000038977 - How to disable TLS 1.0 and 1.1 in RSA Archer to help with performance in 6.6 and beyond

Document created by RSA Customer Support Employee on Jun 9, 2020

Article Number: 000038977
Applies To: Versions: RSA Archer 6.6x, especially important in 6.7x+
Issue: Issues present as slow save conditions and unexpected errors.

With the new security measures, RSA Archer has issues when TLS 1.0 and 1.1 are still enabled on ANY server in the deployment, including the database server.

Some or all of the following errors will be noted in the Windows System log with a source of "Schannel":

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 42. The Windows SChannel error state is 250.

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

Tasks: TLS 1.0 and 1.1 must be disabled on ALL servers, for both the client and server roles, and the servers must then be rebooted.

Resolution: There are two options to disable TLS 1.0 and TLS 1.1:

OPTION 1:
If you are allowed to install software on your server, get this free tool:
https://www.nartac.com/Products/IISCrypto

It lets you adjust the settings by checking or unchecking boxes, and the tool does the work.

OPTION 2:
You will need to edit the registry.
Both the Client and Server keys must be changed on all servers, including the database server. Servers must be rebooted when the change is complete.

Edit the registry keys for TLS 1.0 and 1.1 (whichever are present) under the following path and set both to disabled:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

For both options:
Additional things that need to be checked:
  • You have run the Archer installer and recreated a new SHA512 certificate with the installer. You can check the certificate in the certificate store.
  • You have added the following registry keys on EACH Archer server:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
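The Option 2 registry edits and the SchUseStrongCrypto check above, scripted so they can be applied identically on every Archer and database server and then audited before the reboot. This is an added example, not RSA's own tooling; the function and variable names are my own, and it assumes the standard SCHANNEL convention of Enabled=0 plus DisabledByDefault=1 for a disabled protocol. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the RSA article): disable TLS 1.0/1.1 for both the
# Client and Server roles in SCHANNEL and set SchUseStrongCrypto for .NET 4.x.
# Run elevated on EACH Archer server and the database server, then reboot.
#Requires -RunAsAdministrator

$ProtocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = @('TLS 1.0', 'TLS 1.1')
$Roles        = @('Client', 'Server')
$DotNetKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Disable-LegacyTls {
    foreach ($proto in $Protocols) {
        foreach ($role in $Roles) {
            $key = Join-Path $ProtocolRoot "$proto\$role"
            # Creates the key if absent ("whichever are present" in the article); -Force keeps existing values.
            New-Item -Path $key -Force | Out-Null
            # Enabled=0 plus DisabledByDefault=1 is the documented pair for turning a protocol off.
            New-ItemProperty -Path $key -Name 'Enabled'           -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
    foreach ($key in $DotNetKeys) {
        # Makes .NET 4.x (the Archer web and services tier) negotiate strong crypto (TLS 1.2) by default.
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Test-LegacyTlsDisabled {
    # Read-only audit: returns $true only when every key is in the disabled/strong-crypto state.
    $ok = $true
    foreach ($proto in $Protocols) {
        foreach ($role in $Roles) {
            $p = Get-ItemProperty -Path (Join-Path $ProtocolRoot "$proto\$role") -ErrorAction SilentlyContinue
            $disabled = ($p.Enabled -eq 0) -and ($p.DisabledByDefault -eq 1)   # $null values fail the check
            Write-Host ("{0,-8} {1,-6} disabled={2}" -f $proto, $role, $disabled)
            if (-not $disabled) { $ok = $false }
        }
    }
    foreach ($key in $DotNetKeys) {
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SchUseStrongCrypto
        Write-Host ("SchUseStrongCrypto {0} = {1}" -f $key, $v)
        if ($v -ne 1) { $ok = $false }
    }
    return $ok
}

Disable-LegacyTls
Test-LegacyTlsDisabled   # expect True on every server; the change only takes effect after a reboot
```

The audit function can be run on its own after the reboot to confirm no server was missed.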
Notes: ARCHER-31177 reference