Use TLS 1.2 with Deep Security

If you want to enable TLS 1.2 with only strong, A+-rated cipher suites, see instead Enable TLS 1.2 strong cipher suites. Use of strong cipher suites may cause compatibility issues.

Transport Layer Security (TLS), and the earlier Secure Sockets Layer (SSL), are encryption protocols that enable secure connections between different endpoints. When Deep Security components need to communicate, they determine the latest mutually-supported version of the encryption protocol and then use that version to secure all communication for the duration of their session. The latest version of TLS is 1.2. SSL has been discontinued due to security issues.

Trend Micro strongly recommends that you use TLS 1.2 communication between all its components. This page describes the benefits of TLS 1.2, and how to use and enforce it in your Deep Security environment.

TLS 1.2 architectures

The diagrams below show the TLS communication in the Deep Security architecture.

Figure 1 shows the TLS communication in a Deep Security as a Service environment. You can see that 10.0 or higher agents communicate with Deep Security as a Service over TLS 1.2, while 9.6 versions communicate over early TLS. Similarly, newer third-party applications use TLS 1.2, while older ones use early TLS. It is not possible to enforce TLS 1.2 if you're using Deep Security as a Service.

Figure 2 shows the TLS communication in an on-premise deployment, when TLS 1.2 is not enforced (the default). You can see that 10.0 or higher agents communicate with Deep Security Manager over TLS 1.2, while 9.6 versions communicate over early TLS. Similarly, newer third-party applications and virtual appliances use TLS 1.2, while older ones use early TLS.

Figure 3 shows the TLS communication when TLS 1.2 is enforced. You can see that the 9.6 agents can no longer communicate with Deep Security Manager, and neither can older third-party applications. For details on enforcement, see Enforce TLS 1.2.

Figure 1: Deep Security as a Service; TLS 1.2 is not enforced

Figure 2: On-premise; TLS 1.2 is not enforced

Figure 3: On premise; TLS 1.2 is enforced

Use TLS 1.2 without enforcing it

To use TLS 1.2 without enforcing it, just make sure your components support TLS 1.2. TLS 1.2 is automatically used when both components support it.

Follow the instructions below to verify that your Deep Security components support TLS 1.2 and upgrade them if needed.

If you want to enforce TLS 1.2 and prevent the use of early TLS and SSL, see instead Enforce TLS 1.2.

Verify and upgrade your Deep Security Manager

Verify your Deep Security Manager database

  • If you're using Microsoft SQL Server as your Deep Security Manager database, make sure the database supports TLS 1.2, and if not, upgrade it. See this Microsoft article for guidance.
  • If you're using an Oracle database, only Oracle's native encryption is supported for database-manager communication, not TLS, so no action is necessary.
  • By default, there is no encryption between the database (SQL Server or Oracle) and Deep Security Manager. You can enable it manually.

Verify your Deep Security Agents

  • If you have existing Deep Security Agents, make sure they're at version 10.0 or higher. Only 10.0 or higher agents support TLS 1.2.

If some agents are left un-upgraded (that is, they are pre-10.0), those agents communicate over early TLS, and you won't be able to enforce TLS 1.2.

To upgrade your agents:

  1. Import the latest Deep Security Agent software into Deep Security Manager, either manually or automatically. See Update Deep Security software for details.
  2. Upgrade your Deep Security Agents:

Verify your Deep Security Relays

  • Make sure you're using one of the following versions of Deep Security Relay, and if not, upgrade it:
    • Use Deep Security Relay 10.0 update 8 or later if you're planning to Enforce TLS 1.2 on the relay. Only 10.0 update 8 and higher relays support TLS 1.2 enforcement.
    • Use Deep Security Relay 10.0 or later if you're not planning to Enforce TLS 1.2 on the relay. Only 10.0 and higher relays support TLS 1.2 communication.

To upgrade a relay, follow the same process as upgrading an agent:

  1. Import the latest Deep Security Relay software into Deep Security Manager, either manually or automatically. See Update Deep Security software for details.
  2. Upgrade the relay:

Verify your Deep Security Virtual Appliance

This section applies only to on-premise installations of Deep Security Manager.

Make sure you're using Deep Security Virtual Appliance 10.0 or higher. To upgrade the appliance, see Upgrade the Deep Security Virtual Appliance.

  • The minimum vSphere and NSX software versions required for the virtual appliance already support TLS 1.2. See System requirements for details.

Enforce TLS 1.2

TLS 1.2 enforcement is not available for Deep Security as a Service deployments.

If you want, you can enforce the use of TLS 1.2 so that early TLS (1.0, 1.1) and SSL are disallowed.

Where can TLS 1.2 be enforced?

There are two enforcement points:

  • on the Deep Security Manager
  • on the Deep Security Relays

What happens when TLS 1.2 is enforced?

When TLS 1.2 is enforced, the manager and relays stop accepting early TLS (1.0, 1.1) and SSL connections, and any applications that try to use one of these older protocols are denied access and cease to function properly.

If you choose not to enforce TLS 1.2, the manager and relays still accept early TLS and SSL as well as TLS 1.2 connections. This means that both older and newer applications are able to connect.

When is TLS 1.2 enforcement possible (and not possible)?

You can only enforce TLS 1.2 if all Deep Security Agents have been upgraded to 10.0 or later, which is the version at which TLS 1.2 is supported.

You cannot enforce TLS 1.2 if:

  • you are protecting an older OS, such as Windows 2000, for which a 10.0 or later agent is not available. Check the supported platforms list to see if a 10.0 or later agent is available for your OSs.
  • you are using third-party components that are older and need to use early TLS or SSL to communicate with Deep Security Manager.

If it is not possible to upgrade all your agents, you can still enforce TLS 1.2 on just the manager's GUI port. See Enforce TLS 1.2 on just the manager's GUI port (4119) for details.

Enforce TLS 1.2 on Deep Security Manager

  1. Before you begin, make sure that all your components support TLS 1.2. See Use TLS 1.2 without enforcing it.
  2. On the Deep Security Manager computer, open the java.security file. On Windows, the default location is c:\Program Files\Trend Micro\Deep Security Manager\jre\lib\security\.
  3. Append TLSv1, TLSv1.1 to the end of the following line (or add the whole line, if it doesn't exist):

    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, DES40_CBC, RC4_40,TLSv1, TLSv1.1

    This setting disables various weak algorithms and protocols in the Java Runtime on Deep Security Manager. See this page for details: https://www.java.com/en/configure_crypto.html.

  4. Save the file.
  5. Restart the Deep Security Manager service.

Enforce TLS 1.2 on the Deep Security Relay

  1. Before you begin, make sure that all your components support TLS 1.2. See Use TLS 1.2 without enforcing it.
  2. On Deep Security Manager, at a command prompt, enter:

    dsm_c -action changesetting -name "settings.configuration.restrictRelayMinimumTLSProtocol" -value "TLSv1.2"

    This command updates all the policies associated with all your Deep Security Relays with the new TLS 1.2 requirement.

  3. Resend the policies associated with your relays:
    1. In Deep Security Manager, click Computers and find one of your relays in the list of computers. If you're not sure which ones are your relays, at the top, click Administration. On the left, expand Updates and then click Relay Groups. In the main pane, double-click a relay group. Look under the Members heading to see your relays.
    2. Double-click the relay in the list of computers.
    3. In the main pane, click the Actions tab.
    4. Click Send Policy to resend the policy.
    5. Resend the policy to each of your relays.

Enforce TLS 1.2 on just the manager's GUI port (4119)

Only read this section if you were unable to do a full enforcement on the Deep Security Manager and Relays as described previously in Enforce TLS 1.2 on Deep Security Manager and Enforce TLS 1.2 on the Deep Security Relay.

This section describes how to set the minimum TLS version to TLS 1.2 on port 4119. Applications that connect on port 4119 are typically web browsers and REST or SOAP API clients. Older Deep Security components that do not support TLS 1.2 can continue to connect to the manager (on port 4120, by default) using early TLS or SSL.

  1. Disable early TLS and SSL on the manager's GUI port (4119) (it is possible that it's already disabled):
    1. Open the configuration.properties file in the root of the Deep Security Manager installation directory.
    2. Under serviceName=, look for the protocols= setting.

      This setting defines the protocols that can be used to connect to Deep Security Manager when it is acting as a server to web browsers and REST or SOAP API clients.

    3. If the protocols= setting is not present, add the following line so that only TLS 1.2 is allowed on port 4119:

      protocols=TLSv1.2

    4. Save the file.
  2. Enable older versions of SSL and TLS in the Java Runtime so that older Deep Security Agents and Appliances can continue to connect to the Deep Security Manager on port 4120 by default:

    1. On the Deep Security Manager computer, open the java.security file. On Windows, the default location is c:\Program Files\Trend Micro\Deep Security Manager\jre\lib\security\.
    2. Remove TLSv1 and TLSv1.1 from the following line, if they are present:

      jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, DES40_CBC, RC4_40,TLSv1, TLSv1.1

      This setting disables various weak algorithms and protocols in the Java Runtime on Deep Security Manager. By removing TLSv1 and TLSv1.1, you allow these protocols to be used. Note that the protocols= setting in configuration.properties overrides this one, so early TLS continues to be disallowed on port 4119. See this page for details: https://www.java.com/en/configure_crypto.html.

    3. Save the file.
  3. Restart the Deep Security Manager service.

Test that TLS 1.2 is enforced

  1. Against a Deep Security component where TLS 1.2 is enforced, run the following nmap command:

    nmap --script ssl-enum-ciphers <ds_host> -p <ds_port> -Pn

    where:

    • <ds_host> is replaced with the IP address or hostname of the manager or relay
    • <ds_port> is replaced with the listening port where TLS is being used (4119 for the manager, 4122 for the relay, and 4118 for the agent if manager-initiated activation is used)

    The response should only list TLS 1.2. Example response:

    PORT    STATE SERVICE
    443/tcp open  https
    | ssl-enum-ciphers:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
    |     compressors:
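Reading the scan by eye works for one manager, but across a fleet of relays it is easy to miss an early TLS section buried in the output. The following Python script is an added example (not Trend Micro's code and not part of this page's procedure) that parses nmap's ssl-enum-ciphers output, reports whether TLS 1.2 is the only protocol offered, and lists any cipher suite nmap graded below A (such as the 3DES suite graded C in the response above). The two sample outputs embedded in it are constructed to mirror the format shown above; they are not real captures, and the port and service names in them are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of nmap ssl-enum-ciphers output from an enforced manager,
# modelled on the response shown above (trimmed; not a real capture).
ENFORCED_SAMPLE = """\
PORT     STATE SERVICE
4119/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|_  least strength: C
"""

# Constructed sample from a manager where enforcement was NOT applied:
# early TLS sections appear alongside TLSv1.2.
NOT_ENFORCED_SAMPLE = """\
PORT     STATE SERVICE
4119/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A
"""

# A protocol header line, e.g. "|   TLSv1.2:" (also matches SSLv3 and TLSv1.0/1.1/1.3)
_PROTO_RE = re.compile(r"^\|_?\s+(SSLv3|TLSv1(?:\.[0-3])?):\s*$")
# A cipher line, e.g. "|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C"
_CIPHER_RE = re.compile(r"^\|_?\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

Report = Dict[str, List[Tuple[str, str]]]  # protocol -> [(cipher suite, grade), ...]


def parse_ssl_enum_ciphers(output: str) -> Report:
    """Group the cipher suites nmap lists under each protocol version it found."""
    report: Report = {}
    current = None
    for line in output.splitlines():
        proto = _PROTO_RE.match(line)
        if proto:
            current = proto.group(1)
            report.setdefault(current, [])
            continue
        cipher = _CIPHER_RE.match(line)
        if cipher and current is not None:
            report[current].append((cipher.group(1), cipher.group(3)))
    return report


def tls12_enforced(report: Report) -> bool:
    """True only if TLS 1.2 is the sole protocol offered: no SSL or early TLS section at all."""
    return set(report) == {"TLSv1.2"}


def weak_ciphers(report: Report, minimum_grade: str = "A") -> List[Tuple[str, str, str]]:
    """Cipher suites graded below minimum_grade (nmap grades A best, F worst), e.g. 3DES at C."""
    return [(proto, suite, grade)
            for proto, suites in report.items()
            for suite, grade in suites
            if grade > minimum_grade]


def summarize(output: str) -> str:
    """One-line verdict suitable for a post-change checklist."""
    report = parse_ssl_enum_ciphers(output)
    verdict = "TLS 1.2 enforced" if tls12_enforced(report) else "NOT enforced"
    offered = ", ".join(sorted(report)) or "none"
    return f"{verdict}; protocols offered: {offered}; weak suites: {len(weak_ciphers(report))}"


if __name__ == "__main__":
    import sys
    # Pipe a real scan in (nmap --script ssl-enum-ciphers <host> -p <port> -Pn | python3 this.py),
    # or run without input to see the verdict for the constructed sample.
    print(summarize(sys.stdin.read() if not sys.stdin.isatty() else ENFORCED_SAMPLE))
```

A closed port or a non-TLS service produces no protocol section at all, which the script reports as "NOT enforced" rather than as a pass; treat that result as "scan the right port again", not as evidence of enforcement.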

Disable TLS 1.2 enforcement

If you enforced TLS 1.2 previously, and now need to disable the enforcement so that early TLS (1.0, 1.1) and SSL connections are accepted by the Deep Security Manager and Relay, follow the instructions below.

Disable TLS 1.2 enforcement on Deep Security Manager

  1. On the Deep Security Manager computer, open the java.security file. On Windows, the default location is c:\Program Files\Trend Micro\Deep Security Manager\jre\lib\security\.
  2. Remove TLSv1 and TLSv1.1 from the following line:

    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, DES40_CBC, RC4_40,TLSv1, TLSv1.1

    This setting disables various weak algorithms and protocols in the Java Runtime on Deep Security Manager. By removing TLSv1 and TLSv1.1, you enable them. See this page for details: https://www.java.com/en/configure_crypto.html.

  3. Save the file.
  4. Restart the Deep Security Manager service.

Disable TLS 1.2 enforcement on the manager's GUI port (4119)

  1. Open the configuration.properties file in the root of the Deep Security Manager installation directory.
  2. Under serviceName=, add the following line, exactly as shown:

    protocols=TLSv1,TLSv1.1,TLSv1.2

    This setting defines the protocols that can be used to connect to Deep Security Manager when it is acting as a server to web browsers and REST or SOAP API clients (on port 4119).

  3. Save the file.
  4. Restart the Deep Security Manager service.
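The manager-side steps in Enforce TLS 1.2 on Deep Security Manager, Enforce TLS 1.2 on just the manager's GUI port (4119), Disable TLS 1.2 enforcement on Deep Security Manager and Disable TLS 1.2 enforcement on the manager's GUI port (4119) all come down to editing two lines by hand: jdk.tls.disabledAlgorithms in java.security and protocols= in configuration.properties. The Python script below is an added example (not Trend Micro's code or tooling) that makes those edits idempotently on file contents, so repeated runs do not append TLSv1, TLSv1.1 twice and a rollback restores the line cleanly. It assumes the files use the standard Java properties syntax, including backslash line continuation, which shipped java.security files often use for this property; the excerpts embedded in it are constructed, and the serviceName value in the sample is a placeholder. Restarting the Deep Security Manager service afterwards is still required, as the steps above say.

```python
from typing import List

JAVA_KEY = "jdk.tls.disabledAlgorithms"
GUI_KEY = "protocols"
# The two entries the enforcement steps add to (or remove from) jdk.tls.disabledAlgorithms
EARLY_TLS = ("TLSv1", "TLSv1.1")
# Baseline value copied from the example line above; used only when the property is absent
DEFAULT_DISABLED = "SSLv3, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, DES40_CBC, RC4_40"

# Constructed excerpt of a java.security file (not a real file); the property is
# wrapped with a backslash continuation, as in many shipped JRE files.
SAMPLE_JAVA_SECURITY = """\
# constructed excerpt, not a real java.security
securerandom.source=file:/dev/random
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, DES40_CBC, RC4_40
jdk.certpath.disabledAlgorithms=MD2, MD5
"""

# Constructed excerpt of configuration.properties (not a real file; serviceName value is a placeholder)
SAMPLE_CONFIG_PROPERTIES = """\
# constructed excerpt, not a real configuration.properties
serviceName=Trend Micro Deep Security Manager
"""


def _logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines into one logical line each, as the Java
    properties parser does (leading whitespace of a continuation line is dropped)."""
    out: List[str] = []
    buf = ""
    for raw in text.splitlines():
        piece = raw.lstrip() if buf else raw
        if piece.rstrip().endswith("\\"):
            buf += piece.rstrip()[:-1]
            continue
        out.append(buf + piece)
        buf = ""
    if buf:
        out.append(buf)
    return out


def set_java_tls_enforcement(java_security: str, enforce: bool) -> str:
    """Return java.security contents with TLSv1 and TLSv1.1 present in
    (enforce=True) or absent from (enforce=False) jdk.tls.disabledAlgorithms.
    Other entries on the line, such as SSLv3 and RC4, are left untouched."""
    lines = _logical_lines(java_security)
    found = False
    for i, line in enumerate(lines):
        key, sep, value = line.partition("=")
        if not sep or key.strip() != JAVA_KEY:
            continue  # skips comments and other properties
        items = [v.strip() for v in value.split(",") if v.strip()]
        items = [v for v in items if v not in EARLY_TLS]  # remove first, so adding is idempotent
        if enforce:
            items.extend(EARLY_TLS)
        lines[i] = f"{JAVA_KEY}={', '.join(items)}"
        found = True
    if not found and enforce:
        # "add the whole line, if it doesn't exist"
        lines.append(f"{JAVA_KEY}={DEFAULT_DISABLED}, {', '.join(EARLY_TLS)}")
    return "\n".join(lines) + "\n"


def set_gui_protocols(configuration_properties: str, protocols: str) -> str:
    """Set protocols= (the port 4119 listener's allowed versions) in
    configuration.properties, inserting it under serviceName= if it is absent."""
    lines = configuration_properties.splitlines()
    new_line = f"{GUI_KEY}={protocols}"
    for i, line in enumerate(lines):
        if line.partition("=")[0].strip() == GUI_KEY:
            lines[i] = new_line
            break
    else:
        for i, line in enumerate(lines):
            if line.partition("=")[0].strip() == "serviceName":
                lines.insert(i + 1, new_line)
                break
        else:
            lines.append(new_line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Demonstration on the constructed excerpts; on a real manager, read the file,
    # pass its contents through, write the result back, then restart the service.
    print(set_java_tls_enforcement(SAMPLE_JAVA_SECURITY, enforce=True))
    print(set_gui_protocols(SAMPLE_CONFIG_PROPERTIES, "TLSv1.2"))
```

For the GUI-port-only variant, call set_java_tls_enforcement with enforce=False and set_gui_protocols with "TLSv1.2"; the protocols= value overrides the Java setting on port 4119, as the steps above note, while port 4120 keeps accepting early TLS. Keep a copy of the original files before writing the result back.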

Disable TLS 1.2 enforcement on the Deep Security Relay

  1. On Deep Security Manager, at a command prompt, enter:

    dsm_c -action changesetting -name "settings.configuration.restrictRelayMinimumTLSProtocol" -value "TLSv1"

    This command updates all the policies associated with all your Deep Security Relays so that the minimum accepted protocol is early TLS 1.0.

  2. Resend the policies associated with your relays:
    1. In Deep Security Manager, click Computers and find one of your relays in the list of computers. If you're not sure which ones are your relays, at the top, click Administration. On the left, expand Updates and then click Relay Groups. In the main pane, double-click a relay group. Look under the Members heading to see your relays.
    2. Double-click the relay in the list of computers.
    3. In the main pane, click the Actions tab.
    4. Click Send Policy to resend the policy.
    5. Resend the policy to each of your relays.

Guidelines for deploying agents, virtual appliances, and relays after TLS 1.2 is enforced

This section discusses special considerations when deploying agents, virtual appliances and relays when TLS 1.2 is enforced. If you did not enforce TLS 1.2, then there are no special considerations, and you do not need to read this section.

General guidelines for deploying new agents and relays when TLS 1.2 is enforced

  • You must deploy 10.0 or later agents and relays. Only 10.0 or later agents and relays support TLS 1.2.
  • If you need to deploy a 9.6 or earlier Deep Security Agent or Relay, you must disable TLS 1.2 enforcement wherever it was enforced (either on the manager, on the relay, or on the manager's GUI port 4119).

Guidelines for using deployment scripts when TLS 1.2 is enforced

After you enable TLS 1.2 enforcement, you can install 10.0 or later agents and relays using deployment scripts. Below are some guidelines to ensure the deployment scripts work:

  1. If you are deploying an agent or relay onto Windows computers, use PowerShell 4.0 or higher, which supports TLS 1.2.
  2. If you are deploying onto Windows XP, 2003, or 2008, where PowerShell 4.0 is not supported, see the Workaround below.
  3. If you are deploying an agent or relay onto Linux, use curl 7.34.0 or higher, which supports TLS 1.2.
  4. If you are deploying onto Linux 6, which uses curl 7.19 by default, do one of the following:
    • upgrade to curl 7.34.0 or later, OR
    • see the Workaround below

Workaround

If you enforced TLS 1.2, and...

  • you are deploying onto Windows XP, 2003, or 2008, where PowerShell 4.0 is not supported, OR
  • you are deploying onto a Linux 6 computer with curl 7.19 that cannot be upgraded,

  do this:

    1. From Deep Security Manager, download the agent installation package for your operating system. See Get Deep Security Agent software for details.
    2. Copy the installation package to your web server.
    3. Follow the instructions in Use a deployment script to add and protect computers, but instead of using Deep Security Manager to generate the script, use the Windows script or Linux script that is provided below.

    Windows script:

    You must set the baseUrl variable to the URL of your agent package on your web server.

    $env:LogPath = "$env:appdata\Trend Micro\Deep Security Agent\installer"
    # -Force lets the script be re-run without an error when the log directory already exists
    New-Item -path $env:LogPath -type directory -Force | Out-Null
    Start-Transcript -path "$env:LogPath\dsa_deploy.log" -append
    echo "$(Get-Date -format T) - DSA download started"
    # Set this to the URL of the agent package on your web server
    $baseUrl = "<server/package>"
    # The download below uses $sourceUrl; it is taken from $baseUrl so only one value needs editing
    $sourceUrl = $baseUrl
    echo "$(Get-Date -format T) - Download Deep Security Agent Package" $sourceUrl
    (New-Object System.Net.WebClient).DownloadFile($sourceUrl, "$env:temp\agent.msi")
    if ( (Get-Item "$env:temp\agent.msi").length -eq 0 ) {
        echo "Failed to download the Deep Security Agent. Please check if the package is on the server. "
        exit 1
    }
    echo "$(Get-Date -format T) - Downloaded File Size:" (Get-Item "$env:temp\agent.msi").length
    echo "$(Get-Date -format T) - DSA install started"
    # Silent install; msiexec writes a verbose log next to the transcript
    echo "$(Get-Date -format T) - Installer Exit Code:" (Start-Process -FilePath msiexec -ArgumentList "/i $env:temp\agent.msi /qn ADDLOCAL=ALL /l*v `"$env:LogPath\dsa_install.log`"" -Wait -PassThru).ExitCode
    Stop-Transcript
    echo "$(Get-Date -format T) - DSA Deployment Finished"

    Linux script:

    Use the script that is appropriate for your Linux distribution.

    Replace <server/package> with the URL of the agent package on your web server.

    For Linux distributions that use the RPM Package Manager:

    #!/usr/bin/env bash
    # --fail stops curl from saving an HTTP error page as the package
    curl <server/package> -o /tmp/agent.rpm --silent --fail
    rpm -ihv /tmp/agent.rpm

    For Debian-based Linux distributions:

    #!/usr/bin/env bash
    # --fail stops curl from saving an HTTP error page as the package
    curl <server/package> -o /tmp/agent.deb --silent --fail
    dpkg -i /tmp/agent.deb

Guidelines for deploying the Deep Security Virtual Appliance when TLS 1.2 is enforced

After enforcing TLS 1.2, if you need to deploy a new virtual appliance, make sure you deploy version 10.0 or higher. Use the instructions in other parts of this Help Center to do the deployment. No special tasks are required.