SCX supported cipher suites

Roman Annenko 141 Reputation points
2020-09-25T13:07:46.313+00:00

Hi all!
I've got the task to bring the SCX agents' network exchange in line with audit requirements.

SCOM must connect to agents with TLS 1.2 using Diffie-Hellman ephemeral cipher suites only.
I set the "sslciphersuite" config parameter in omiserver.conf to different values but all I've managed to achieve is:

Preferred TLSv1.2 256 bits 0x9D AES256-GCM-SHA384
Accepted TLSv1.2 256 bits 0x3D AES256-SHA256
Accepted TLSv1.2 128 bits 0x9C AES128-GCM-SHA256
Accepted TLSv1.2 128 bits 0x3C AES128-SHA256

Tried these:

sslciphersuite=HIGH:!TLSv1:!RC4:!DES
sslciphersuite=HIGH:ECDHE+AESGCM:ECDHE+AES:!TLSv1:!RC4:!DES
sslciphersuite=ECDHE+AESGCM:ECDHE+AES:DHE+AES:!TLSv1:!RC4:!DES
All of them give the same result shown above.

Agents are deployed on Oracle Linux Server 7.7; agent versions are 1.5.1-256 (SCOM 2012 R2) and 1.6.0-163 (SCOM 1807).
Does SCX (omiserver) support the required cipher suites, and how do I make it work?


1 answer

  1. Crystal-MSFT 45,166 Reputation points Microsoft Vendor
    2020-09-28T01:30:23.707+00:00

    @Roman Annenko, based on my research, SSLCipherSuite accepts the following prefixes:

    none : Adds the cipher to the list
    + : Adds the cipher to the list and places it in the correct location in the list
    - : Removes the cipher from the list (can be added later)
    ! : Removes the cipher from the list permanently

    Here are the articles for the reference:
    https://docs.oracle.com/middleware/12213/webtier/administer-ohs/GUID-C76BCA2A-9C28-4D16-9758-9346FBCF7512.htm#HSADM1016
    https://www.leaderssl.com/news/471-how-to-disable-outdated-versions-of-ssl-tls-in-apache
    Note: Non-Microsoft links, just for reference.

    Meanwhile, I find that the default SSL cipher configuration on a UNIX or Linux computer is governed by the SSL package that is installed as part of the operating system. The SSL cipher configuration typically allows connections with a variety of ciphers, including older ciphers of lower strength. While Operations Manager does not use these lower-strength ciphers, having port 1270 open with the possibility of using a lower-strength cipher contradicts the security policy of some organizations. We can check the version of the operating system on the server and check whether the cipher suite is supported.
    https://learn.microsoft.com/en-us/system-center/scom/manage-security-crossplat-config-sslcipher?view=sc-om-2019

    Hope it can help.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
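To make the prefix rules in the answer concrete, here is a small Python model of how an OpenSSL-style cipher-list string (the format `sslciphersuite` takes) is resolved, run over the three strings from the question. This is an example added to the thread, not code from the original post, from OMI/SCX, or from OpenSSL: the cipher table is constructed, the `HIGH` keyword is simplified to "AES suites", and only the keywords that appear in the thread (plus `kRSA`, OpenSSL's keyword for static RSA key exchange) are modelled. What it shows is which suites each string asks for; whether omiserver actually offers them is a separate matter that the model cannot answer.

```python
"""Toy resolver for OpenSSL cipher-list strings (the sslciphersuite format).

Constructed for this thread. It is NOT OpenSSL's implementation; it models
only the prefixes (none, +, -, !) and keywords used in the discussion.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str   # OpenSSL suite name
    kx: str     # key exchange: "ECDHE" / "DHE" (ephemeral) or "RSA" (static)
    enc: str    # bulk cipher
    mac: str    # "AEAD" for GCM suites, otherwise the HMAC hash
    proto: str  # "TLSv1": legacy suite usable from SSLv3/TLS1.0; "TLSv1.2": TLS 1.2 only


# Constructed table, ordered the way a 1.0.2-era OpenSSL prefers (ephemeral first).
CIPHERS = [
    Cipher("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE", "AES256", "AEAD", "TLSv1.2"),
    Cipher("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE", "AES128", "AEAD", "TLSv1.2"),
    Cipher("ECDHE-RSA-AES256-SHA", "ECDHE", "AES256", "SHA", "TLSv1"),
    Cipher("DHE-RSA-AES256-GCM-SHA384", "DHE", "AES256", "AEAD", "TLSv1.2"),
    Cipher("DHE-RSA-AES128-SHA256", "DHE", "AES128", "SHA256", "TLSv1.2"),
    Cipher("AES256-GCM-SHA384", "RSA", "AES256", "AEAD", "TLSv1.2"),
    Cipher("AES256-SHA256", "RSA", "AES256", "SHA256", "TLSv1.2"),
    Cipher("AES128-GCM-SHA256", "RSA", "AES128", "AEAD", "TLSv1.2"),
    Cipher("AES128-SHA256", "RSA", "AES128", "SHA256", "TLSv1.2"),
    Cipher("AES256-SHA", "RSA", "AES256", "SHA", "TLSv1"),
    Cipher("RC4-SHA", "RSA", "RC4", "SHA", "TLSv1"),
    Cipher("DES-CBC3-SHA", "RSA", "3DES", "SHA", "TLSv1"),
    Cipher("DES-CBC-SHA", "RSA", "DES", "SHA", "TLSv1"),
]

# Keyword predicates. "HIGH" is simplified to "AES suites" for this model.
KEYWORDS = {
    "HIGH": lambda c: c.enc.startswith("AES"),
    "AES": lambda c: c.enc.startswith("AES"),
    "AESGCM": lambda c: c.enc.startswith("AES") and c.mac == "AEAD",
    "RC4": lambda c: c.enc == "RC4",
    "DES": lambda c: c.enc == "DES",      # single DES only; triple DES is "3DES" in OpenSSL
    "3DES": lambda c: c.enc == "3DES",
    "ECDHE": lambda c: c.kx == "ECDHE",
    "DHE": lambda c: c.kx == "DHE",
    "kRSA": lambda c: c.kx == "RSA",
    "TLSv1": lambda c: c.proto == "TLSv1",
    "TLSv1.2": lambda c: c.proto == "TLSv1.2",
}


def matches(cipher, token):
    """A '+' inside a token (e.g. ECDHE+AESGCM) means every keyword must match."""
    return all(KEYWORDS[k](cipher) for k in token.split("+"))


def resolve(rulestr, table=CIPHERS):
    """Apply the rule string left to right and return the selected suite names in order."""
    enabled = []      # ordered list being built
    killed = set()    # names removed with '!' can never be re-added
    for rule in rulestr.split(":"):
        if not rule:
            continue
        prefix, token = (rule[0], rule[1:]) if rule[0] in "+-!" else ("", rule)
        hits = [c for c in table if matches(c, token)]
        if prefix == "":
            # no prefix: append matching suites not already present (and not killed)
            for c in hits:
                if c not in enabled and c.name not in killed:
                    enabled.append(c)
        elif prefix == "+":
            # '+': move already-enabled matches to the end of the list
            enabled = [c for c in enabled if c not in hits] + [c for c in enabled if c in hits]
        elif prefix == "-":
            # '-': remove, but a later rule may add them back
            enabled = [c for c in enabled if c not in hits]
        else:
            # '!': remove permanently
            killed.update(c.name for c in hits)
            enabled = [c for c in enabled if c not in hits]
    return [c.name for c in enabled]


def ephemeral_only(rulestr):
    """True when every suite the string selects uses DHE or ECDHE key exchange."""
    by_name = {c.name: c for c in CIPHERS}
    names = resolve(rulestr)
    return bool(names) and all(by_name[n].kx != "RSA" for n in names)


if __name__ == "__main__":
    for s in ("HIGH:!TLSv1:!RC4:!DES",
              "HIGH:ECDHE+AESGCM:ECDHE+AES:!TLSv1:!RC4:!DES",
              "ECDHE+AESGCM:ECDHE+AES:DHE+AES:!TLSv1:!RC4:!DES"):
        print(s, "-> ephemeral only:", ephemeral_only(s))
        for n in resolve(s):
            print("   ", n)
```

Two things the run makes visible: the first two strings both start with `HIGH`, which already pulls in the static-RSA suites (`AES256-GCM-SHA384` and friends from the question's scan), and adding `ECDHE+AESGCM` afterwards without a `+` prefix changes nothing because those suites are already in the list; the third string resolves to DHE/ECDHE suites only. `!kRSA` versus `-kRSA` shows the difference between the permanent and the reversible removal the answer describes.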