SQL native client for TLS1.2
Ever try to talk to someone when language is a barrier?
Sure, we can run an app, or search our phrase to pronounce, but it's so much better when we can communicate seamlessly.
Post TLS1.2 for SCOM
Let's talk SQL
Part of enabling TLS1.2 is updating SQL Native Client so that connections to SQL go through a client that supports TLS1.2.
That means a different executable should be called.
Why is that important in SCOM?
Maybe you have management packs that connect to SQL or run external commands.
On the MS (management server), there are multiple clues for the various errors from management packs that use SSL or talk to SQL via a non-TLS method. NOTE: this may mean that the SQL DB the management pack connects to needs the same prerequisite SQL updates to a TLS 1.2 enabled version.
- Do you have custom SQL queries being run, CMDB gets, OLE DB Data Source checks?
- Any Event ID 1401 or 11854 events in the Operations Manager Event log?
- These events identify management pack scripts creating SCHANNEL events
a. Event ID 1401 event example
Cause
SQLOLEDB connection strings will cause 36871 System Log events
Example (TLS1.0)
sConnectString = "PROVIDER=SQLOLEDB;DATA SOURCE=<databaseServerFQDN>;DATABASE=MSSQLSERVER;trusted_connection=yes"
SQLNCLI11 driver for TLS1.2 connection strings
Example (TLS1.2)
sConnectString = "Provider=SQLNCLI11;DATA SOURCE=<databaseServerFQDN>;DATABASE=MSSQLSERVER;trusted_connection=yes"
Identify
Look for management packs with SQLOLEDB as the Connect string to reduce 36871 SCHANNEL events
In Windows Explorer, use the Advanced Options dropdown to select File Contents
In the Search bar (top right), enter SQLOLEDB (example shows SQLNCLI11)
NOTE SQL Discovery group pack IS compliant
In Windows Explorer, use the Advanced Options dropdown to select File Contents
In the Search bar (top right), enter SQLNCLI11
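The same search can be scripted. The PowerShell below is an added example, not part of the original post or of any SCOM tooling; it assumes the management packs have already been exported as unsealed .xml files into one folder. The function name Find-MpSqlProvider, the demo folder, and the two sample files are constructed for illustration.

```powershell
# Added example (not from the original post): list connection-string providers
# found in exported, unsealed management pack XML and flag SQLOLEDB.
function Find-MpSqlProvider {
    param(
        [Parameter(Mandatory)] [string] $Path   # folder holding exported MP .xml files
    )
    # "Provider=<name>" in any case, with optional spaces around '='.
    $pattern = '\bprovider\s*=\s*(?<name>[A-Za-z0-9_.]+)'
    Get-ChildItem -Path $Path -Filter *.xml -Recurse -File |
        Select-String -Pattern $pattern -AllMatches |
        ForEach-Object {
            foreach ($m in $_.Matches) {
                $name   = $m.Groups['name'].Value
                $legacy = $name -like 'SQLOLEDB*'       # also catches SQLOLEDB.1
                # Proposed text for the Resolution step; empty when already compliant.
                $suggested = ''
                if ($legacy) {
                    $suggested = ($_.Line -replace '\bprovider\s*=\s*SQLOLEDB(\.\d+)?', 'Provider=SQLNCLI11').Trim()
                }
                [pscustomobject]@{
                    File      = $_.Path
                    Line      = $_.LineNumber
                    Provider  = $name
                    Legacy    = $legacy
                    Suggested = $suggested
                }
            }
        }
}

# Constructed sample input: two files carrying the connection strings shown on this page.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'mp-provider-scan-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'Sample.Legacy.xml') -Value 'sConnectString = "PROVIDER=SQLOLEDB;DATA SOURCE=<databaseServerFQDN>;DATABASE=MSSQLSERVER;trusted_connection=yes"'
Set-Content -Path (Join-Path $demo 'Sample.Updated.xml') -Value 'sConnectString = "Provider=SQLNCLI11;DATA SOURCE=<databaseServerFQDN>;DATABASE=MSSQLSERVER;trusted_connection=yes"'
Find-MpSqlProvider -Path $demo | Format-List
Remove-Item -Path $demo -Recurse -Force
```

Rows with Legacy set to True are the packs to unseal and update; the Suggested column is only a proposed edit and changes nothing on disk.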
Additional offenders
HP Topology MP
SQL 2005 discovery MP (discontinued)
SQL Addendum MPs (will work to update these with Holman)
SharePoint Foundation server (v15.0.4557.1000)
PRE TLS Microsoft.SystemCenter.2007
Resolution
Unseal (if necessary), update connection string, and reimport management packs
If it is a sealed vendor MP, request a new MP via support incident (and/or UserVoice if it is a Microsoft-sourced pack)
If the vendor will not release MPs, accept the risk with the logged errors, update the MP, or remove it from SCOM