How to implement Transport Layer Security 1.2

Important

This version of Operations Manager has reached the end of support; we recommend that you upgrade to Operations Manager 2019.

This topic describes how to enable Transport Layer Security (TLS) protocol version 1.2 for a System Center Operations Manager management group.

Perform the following steps to enable TLS protocol version 1.2:

Note

Microsoft OLE DB Driver 18 for SQL Server (recommended) is supported with Operations Manager 2016 UR9 and later.

  1. Install SQL Server 2012 Native Client 11.0 or Microsoft OLE DB Driver 18 for SQL Server on all management servers and the Web console server.
  2. Install .NET Framework 4.6 on all management servers, gateway servers, the Web console server, and the SQL Server hosting the Operations Manager databases and the Reporting Server role.
  3. Install the required SQL Server update that supports TLS 1.2.
  4. Install ODBC 11.0 or ODBC 13.0 on all management servers.
  5. For System Center 2016 - Operations Manager, install Update Rollup 4 or later.
  6. Configure Windows to use only TLS 1.2.
  7. Configure Operations Manager to use only TLS 1.2.

Operations Manager generates SHA1 and SHA2 self-signed certificates. This is required to enable TLS 1.2. If CA-signed certificates are used, make sure that the certificates are either SHA1 or SHA2.

Note

If your security policies restrict TLS 1.0 and 1.1, installing a new Operations Manager 2016 management server, gateway server, Web console, or Reporting Services role will fail, because the setup media does not include the updates that support TLS 1.2. The only way to install these roles is to enable TLS 1.0 on the system, apply Update Rollup 4, and then enable TLS 1.2 on the system. This limitation does not apply to Operations Manager version 1801.

Configure Windows to use only the TLS 1.2 protocol

Use one of the following methods to configure Windows to use only the TLS 1.2 protocol.

Method 1: Manually modify the registry

Important

Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry so that you can restore it if problems occur.

Use the following steps to enable or disable all SCHANNEL protocols system-wide. We recommend that you enable only the TLS 1.2 protocol for incoming communications, and enable the TLS 1.2, TLS 1.1, and TLS 1.0 protocols for all outgoing communications.

Note

Making these registry changes does not affect the use of the Kerberos or NTLM protocols.

  1. Log on to the server by using an account that has local administrative credentials.

  2. Start Registry Editor: right-click Start, type regedit in the Run text box, and then click OK.

  3. Locate the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.

  4. Under Protocols, create a subkey for each of SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.

  5. Under each protocol version subkey you created, create a Client and a Server subkey. For example, the subkeys for TLS 1.0 would be HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client and HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server.

  6. To disable a protocol, create the following DWORD values under its Server and Client subkeys:

    • Enabled [Value = 0]
    • DisabledByDefault [Value = 1]
  7. To enable the TLS 1.2 protocol, create the following DWORD values under HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client and HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server:

    • Enabled [Value = 1]
    • DisabledByDefault [Value = 0]
  8. Close Registry Editor.

Method 2: Automatically modify the registry

Run the following Windows PowerShell script in an elevated (Administrator) session to configure Windows to use only the TLS 1.2 protocol.

# Protocol versions and the Client/Server sides to configure under the SCHANNEL key.
$ProtocolList       = @("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2")
$ProtocolSubKeyList = @("Client", "Server")
$DisabledByDefault  = "DisabledByDefault"
$Enabled            = "Enabled"
$registryPath       = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"

foreach ($Protocol in $ProtocolList)
{
    Write-Host " In 1st For loop"
    foreach ($key in $ProtocolSubKeyList)
    {
        $currentRegPath = $registryPath + $Protocol + "\" + $key
        Write-Host " Current Registry Path $currentRegPath"

        # Create the <protocol>\<Client|Server> subkey if it does not exist yet.
        if (!(Test-Path $currentRegPath))
        {
            Write-Host "creating the registry"
            New-Item -Path $currentRegPath -Force | Out-Null
        }
        if ($Protocol -eq "TLS 1.2")
        {
            # TLS 1.2: Enabled = 1 and DisabledByDefault = 0 turn the protocol on for this side.
            Write-Host "Working for TLS 1.2"
            New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value 0 -PropertyType DWORD -Force | Out-Null
            New-ItemProperty -Path $currentRegPath -Name $Enabled -Value 1 -PropertyType DWORD -Force | Out-Null
        }
        else
        {
            # Every other protocol: Enabled = 0 and DisabledByDefault = 1 turn it off for this side.
            Write-Host "Working for other protocol"
            New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value 1 -PropertyType DWORD -Force | Out-Null
            New-ItemProperty -Path $currentRegPath -Name $Enabled -Value 0 -PropertyType DWORD -Force | Out-Null
        }
    }
}

Exit 0

Configure Operations Manager to use only TLS 1.2

After you have configured all prerequisites for Operations Manager, perform the following steps on all management servers, on the server hosting the Web console role, and on every Windows computer on which the agent is installed.

Important

Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before making any modifications, back up the registry so that you can restore it if problems occur.

Manually modify the registry

  1. Log on to the server by using an account that has local administrative credentials.
  2. Start Registry Editor: right-click Start, type regedit in the Run text box, and then click OK.
  3. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319.
  4. Under this subkey, create the DWORD value SchUseStrongCrypto with a value of 1.
  5. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319.
  6. Under this subkey, create the DWORD value SchUseStrongCrypto with a value of 1.
  7. Restart the system for the settings to take effect.

Automatically modify the registry

Run the following Windows PowerShell script in an elevated (Administrator) session to configure Operations Manager to use only the TLS 1.2 protocol.

# Tighten up the .NET Framework: SchUseStrongCrypto = 1 for 64-bit .NET applications
$NetRegistryPath = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value 1 -PropertyType DWORD -Force | Out-Null

# The same setting for 32-bit .NET applications (WOW6432Node view of the key)
$NetRegistryPath = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value 1 -PropertyType DWORD -Force | Out-Null
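Both scripts above only write registry values; nothing reads the result back, and the SCHANNEL values and SchUseStrongCrypto take effect only after a restart. The following PowerShell audit is an added example, not part of the original article or of Operations Manager, that reads the same keys the steps above use and reports the effective state of each protocol side and of SchUseStrongCrypto. It checks against the TLS 1.2-only state that Method 2 writes, so if you followed the recommendation to leave TLS 1.0 and 1.1 enabled for outgoing (Client) communications, the Client rows for those protocols will be flagged deliberately. A protocol whose keys are absent is reported as "OS default", because Windows then applies its built-in default for that version rather than an explicit policy.

```powershell
# Added example (not from the article): audit the SCHANNEL and .NET registry
# settings described above. Assumes the standard key paths used in the steps;
# run in an elevated PowerShell session on the server being checked.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')
$NetKeys      = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-DwordOrNull {
    # Returns the DWORD value, or $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-ProtocolVerdict {
    # Same rule the manual steps use: off means Enabled=0 and DisabledByDefault=1,
    # on means Enabled=1 and DisabledByDefault=0. Anything else is worth a look.
    param($Enabled, $DisabledByDefault)
    if ($null -eq $Enabled -and $null -eq $DisabledByDefault) { return 'OS default (keys absent)' }
    if ($Enabled -eq 0 -and $DisabledByDefault -eq 1) { return 'Disabled' }
    if ($Enabled -eq 1 -and $DisabledByDefault -eq 0) { return 'Enabled' }
    return 'Inconsistent'
}

function Get-SchannelState {
    # One row per protocol and side (Client = outgoing, Server = incoming).
    foreach ($proto in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $path    = Join-Path $SchannelRoot "$proto\$side"
            $enabled = Get-DwordOrNull -Path $path -Name 'Enabled'
            $dbd     = Get-DwordOrNull -Path $path -Name 'DisabledByDefault'
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $dbd
                State             = Get-ProtocolVerdict -Enabled $enabled -DisabledByDefault $dbd
            }
        }
    }
}

function Get-NetStrongCryptoState {
    # SchUseStrongCrypto must be 1 in both the 64-bit and the WOW6432Node key.
    foreach ($key in $NetKeys) {
        $value = Get-DwordOrNull -Path $key -Name 'SchUseStrongCrypto'
        [pscustomobject]@{
            Key                = $key
            SchUseStrongCrypto = $value
            State              = if ($value -eq 1) { 'Strong crypto on' } else { 'Not set to 1' }
        }
    }
}

$schannel = Get-SchannelState
$schannel | Format-Table -AutoSize
Get-NetStrongCryptoState | Format-Table -AutoSize

# Flag any side that still allows a protocol other than TLS 1.2, and any
# TLS 1.2 side that is not explicitly enabled.
$findings = $schannel | Where-Object {
    ($_.Protocol -ne 'TLS 1.2' -and $_.State -ne 'Disabled') -or
    ($_.Protocol -eq 'TLS 1.2' -and $_.State -ne 'Enabled')
}
if ($findings) {
    Write-Warning 'The following SCHANNEL entries do not match a TLS 1.2-only configuration:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'SCHANNEL is configured for TLS 1.2 only on both Client and Server.'
}
```

Run it once before the change to record the starting state, and again after the restart to confirm that the values took effect; keeping both outputs gives you a before/after record for the change ticket.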

Additional settings

If this is being implemented for System Center 2016 - Operations Manager, after you apply Update Rollup 4, be sure to import the management packs included in that rollup, which are located in the following directory: \Program Files\Microsoft System Center 2016\Operations Manager\Server\Management Packs for Update Rollups.

If you are monitoring a supported version of Linux with Operations Manager, follow the instructions on the appropriate website for your distribution to configure TLS 1.2.

Audit Collection Services

For Audit Collection Services (ACS), you must make additional changes in the registry on the ACS Collector server. ACS uses a DSN to connect to the database, and you must update the DSN settings so that they work with TLS 1.2.

  1. Log on to the server by using an account that has local administrative credentials.

  2. Start Registry Editor: right-click Start, type regedit in the Run text box, and then click OK.

  3. Locate the following ODBC subkey for OpsMgrAC: HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\OpsMgrAC.

    Note

    The default name of the DSN is OpsMgrAC.

  4. Under the ODBC Data Sources subkey, select the DSN name OpsMgrAC. Its value is the name of the ODBC driver used for the database connection. If you have ODBC 11.0 installed, change this value to ODBC Driver 11 for SQL Server; if you have ODBC 13.0 installed, change it to ODBC Driver 13 for SQL Server.

  5. Under the OpsMgrAC subkey, update the Driver entry for the ODBC version that is installed.

    • If ODBC 11.0 is installed, change the Driver entry to %WINDIR%\system32\msodbcsql11.dll.
    • If ODBC 13.0 is installed, change the Driver entry to %WINDIR%\system32\msodbcsql13.dll.

    Alternatively, create and save the following .reg file in Notepad or another text editor. To apply the saved .reg file, double-click it.

    • For ODBC 11.0, create the following ODBC 11.0.reg file:

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources]
      "OpsMgrAC"="ODBC Driver 11 for SQL Server"

      [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\OpsMgrAC]
      "Driver"="%WINDIR%\\system32\\msodbcsql11.dll"

    • For ODBC 13.0, create the following ODBC 13.0.reg file:

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources]
      "OpsMgrAC"="ODBC Driver 13 for SQL Server"

      [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\OpsMgrAC]
      "Driver"="%WINDIR%\\system32\\msodbcsql13.dll"
      

Next steps