: SSLv2Hello has security risks and is not recommended. If this configuration item is set to TLSv1.2, JRE1.8 or a later version is required because JRE1.7 does not support some algorithms. |
| eSight installation directory/AppBase/etc/oms.sso/sso.xml | sslProtocols | The default value is TLSv1.1,TLSv1.2. Change it to SSLv2Hello,TLSv1.2. NOTE: SSLv2Hello has security risks and is not recommended. If this configuration item is set to TLSv1.2, JRE1.8 or a later version is required because JRE1.7 does not support some algorithms. |
| eSight installation directory/AppBase/sysagent/etc/sysconf/svcbase/med_node_1_svc.xml | ssl.protocol | The default value is TLSv1.1,TLSv1.2. Change it to TLSv1.2. |
| eSight installation directory/AppBase/etc/oms.ros/ros.xml | ssl.protocol | The default value is empty. Change it to TLSv1.2. NOTE: If the configuration file does not contain this configuration item, TLSv1.1 and TLSv1.2 are enabled. If you want to change the value, manually add the configuration item, as shown in Figure 8-1. |
| eSight installation directory/AppBase/sysagent/etc/sysconf/svcbase/Mediation_1_svc.xml | sslProtocols | The default value is TLSv1.1, TLSv1.2. Change it to TLSv1.2. |
- Restart eSight.
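As an added check that is not part of the eSight documentation, the Python script below audits the configuration item values listed in the tables above and reports any weak protocol (SSLv2Hello, TLSv1, TLSv1.1) that is still enabled before you restart eSight. The file contents are constructed samples; the two XML layouts it recognises (element form and name/value attribute form) are assumptions, as is applying the ros.xml rule "absent or empty means TLSv1.1 and TLSv1.2" to every file.

```python
import re

# Configuration item per file, taken from the procedure; paths are relative
# to the eSight installation directory.
ITEMS = {
    "AppBase/3rdparty/nginx/conf/certificate.conf": "ssl_protocols",
    "mttools/etc/iemp.framework/roa.inst.xml": "ssl.protocol",
    "AppBase/etc/oms.sso/sso.xml": "sslProtocols",
    "AppBase/sysagent/etc/sysconf/svcbase/med_node_1_svc.xml": "ssl.protocol",
    "AppBase/etc/oms.ros/ros.xml": "ssl.protocol",
    "AppBase/sysagent/etc/sysconf/svcbase/Mediation_1_svc.xml": "sslProtocols",
}
WEAK = {"SSLv2Hello", "TLSv1", "TLSv1.1"}  # flagged as risky or disabled by the procedure

def extract_value(item, text):
    """Return the raw value of `item` in `text`, or None if the item is absent."""
    name = re.escape(item)
    patterns = [
        rf"^\s*{name}\s+([^;]+);",              # nginx directive: ssl_protocols TLSv1.1 TLSv1.2;
        rf"<{name}>\s*([^<]*?)\s*</{name}>",    # ASSUMED XML element form
        rf'name="{name}"\s+value="([^"]*)"',    # ASSUMED XML name/value attribute form
    ]
    for pat in patterns:
        m = re.search(pat, text, re.MULTILINE)
        if m:
            return m.group(1).strip()
    return None

def parse_protocols(value):
    """Split on the separators the procedure shows: ',', ';' or whitespace."""
    return [p for p in re.split(r"[,;\s]+", value) if p]

def audit(item, text):
    """Return (enabled_protocols, weak_protocols_still_enabled) for one file."""
    value = extract_value(item, text)
    if not value:
        # The page states this fallback for ros.xml; applying it to every file is an assumption.
        enabled = ["TLSv1.1", "TLSv1.2"]
    else:
        enabled = parse_protocols(value)
    return enabled, sorted(p for p in enabled if p in WEAK)

def audit_all(files):
    """Audit a {path: text} mapping and return {path: (enabled, weak)}."""
    return {path: audit(ITEMS[path], text) for path, text in files.items()}

SAMPLE_FILES = {  # constructed contents, not real eSight files
    "AppBase/3rdparty/nginx/conf/certificate.conf": "ssl_protocols TLSv1.1 TLSv1.2;\n",
    "mttools/etc/iemp.framework/roa.inst.xml": '<param name="ssl.protocol" value="SSLv2Hello;TLSv1.2"/>',
    "AppBase/etc/oms.ros/ros.xml": "<config></config>",  # item absent, so the fallback applies
}
```

Run `audit_all(SAMPLE_FILES)` after editing the real files (read each path into the mapping) and treat any non-empty weak list as a file still to be fixed.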
Follow-up Procedure
After changing the TLS protocol version for eSight, ensure that the matching TLS protocol version is enabled in the client browser. By default, the TLS protocol is enabled for Firefox and Chrome. To enable the TLS protocol for Internet Explorer, perform the following steps:
- Open Internet Explorer.
- On the menu bar of Internet Explorer, choose Tools > Internet Options.
If the menu bar is not displayed, press Alt.
- In the Internet Options dialog box, click the Advanced tab, select the protocol to be used, and click OK.
- If eSight uses only TLSv1.2, select Use TLS 1.2.
- If eSight uses both TLSv1.1 and TLSv1.2, select Use TLS 1.1 and Use TLS 1.2.