Enable TLS in Orion Platform products

Updated July 18, 2018

Overview

Products running on Orion Platform must enable TLS.

On Windows Server 2008 or later, TLS 1.0 is enabled by default.
On Windows 8 and Windows Server 2012 or later, TLS 1.1 and TLS 1.2 are enabled by default.

Refer to this Microsoft article for detailed information on which TLS protocol versions are supported and enabled by default on each supported Microsoft Windows version.

 

When TLS is disabled, some of the following errors may occur:

  • Log & Event Manager can fail to start
  • Kiwi CatTools fails to send emails
  • HTTPS monitoring can stop
  • Storage Manager can be unable to collect data from IBM SVC
  • NCM does not work as expected
  • IP Monitor Service can fail to start
  • Server & Application Monitor may have errors
  • SWIS cannot communicate with RabbitMQ (TLS 1.2)
  • Orion Web Console stops working (TLS 1.2)
  • SNMP v3

 

The TLS versions that your operating system supports are enabled or disabled in the registry, and can be enabled or disabled separately for server and client communication.

SolarWinds recommends using IIS Crypto 2.0 to disable insecure protocols on your Windows systems.

For example (replace TLS 1.0 with TLS 1.1 or TLS 1.2 as needed):

  1. TLS 1.0 is disabled for client communication if the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client exists and if one of the following is true:
    • The entry Enabled exists with a value of 0.
    • The entry DisabledByDefault exists with a non-zero value and the entry Enabled does not exist or exists and has the value of 0.
  2. TLS 1.0 is disabled for server communication if the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server exists and if one of the following is true:
    • The entry Enabled exists with a value of 0.
    • The entry DisabledByDefault exists with a non-zero value and the entry Enabled does not exist or exists and has the value of 0.
The resulting key output looks like this:

      ...
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
      "DisabledByDefault"=dword:00000000
      "Enabled"=dword:00000001

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
      "DisabledByDefault"=dword:00000000
      "Enabled"=dword:00000001
      ...
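
The disabled rule described above can be checked directly against the registry. The following PowerShell is an added example, not SolarWinds code; the helper name Test-TlsDisabled is hypothetical, and the script only reads the registry.

```powershell
# Added example (read-only): applies the article's "disabled" rule to each
# SCHANNEL protocol key. Test-TlsDisabled is a hypothetical helper name.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Test-TlsDisabled {
    param(
        [Parameter(Mandatory)][string]$Version,   # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role
    )
    $path = Join-Path (Join-Path $Base $Version) $Role
    # The rule only applies when the key exists; otherwise the OS default is used.
    if (-not (Test-Path -LiteralPath $path)) { return $false }

    $key     = Get-Item -LiteralPath $path
    $enabled = $key.GetValue('Enabled')             # $null when the entry is absent
    $dbd     = $key.GetValue('DisabledByDefault')   # $null when the entry is absent

    $enabledIsZero  = ($null -ne $enabled) -and ($enabled -eq 0)
    $enabledMissing = ($null -eq $enabled)
    $dbdNonZero     = ($null -ne $dbd) -and ($dbd -ne 0)

    # Condition 1: Enabled exists with value 0.
    # Condition 2: DisabledByDefault is non-zero and Enabled is absent or 0.
    return $enabledIsZero -or ($dbdNonZero -and ($enabledMissing -or $enabledIsZero))
}

$report = foreach ($version in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        $path = Join-Path (Join-Path $Base $version) $role
        [pscustomobject]@{
            Protocol  = $version
            Role      = $role
            KeyExists = Test-Path -LiteralPath $path
            Disabled  = Test-TlsDisabled -Version $version -Role $role
        }
    }
}
$report | Format-Table -AutoSize

# Flag the requirement stated in the article: TLS 1.0 or TLS 1.1 must remain
# usable for both client and server communication.
foreach ($role in 'Client', 'Server') {
    $legacy = $report | Where-Object { $_.Role -eq $role -and $_.Protocol -ne 'TLS 1.2' }
    if (-not ($legacy | Where-Object { -not $_.Disabled })) {
        Write-Warning "TLS 1.0 and TLS 1.1 are both disabled for $role communication."
    }
}
```

A row with KeyExists set to False means the registry does not override the protocol, so the operating system default for that Windows version applies.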

SolarWinds requires that at least one of TLS 1.0 or TLS 1.1 is enabled for both client and server communication. 

Some legacy tools such as the Report Writer, Syslog Viewer, and Trap Viewer may require TLS 1.0.

View TLS compatibility with Orion Core Products to verify if your SolarWinds Orion products work with TLS 1.0 disabled.

Environment

All Orion products running on Orion Platform 2017.3 and earlier, such as:

  • NPM 12.2 and earlier
  • SAM 6.5 and earlier

 

NPM 12.3 supports TLS 1.2-only connections for organizations that require that type of delivery for security and compliance reasons. See TLS compatibility with Orion Platform products for details and a list of other Orion products that support TLS 1.2-only connections.

Steps

SolarWinds strongly recommends that you back up your registry before making any edits to your system registry. You should only edit the registry if you are experienced and confident in doing so. Using a registry editor incorrectly can cause serious issues with your operating system, which could require you to reinstall your operating system to correct them. SolarWinds cannot guarantee resolutions to any damage resulting from making registry edits.

  1. Log in to the SolarWinds Orion server as an administrator.
  2. Back up your registry.
  3. Open the registry editor.
  4. To enable TLS 1.0, find or create the following keys:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
  5. To enable TLS 1.1, find or create the following keys:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
  6. To enable TLS 1.2, find or create the following keys:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
  7. In each key from previous steps, find or create the following REG_DWORD values:
    • DisabledByDefault with the value set to 0 decimal
    • Enabled with the value set to 1 decimal
  8. Reboot the computer.

TLS 1.0, TLS 1.1, and TLS 1.2 are now explicitly enabled.
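
Steps 2 and 4 through 7 can also be scripted. This PowerShell is an added example, not part of the SolarWinds article or product; the function name Enable-TlsProtocol and the backup file location are assumptions, and it must be run from an elevated prompt.

```powershell
# Added example: scripts steps 2 and 4-7 of the procedure above.
# Enable-TlsProtocol and the default backup path are hypothetical choices.
function Enable-TlsProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Defaults to all three versions, as in the steps above; pass a
        # shorter list to enable only the versions your products need.
        [ValidateSet('TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
        [string[]]$Version = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
        [string]$BackupFile = (Join-Path $env:TEMP 'schannel-backup.reg')
    )
    $schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

    # Step 2: export the SCHANNEL subtree before changing it.
    if ($PSCmdlet.ShouldProcess("HKLM\$schannel", "Export to $BackupFile")) {
        & reg.exe export "HKLM\$schannel" $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; no changes made.' }
    }

    foreach ($v in $Version) {
        foreach ($role in 'Client', 'Server') {
            $path = "HKLM:\$schannel\Protocols\$v\$role"
            if (-not $PSCmdlet.ShouldProcess($path, 'Set DisabledByDefault=0, Enabled=1')) {
                continue
            }
            # Steps 4-6: create the key only if it is missing, so existing
            # keys and their other entries are left untouched.
            if (-not (Test-Path -LiteralPath $path)) {
                New-Item -Path $path -Force | Out-Null
            }
            # Step 7: both entries are REG_DWORD values.
            New-ItemProperty -LiteralPath $path -Name 'DisabledByDefault' `
                -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -LiteralPath $path -Name 'Enabled' `
                -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
    # Step 8 (reboot) is left to the operator.
}

# Preview the changes without writing anything:
Enable-TlsProtocol -WhatIf
```

Remove -WhatIf to apply the changes, then reboot as in step 8.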

 

Alternative Tool...

  1. Log in to the Orion server as an administrator.
  2. Download and install IIS Crypto from Nartac. (© 2013 Nartac Software, available at https://www.nartac.com/, obtained on Feb 3, 2017.)
  3. Open the tool.
  4. Select Schannel and other registry entries as required.
  5. Apply changes and restart the computer.

 

If you are allowed to run only one TLS version at the same time and experience issues with desktop tools, such as Trap Viewer or Syslog Viewer, see the article about desktop tools not working when TLS 1.0 is disabled.

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.

 
