BladeSystem Virtual Connect
cancel
Showing results for 
Search instead for 
Did you mean: 

How to disable TLSv1.0 on c7000 Onboard Administrator?

 
SOLVED
Go to solution
Highlighted
BJohnson101
Collector

How to disable TLSv1.0 on c7000 Onboard Administrator?

Hello,

I am trying to mitigate the SSLv2, SSLv3, TLSv1.0, POODLE vulnerability on a c7000 chassis in both the Onboard Administrator and Virtual Connect Interconnects but am having some difficulty.  I have 5 c7000 boxes to address configured in 2 system configurations:
    System1    OA3.60 / VCM4.50
    System2    OA4.30 / VCM4.50

According this HP Support Communication, (https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n
a-c05157667), it is possible to address the Onboard Administrator provided OA v4.3 or later is installed.  

According to the HPE Virtual Connect Manager Command line interface for c-class bladesystem version 4.40/4.41 Documentation (https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=2ahUKEwjD4cbJ2a7fAhUBjq0KHZ1dBlgQFjAAegQICRAC&url=https%3A%2F%2Fsupport.hpe.com%2Fhpsc%2Fdoc%2Fpublic%2Fdisplay%3FdocId%3Demr_na-c04562191%26docLocale%3Den_US&usg=AOvVaw3ls1msGT26gnwCtHCGRApv), it is possible to disable TLSv1.0 (p124) on the VCMs.

In my scenarios, I am unable to update the OA on System1 to 4.3+.  I tried to update with several SPP packages thinking I may have to step through the udpates:  SPP2015.04, SPP2016.10, SPP2017.104, SPP_G7.1, and SPP_Gen8.1.  All attempts to update the OA fail with "(Error -3)".

On System2, the OA "Edit Advanced Security Settings" option is not in any of my systems.  

In both System configurations, I am unable to disable TLSv1.0.  It is not in the GUI or the CLI menus.  I have even SSH'd into the VCM, and used CLI command "show ssl" and no TLS option is shown.

Q1:    How do you recommend updating the OAs?
Q2:    What am I missing to disable the TLSv1.0/POODLE in the VCMs?

Many thanks,
Bobby

4 REPLIES 4
m_icha
HPE Pro

Re: How to disable TLSv1.0 on c7000 Onboard Administrator?

Hello BJohnson101 ,

Indeed the information/documents you shared are accurate. Based on your description I understand that you are trying to upgrade OA via SPP (SUM). If you want to troubleshoot further, once the upgrade fails SUM allows you to expand the error & delve into the text message in order to locate more info on the cause that interrupted the update process.

If for any reason, you still face difficulties via SPP you can always upgrade OA module via the GUI by uploading relevant OA bin file that you can download from the hpe.com site. Relevant option for OA firmware upgrade is under Active OnBoard Administator. You can find more info here: https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=null&docLocale=en_US&docId=emr_na-c00806740&withFrame by searching firmware update

M_icha

I'm an HPE Employee
Learn how to contact HPE Support
https://support.hpe.com/help/en/Content/productSupport/supportCaseManager.html
How to Say Thank You? Just click the KUDOS!
Swats13
Occasional Advisor

Re: How to disable TLSv1.0 on c7000 Onboard Administrator?

Hi BJohnson101,

For your first query, I see m_icha has provided a response.

For your query regarding vulnarability,  check out the below link for SSLv3 POODLE Vulnerability - CVE-2014-3566.

https://www.hpe.com/us/en/services/security-vulnerability.html 

 

I am a HPE Employee
BJohnson101
Collector

Re: How to disable TLSv1.0 on c7000 Onboard Administrator?

Yes, updating the firmware directly to the OA would be a great idea, but I don't have that option.  When i click on Enclosure Information>>Enclosure Settings >> Enclosure Firmware Management >> Settings Tab, I can enable the "Enable Enclosure Firmware Managment" option, but can ONLY utilize a URL.  The option to "Browse" to locate a file is not available:
c7000_firmware-console.JPG

 

Do you have any other suggestions?

Thanks,

Bobby

BJohnson101
Collector
Solution

Re: How to disable TLSv1.0 on c7000 Onboard Administrator?

Nevermind, I now see what I was doing wrong:  I should have drilled down into the Enclosure Information >> Active Onboard Administrator >> Firmware update...... NOT the Enclosure Settings. 

I have update the FW on the OA and now the TLS options are there to disable. 
Thanks everyone!

Bobby