Disabling the TLS 1.0 protocol in Enterprise Vault

book

Article ID: 100041638

calendar_today

Updated On:

Description

How to disable TLS 1.0

 

  1. On the Enterprise Vault server, open the Registry Editor.

  2. Create the following subkey, if it does not already exist:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

  3. Under the Server subkey, create the following entries:

    Name Type Value
    DisabledByDefault DWORD 1
    Enabled DWORD 0

 

How disabling TLS 1.0 may affect some Enterprise Vault functionality

 

You may need to take additional steps to ensure that all Enterprise Vault functionality continues to work as expected, after you disable the TLS 1.0 protocol.

Note: Weak protocols and ciphers are blocked in EV version 12.4 and later.  For more information refer to the Weak protocols and ciphers are blocked section of the Upgrade Instructions document. 

User access through the Enterprise Vault Outlook Add-In for Windows and Client for Mac OS X

 

After you disable TLS 1.0, users cannot use either of the following to access their archived items:

  • The Enterprise Vault Outlook Add-In on computers that are running Windows 7 Original Release. To restore access, encourage any affected users to upgrade to Windows 7 Service Pack 1 and its latest updates.
  • The Enterprise Vault Client for Mac OS X. Veritas is currently investigating this issue, which may be resolved in a future version of the software.

To ensure that Windows users can continue to access Enterprise Vault through the Outlook Add-In and browser-based facilities like Enterprise Vault Search, they must check that TLS 1.1 and TLS 1.2 are enabled in Internet Explorer.

To check that TLS 1.1 and TLS 1.2 are enabled

  1. On the user's computer, open Internet Explorer.
  2. On the Tools menu, click Internet Options.
  3. Click the Advanced tab.
  4. Browse to the Security settings.
  5. Ensure that both Use TLS 1.1 and Use TLS 1.2 are selected.

 

Enterprise Vault facilities that use WinHTTP

After you disable TLS 1.0, issues can arise with several Enterprise Vault facilities that use Microsoft Windows HTTP Services (WinHTTP). For example:

  • Users with Vault Caches may be unable to access the items in them.
  • OWA 2010 users may be unable to open or restore archived items, or archive items manually.

On any computer where these issues arise, you can resolve them by ensuring that both TLS 1.1 and TLS 1.2 are fully supported and enabled by default. For instructions on how to do this, see the following article on the Microsoft site:

https://support.microsoft.com/KB/3140245

For example, to specify TLS 1.1 and TLS 1.2 as default secure protocols on the affected computer, assign the value 0x00000A00 to the registry entry DefaultSecureProtocols under the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

 

.NET 4.5.2-based applications

 

.NET 4.5.2-based applications that access the Enterprise Vault virtual directories in Internet Information Services (IIS) may be unable to do so after you disable TLS 1.0. One example of such an application is the sample search application in the Archive Discovery Search Service (ADSS) SDK. However, you may have other, third-party applications that access these virtual directories. You can restore access by setting the registry entry SchUseStrongCrypto on the computer where you have installed the .NET application.

To set the SchUseStrongCrypto registry entry

  1. On the computer where you have installed the .NET 4.5.2-based application, open the Registry Editor.

  2. Navigate to the following subkey:

    • For 32-bit .NET Framework: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    • For 64-bit .NET Framework: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
  3. Under the v4.0.30319 subkey, create a DWORD entry called SchUseStrongCrypto and give it a value of 1.

 

Enterprise Vault and SQL Server on the same computer

 

For security reasons, we strongly recommend that you do not install Enterprise Vault and SQL Server on the same computer. However, if you do want to do this, it is important to note that connectivity issues can arise between the two after you disable TLS 1.0. To resolve these issues, you may need to re-enable TLS 1.0 by removing the registry entries with which you disabled it.

Powered by Wolken Software