
Disable TLS 1.0

 
SOLVED
hyeberty
Visitor

Disable TLS 1.0

Our Security Team scanned our OneView Appliance and is requesting that we disable TLS that is not TLS 1.2.

Is this supported or is this capable of doing so? Has anyone done this? All of our hardware that is being managed by this OneView is running 2018.03 SPP.

OneView is 4.0

Firmware 4.00.07-0330056
7 REPLIES
ChrisLynchHPE
Neighborhood Moderator
Solution

Re: Disable TLS 1.0

Unfortunately, it is not possible to disable TLS 1.0 and/or 1.1 in OneView 4.00.  If your infrastructure is governed by the Payment Card Industry (PCI) DSS rules that require TLS 1.0 be disabled by June 1, 2018, please private message me so we can privately chat.  We will support this functionality with our next HPE OneView release.  And if you are going to ask when it will be released, I am unable to provide that information as we have yet to announce it.

roffd
Occasional Visitor

Re: Disable TLS 1.0

Chris,

How can I disable TLS v1.0 and 1.1 in OneView v4.1?

ChrisLynchHPE
Neighborhood Moderator

Re: Disable TLS 1.0

Yes, using either the API, or PowerShell (Get-HPOVApplianceSecurityProtocol and Set-HPOVApplianceSecurityProtocol).  These are only supported in the HPE OneView 4.10 PowerShell library and appliance.  These cannot work with older OneView appliance versions as the API does not exist to manage.

ASealPerspecta
Occasional Visitor

Re: Disable TLS 1.0

Is it possible to disable only TLS Version 1.0 or does it disable version 1.0 and 1.1?

Also, what are the ramifications? Can it still manage Gen 7 Blades etc. or does it lose the ability to do that with TLS 1.0 disabled?

Thanks

ChrisLynchHPE
Neighborhood Moderator

Re: Disable TLS 1.0

The Cmdlet will allow you to disable TLS 1.0.  If you attempt to disable 1.1 only, that will fail, as 1.0 is significantly less secure than 1.1.  This ONLY impacts the HPE OneView UI, not talking to endpoints like iLO.  We already enforce the highest TLS version the iLO supports.  You can put the appliance into either FIPS or CNSA security mode, which will disable weak security protocols and methods, and then could prevent iLO3 communication, which does not support TLS 1.2.

ASealPerspecta
Occasional Visitor

Re: Disable TLS 1.0

Thanks for the quick reply.

So to disable only TLS version 1 the command would look like this, correct?

"Set-HPOVApplianceSecurityProtocol -EnableTlsVersion TLSv1.1,TLSv1.2"

A comma separated value so it allows 1.1 and 1.2.

Or would it require 2 commands for each version?

Thanks again for the help.

ChrisLynchHPE
Neighborhood Moderator

Re: Disable TLS 1.0

Cmdlet usage is documented in the Cmdlet help. Yes, it would be:

TlsV1.1, Tlsv1.2

You can tab complete the allowed values when you provide the parameter name when interacting with the Cmdlet.

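After changing the appliance's protocol settings as discussed in this thread, the scanner's finding can be re-checked from a workstation by attempting one handshake per TLS version against the appliance UI. This is an added example, not code from the thread or from HPE; it uses Python's standard `ssl` module rather than the HPE OneView library, and assumes the UI listens on port 443 and that the appliance hostname is passed as the first argument.

```python
import socket
import ssl
import sys
import warnings

VERSIONS = {  # protocol versions to probe, oldest first
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def probe(host, port, version, timeout=5.0):
    """True: handshake completed at exactly `version`; False: TLS handshake
    refused or timed out; None: TCP connection failed, so nothing was tested."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # the certificate is not validated here:
    ctx.verify_mode = ssl.CERT_NONE  # only the accepted protocol version is checked
    # Recent OpenSSL builds refuse TLS 1.0/1.1 at the default security level,
    # which would make a server that still offers them look clean.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    with warnings.catch_warnings():  # Python 3.10+ warns on TLS 1.0/1.1
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return True
    except (ssl.SSLError, OSError):
        return False
    finally:
        sock.close()

def scan(host, port=443):  # port 443 for the appliance UI is an assumption
    return {name: probe(host, port, v) for name, v in VERSIONS.items()}

def audit(results, allowed=("TLSv1.2",)):
    """Names of versions the server accepted that policy does not allow."""
    return [name for name, ok in results.items() if ok and name not in allowed]

if __name__ == "__main__":
    results = scan(sys.argv[1])  # appliance hostname or IP
    if None in results.values():
        sys.exit("could not connect; nothing verified")
    violations = audit(results)
    print("FAIL: " + ", ".join(violations) if violations else "PASS")
    sys.exit(1 if violations else 0)
```

For the interim setting discussed above (1.1 and 1.2 enabled), call `audit(results, allowed=("TLSv1.1", "TLSv1.2"))`. A `False` for TLS 1.0 is only meaningful if the local OpenSSL build can still speak TLS 1.0.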