Enabling the collection of metadata for devices that use TLS 1.0 or 1.1

Because of known security vulnerabilities with TLS 1.0 and 1.1, TLS 1.2 is used to initiate communication between the data collector and your devices. For devices that don't support TLS 1.2, you can enable the data collector to initiate communication for the collection of metadata by using TLS 1.0 or 1.1.

About this task

If you disable TLS 1.2 and use TLS 1.0 or 1.1, you might expose your organization to security risks. Instead of enabling TLS 1.0 or 1.1 with devices that don't support TLS 1.2, IBM® strongly recommends that you contact your vendor to upgrade your devices to a version that supports TLS 1.2.

Important: IBM is not responsible or liable for any security issues that occur when you disable TLS 1.2 and enable TLS 1.0 or 1.1. You do so at your own risk. Learn why TLS 1.0 and TLS 1.1 are being deprecated: Memo from Internet Engineering Task Force.

If you change the version of TLS to a lower version, the change affects only the internal communication between your devices that support lower-level protocols and the data collector. The outbound transmission of metadata to IBM Storage Insights is not affected by this change.

How to confirm whether TLS 1.0 and 1.1 are enabled or disabled: Because of known security vulnerabilities, TLS 1.0 and 1.1 are disabled by default for data collectors. However, if you're unsure whether the default settings were changed, you can confirm whether they are currently enabled or disabled. For more information, see https://www.ibm.com/support/pages/node/6579217.

Procedure

  1. Log on to the server where the data collector service is installed.
  2. Open a command window or shell and go to the directory where you installed the data collector package.
  3. To stop the data collector service, choose one of the following options:
    Windows:
      1. From the desktop, click the Start menu, type services.msc, and then press Enter.
      2. On the Services page, right-click the service name that begins with IBM Spectrum Control Storage Insights data collector and select Stop.
      Alternatively, from the command prompt, complete these steps:
      1. Click the Start menu and type cmd.
      2. In the data collector directory, type dataCollector.bat stop, and then press Enter.
    AIX® or Linux®:
      In the data collector directory, type dataCollector.sh stop, and then press Enter.
  4. Complete one of these actions:
    • On Windows, go to Data Collector Installation\jre\lib\security.
    • On AIX or Linux, go to Data Collector Installation/jre/lib/security.
  5. Create a backup copy of the java.security file.
    Save it with a different name so it can be more easily identified later, such as java.securitybackup_tlsdisabled.
  6. Open the original java.security file in an editor and remove the text TLSv1, TLSv1.1 from this line.
    jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 1024, TLSv1, TLSv1.1, EC keySize < 224, anon, NULL
  7. Save the file.
  8. Choose one of the following options to restart the data collector service:
    Windows:
      1. From the desktop, click the Start menu, type services.msc, and then press Enter.
      2. On the Services page, right-click the service name that begins with IBM Spectrum Control Storage Insights data collector and select Start.
      Alternatively, from the command prompt, complete these steps:
      1. Click the Start menu and type cmd.
      2. In the data collector directory, type dataCollector.bat start, and then press Enter.
    AIX or Linux:
      In the data collector directory, type dataCollector.sh start, and then press Enter.

Results

The data collector can initiate communication with and collect metadata from devices that use TLS 1.0 or TLS 1.1.
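
To check which state a collector's java.security file is in, before or after the edit in step 6, the following added example (not IBM code) reports whether TLSv1 and TLSv1.1 are still listed in jdk.tls.disabledAlgorithms. The function names are hypothetical and the sample file is constructed; the script also handles a value that is split across lines with backslash continuations and a commented-out copy of the property.

```shell
#!/bin/sh
# Added example (not IBM code): audit jdk.tls.disabledAlgorithms in java.security.

# Print the effective property value on one line: joins backslash
# continuations, strips CRs, skips comment lines; the last definition wins.
disabled_algorithms() {
    awk '
        !cont && /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/\r$/, "", line); sub(/^[ \t]+/, "", line)
            cont = (line ~ /\\$/)
            sub(/\\$/, "", line)
            buf = buf line
            if (cont) next
            if (buf ~ /^jdk\.tls\.disabledAlgorithms[ \t]*[=:]/) {
                sub(/^[^=:]*[=:][ \t]*/, "", buf); value = buf
            }
            buf = ""
        }
        END { print value }
    ' "$1"
}

# protocol_status FILE PROTOCOL prints "disabled" or "enabled". Entries are
# compared as whole comma-separated tokens, so TLSv1 never matches TLSv1.1.
protocol_status() {
    disabled_algorithms "$1" | awk -v want="$2" '
        {
            n = split($0, item, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", item[i])
                if (item[i] == want) found = 1
            }
        }
        END { print (found ? "disabled" : "enabled") }
    '
}

# Constructed sample: a partial edit that removed TLSv1 but left TLSv1.1.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# jdk.tls.disabledAlgorithms=TLSv1, TLSv1.1
jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 1024, \
    TLSv1.1, EC keySize < 224, anon, NULL
EOF
for p in TLSv1 TLSv1.1; do
    echo "$p: $(protocol_status "$sample" "$p")"
done
rm -f "$sample"
```

On a real collector, pass the java.security path from step 4 to protocol_status instead of the sample file, and compare the result with the backup copy from step 5.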