Some Dell management consoles (e.g., OpenManage Essentials) may experience communication issues with discovered iDRAC 7/8 devices after upgrading their firmware to version 2.40.40.40, or with CMC versions 5.21 (M1000e), 2.2 (VRTX), or 1.4 (FX2) and higher.

Because of recently discovered vulnerabilities in the Transport Layer Security (TLS) 1.0 cryptographic protocol, disabling TLS 1.0 and then enabling TLS 1.1 and 1.2 is the best method of addressing these security concerns. Beginning with iDRAC firmware version 2.40.40.40 and higher, TLS version 1.0 is disabled by default. CMC devices beginning with version 5.21 and higher for M1000e, 2.2 and higher for VRTX, and 1.4 and higher for FX2 have only TLS 1.2 enabled. With this change, you must ensure that your operating systems, remote devices, and web browsers fully support TLS 1.1 and 1.2; otherwise, communication issues can occur with Dell devices and within the following Dell management consoles and tools:

- OpenManage Essentials (OME)
- Dell LifeCycle Controller Integration (DLCI) for SCCM
- Dell Server Management Pack (DSMP) for SCOM
- Dell LifeCycle Controller Integration (DLCI) for SCVMM
- iDRAC Web GUI
- RACADM CLI
- Any other client that uses secure communication protocols (SSL, WSMAN, etc.)

Note: For more information on this vulnerability, refer to the Department of Homeland Security Vulnerability Notes Database article "VU#864643 - SSL 3.0 and TLS 1.0 allow chosen plaintext attack in CBC modes".
Table of Contents:

- Verifying Device TLS Support
- Preparation for Enabling TLS 1.1/1.2
- iDRAC and Supporting Tools TLS Support
- Modifying TLS setting on iDRAC and CMC

Verifying Device TLS Support

Most currently released browsers and operating systems already support TLS 1.1 and 1.2 and have them enabled by default. However, some older Windows operating systems and Internet Explorer versions either do not support TLS 1.1 and 1.2, or support them but do not have them enabled by default.

Verifying your Operating System

Refer to Table 1 to identify which Windows operating systems are affected by this change:

| Operating System | TLS 1.0 | TLS 1.1 | TLS 1.2 |
|---|---|---|---|
| Windows Vista | Supported | Not Supported | Not Supported |
| Windows Server 2008 | Supported | Not Supported | Not Supported |
| Windows 7 | Supported | Supported, disabled by default | Supported, disabled by default |
| Windows Server 2008 R2 | Supported | Supported, disabled by default | Supported, disabled by default |
| Windows Server 2012 | Supported | Supported, disabled by default | Supported, disabled by default |
| Windows 8.1 and newer | Supported | Supported | Supported |
| Windows Server 2012 R2 and newer | Supported | Supported | Supported |

Table 1: Operating System Support Matrix

Note: For more information on the TLS protocols, refer to the Wikipedia article Transport Layer Security.

Verifying your Internet Explorer TLS 1.1 and 1.2 Support

- Internet Explorer 8 is no longer supported by Microsoft as of January 12, 2016.
- Systems running IE 9 and 10 need to have TLS 1.1 and/or TLS 1.2 enabled before they can negotiate these newer protocol versions.
- Internet Explorer 11 and higher have TLS 1.1 and 1.2 enabled by default.

Note: For more information on Internet Explorer support boundaries, refer to the Microsoft Internet Explorer Support Matrix.

Verifying your iDRAC/CMC TLS 1.1 and 1.2 Support

Supported TLS protocols differ between iDRAC and CMC firmware versions.
Use Table 2 below to identify which iDRACs and/or CMCs in your environment require a firmware upgrade to support TLS 1.1 and 1.2.

| Firmware Version | TLS 1.0 | TLS 1.1 | TLS 1.2 |
|---|---|---|---|
| iDRAC 6 Modular | Supported | Not Supported | Not Supported |
| iDRAC 6 Modular 3.75+ | Supported | Supported | Supported |
| iDRAC 6 | Supported | Not Supported | Not Supported |
| iDRAC 6 1.99+ | Supported | Supported | Supported |
| iDRAC 7 | Supported | Not Supported | Not Supported |
| iDRAC 7/8 2.10.10.10 to 2.30.30.30 | Supported | Supported | Supported |
| iDRAC 7/8 2.40.40.40+ | Disabled | Supported | Supported |
| CMC M1000e 5.2+ | Disabled | Disabled | Supported |
| CMC VRTX 2.2+ | Disabled | Disabled | Supported |
| CMC FX2 1.4+ | Disabled | Disabled | Supported |

Table 2: iDRAC and CMC TLS Support Matrix

Dell recommends updating your iDRACs and/or CMCs to the latest firmware to take advantage of the latest features and updates. If your iDRAC or CMC has been identified as NOT supporting TLS 1.1 and 1.2, visit the Dell Support Site to download the latest firmware release.

Preparation for Enabling TLS 1.1/1.2

Use the methods below to ensure that your device fully supports TLS 1.1 and 1.2 before disabling TLS 1.0. Failure to do so can cause Dell management consoles such as OpenManage Essentials, or DLCI for System Center Configuration Manager, to lose the ability to communicate with remote devices over TLS.

Windows Server

Windows Vista and Server 2008

These Windows operating systems do not support TLS 1.1 or 1.2; you must upgrade the operating system to take advantage of these newer cryptographic protocols.

Windows 7, Server 2008 R2, and 2012

These Windows operating systems support TLS 1.1 and 1.2, but both are disabled by default. Proceed to the Microsoft Knowledge Base article "Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows" and follow the instructions provided to acquire the supported patch and registry changes.
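The following script is an added example, not part of the Dell article, for auditing the WinHTTP protocol setting that the Microsoft article above describes on Windows 7, Server 2008 R2 and Server 2012 before you disable TLS 1.0 on your iDRACs and CMCs. The registry path `Internet Settings\WinHttp`, the `DefaultSecureProtocols` value and its bit values (0x0200 = TLS 1.1, 0x0800 = TLS 1.2) are taken from that Microsoft Knowledge Base article (KB 3140245), not from this page; the `SecureProtocols` value under HKCU is the storage location of the Internet Explorer "Use TLS 1.x" checkboxes and uses the same bit layout. The `-Apply` switch is an assumption of this script's own design. Run it from an elevated prompt, and only after the hotfix from that article is installed, because without the hotfix WinHTTP ignores the value.

```powershell
# Added example (not from the Dell article): report, and with -Apply set, the WinHTTP
# default secure protocols that OME, DLCI and RACADM rely on when talking to iDRAC/CMC.
# Registry locations and bit values come from Microsoft KB 3140245 (assumption: that KB
# is the "WinHTTP" article this section references). Requires an elevated prompt.
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

# Bit values of DefaultSecureProtocols / SecureProtocols, as documented in KB 3140245
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x0008
    'SSL 3.0' = 0x0020
    'TLS 1.0' = 0x0080
    'TLS 1.1' = 0x0200
    'TLS 1.2' = 0x0800
}
$Desired = 0x0A00   # TLS 1.1 + TLS 1.2 only

# WinHTTP setting for native processes and, on 64-bit Windows, for 32-bit (WOW64) ones
$WinHttpPaths = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
if ([Environment]::Is64BitOperatingSystem) {
    $WinHttpPaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
}
# Internet Explorer "Use TLS 1.x" checkboxes of the current user (same bit layout)
$IePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Decode-Protocols([int]$Mask) {
    # Translate a bitmask into the protocol names it enables
    $names = foreach ($p in $ProtocolBits.GetEnumerator()) {
        if ($Mask -band $p.Value) { $p.Key }
    }
    if ($names) { $names -join ', ' } else { '(none)' }
}

function Get-ProtocolMask([string]$Path, [string]$Name) {
    # $null means the key or value is absent, so the OS default applies
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.$Name } else { $null }
}

foreach ($path in $WinHttpPaths) {
    $current = Get-ProtocolMask $path 'DefaultSecureProtocols'
    if ($null -eq $current) {
        Write-Host "$path`n  DefaultSecureProtocols not set (OS default applies; TLS 1.1/1.2 not offered by WinHTTP)"
    } else {
        Write-Host ("$path`n  DefaultSecureProtocols = 0x{0:X4} -> {1}" -f $current, (Decode-Protocols $current))
    }

    # Both TLS 1.1 and TLS 1.2 bits must be present for the consoles to reach a 2.40.40.40+ iDRAC
    $ok = ($null -ne $current) -and (($current -band $Desired) -eq $Desired)
    if (-not $ok -and $Apply) {
        New-Item -Path $path -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DefaultSecureProtocols' -PropertyType DWord `
            -Value $Desired -Force | Out-Null
        Write-Host ("  set to 0x{0:X4} ({1}); a reboot is required" -f $Desired, (Decode-Protocols $Desired))
    } elseif (-not $ok) {
        Write-Host "  TLS 1.1/1.2 not enabled for WinHTTP; install the hotfix, then re-run with -Apply"
    }
}

# IE checkboxes: report only, since IE 9/10 users set these in inetcpl.cpl or via Group Policy
$ie = Get-ProtocolMask $IePath 'SecureProtocols'
if ($null -ne $ie) {
    Write-Host ("Internet Explorer (HKCU) SecureProtocols = 0x{0:X4} -> {1}" -f $ie, (Decode-Protocols $ie))
}
```

Run it once without `-Apply` on each management station to see which ones would lose contact with a TLS 1.1/1.2-only controller, and again with `-Apply` after the hotfix is installed; reboot afterwards, as the Important note below requires.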
Important: The application of the Microsoft hotfix must be accompanied by the required registry changes, or the undesired iDRAC state (e.g., Unknown) will persist. Once the registry changes are made, you must reboot the server.

Windows 8.1 and Server 2012 R2

No changes are needed. TLS 1.1 and 1.2 are already supported and enabled by default.

Internet Explorer

Internet Explorer 9 and 10

For systems running IE 9 or 10, perform the following to enable TLS 1.1 and/or TLS 1.2:

1. Open the Internet Properties control panel (inetcpl.cpl).
2. Click the Advanced tab.
3. Under the Settings section, select Use TLS 1.1 and Use TLS 1.2 (Figure 1).

Figure 1: Security section of Internet Properties

Note: These changes can also be deployed using Group Policy. For more information, refer to the Microsoft TechNet article "Managing Browser Settings with Group Policy Tools".

Internet Explorer 11 and newer

For systems running Internet Explorer 11 or newer, no changes are needed, since TLS 1.1 and 1.2 are fully supported and enabled by default.

iDRAC and Supporting Tools TLS Support

If you are running iDRAC 7/8 firmware version 2.40.40.40 or higher, or CMC 5.2+ (M1000e), 2.2+ (VRTX), or 1.4+ (FX2), you must perform the following to ensure that your iDRAC/CMC and its supporting tools can communicate properly.

iDRAC Web GUI and RACADM

The iDRAC Web GUI and RACADM use the same API that Internet Explorer uses to connect securely. Use the procedure outlined in the "Preparation for Enabling TLS 1.1/1.2" section of this article to ensure you can connect to the iDRAC after disabling TLS 1.0.

RACADM with System Accounts

If RACADM is used with system-based service accounts (non-local users), some additional registry keys need to be added for TLS 1.1 and 1.2 to function properly.
See the More information section of the following Microsoft Knowledge Base article: https://support.microsoft.com/en-us/kb/3140245 (Applies to: Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2012)

Note: Some systems may require you to follow the instructions in Microsoft Article 2977292, "Microsoft security advisory: Update for Microsoft EAP implementation that enables the use of TLS: October 14, 2014", before TLS 1.1 and 1.2 are fully enabled.

Modifying TLS setting on iDRAC and CMC

Important: Dell does not recommend enabling TLS 1.0 due to recently discovered vulnerabilities within this cryptographic protocol. However, if your environment requires the use of TLS 1.0, there is a command line (CLI) RACADM method of doing so. Visit the Dell Support Site to download the latest Dell OpenManage DRAC Tools to acquire RACADM.

Modifying TLS setting on iDRAC 6 firmware 2.90 (Monolithic) or 3.85 (Modular) and higher

Use the following local RACADM command to modify the TLS setting on an iDRAC 6 running firmware 2.90 (Monolithic) or 3.85 (Modular) and higher:

```
racadm tlsEncryptionStrength set 1 --webserverrestart
```

NOTE: The --webserverrestart parameter is optional.

For remote iDRACs, use the following remote RACADM command:

```
racadm -r (IP_or_FQDN_iDRAC) -u (username) -p (password) tlsEncryptionStrength set 1 --webserverrestart
```

Values:

- 0 = TLS 1.0 and higher
- 1 = TLS 1.1 and higher

Modifying TLS setting on iDRAC 7/8 firmware 2.40.40.40 and higher

Use the following local RACADM command to modify the TLS setting on an iDRAC 7/8 running firmware 2.40.40.40 and higher:

```
racadm set iDrac.WebServer.TlsProtocol 1
```

For remote iDRACs, use the following remote RACADM command:

```
racadm -r (IP_or_FQDN_iDRAC) -u (username) -p (password) set iDrac.WebServer.TlsProtocol 1
```

Values:

- 0 = TLS 1.0 and higher
- 1 = TLS 1.1 and higher
- 2 = TLS 1.2 only

Modifying TLS setting on CMC firmware 5.2 (M1000e), 2.2 (VRTX), 1.4 (FX2) and higher

Use the following local RACADM command to modify the TLS setting on a CMC running firmware 5.2 (M1000e), 2.2 (VRTX), 1.4 (FX2) and higher:

```
racadm config -g cfgRacTuning -o cfgRacTuneTLSProtocolVersionEnable 1
```

For a remote CMC, use the following remote RACADM command:

```
racadm -r (IP_or_FQDN_iDRAC) -u (username) -p (password) config -g cfgRacTuning -o cfgRacTuneTLSProtocolVersionEnable 1
```

Values:

- 0 = TLS 1.0 and higher
- 1 = TLS 1.1 and higher
- 2 = TLS 1.2 only
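The three RACADM variants above differ only in the argument list, so an administrator with a mixed fleet usually wraps them in one script. The following is an added example, not Dell's code or part of this article: it selects the RACADM syntax from this section by controller family, runs it remotely against each controller, and then confirms from the management station which TLS versions the controller still accepts, using .NET's `SslStream` so that "TLS 1.0 refused, TLS 1.2 accepted" is verified rather than assumed. Assumptions: `racadm` (from the Dell OpenManage DRAC Tools) is on the PATH, the same account works on every controller, the hostnames in `$Controllers` are constructed placeholders, and a 20-second wait is enough for the controller's web server to come back after the change.

```powershell
# Added example (not from the Dell article): apply the TLS level from this section to a
# list of iDRAC 6, iDRAC 7/8 and CMC controllers with remote RACADM, then verify the result.
# Assumptions: racadm.exe on PATH; hostnames below are constructed for illustration.
param(
    [int]$Level = 1   # 0 = TLS 1.0 and higher, 1 = TLS 1.1 and higher, 2 = TLS 1.2 only
)

# Constructed inventory: the Family column decides which RACADM syntax applies
$Controllers = @(
    @{ Host = 'idrac6-example.lab.local';   Family = 'iDRAC6' }
    @{ Host = 'idrac8-example.lab.local';   Family = 'iDRAC7/8' }
    @{ Host = 'cmc-vrtx-example.lab.local'; Family = 'CMC' }
)

$cred = Get-Credential -Message 'RACADM account'
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

function Get-RacadmTlsArgs([string]$Family, [int]$Level) {
    # RACADM arguments exactly as documented in this section, per firmware family
    switch ($Family) {
        'iDRAC6' {
            # iDRAC 6 tlsEncryptionStrength only accepts 0 or 1 (no "TLS 1.2 only" value)
            if ($Level -gt 1) { throw 'iDRAC 6 tlsEncryptionStrength supports only 0 or 1' }
            @('tlsEncryptionStrength', 'set', "$Level", '--webserverrestart')
        }
        'iDRAC7/8' { @('set', 'iDrac.WebServer.TlsProtocol', "$Level") }
        'CMC'      { @('config', '-g', 'cfgRacTuning', '-o', 'cfgRacTuneTLSProtocolVersionEnable', "$Level") }
        default    { throw "Unknown controller family: $Family" }
    }
}

function Test-TlsVersion([string]$Target, [System.Security.Authentication.SslProtocols]$Protocol) {
    # $true when the controller completes a handshake at exactly this protocol version.
    # Certificate validation is skipped because iDRAC/CMC normally present self-signed
    # certificates; this checks protocol negotiation only, not the controller's identity.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Target, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Target, $null, $Protocol, $false)
        return $true
    } catch {
        return $false
    } finally {
        $tcp.Close()
    }
}

foreach ($c in $Controllers) {
    $tlsArgs = Get-RacadmTlsArgs $c.Family $Level
    Write-Host "[$($c.Host)] racadm $($tlsArgs -join ' ')"
    # Remote RACADM form from this section: racadm -r <host> -u <user> -p <password> <command>
    $racArgs = @('-r', $c.Host, '-u', $user, '-p', $pass) + $tlsArgs
    & racadm @racArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "[$($c.Host)] racadm exited with code $LASTEXITCODE"
        continue
    }

    Start-Sleep -Seconds 20   # assumption: time for the controller's web server to restart

    $tls10 = Test-TlsVersion $c.Host ([System.Security.Authentication.SslProtocols]::Tls)
    $tls12 = Test-TlsVersion $c.Host ([System.Security.Authentication.SslProtocols]::Tls12)
    Write-Host ("[{0}] TLS 1.0 accepted: {1}   TLS 1.2 accepted: {2}" -f $c.Host, $tls10, $tls12)
    if ($Level -ge 1 -and $tls10) { Write-Warning "[$($c.Host)] still accepts TLS 1.0; check the setting" }
    if (-not $tls12) { Write-Warning "[$($c.Host)] does not accept TLS 1.2; consoles on this station may lose contact" }
}
```

Run the verification part first, before changing anything, to confirm the management station itself can negotiate TLS 1.2 to the controller; if `Test-TlsVersion` already fails for TLS 1.2 from that station, fix the Windows side (previous section) before raising the controller's TLS level, or the consoles listed at the top of this article will stop communicating with it.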