Some Dell management consoles (for example, OpenManage Essentials) may lose communication with discovered iDRAC 7/8 devices after those devices are upgraded to firmware 2.40.40.40, or with CMCs running version 5.21 (M1000e), 2.2 (VRTX), or 1.4 (FX2) and higher.
Because of known vulnerabilities in the Transport Layer Security (TLS) 1.0 protocol, the recommended remediation is to disable TLS 1.0 and rely on TLS 1.1 and 1.2. Beginning with iDRAC firmware 2.40.40.40, TLS 1.0 is disabled by default. CMC firmware 5.21 and higher (M1000e), 2.2 and higher (VRTX), and 1.4 and higher (FX2) enables only TLS 1.2. Before upgrading, make sure that your operating systems, remote devices, and web browsers fully support TLS 1.1 and 1.2; otherwise communication can fail with Dell devices and within the following Dell management consoles:
Most currently released browsers and operating systems already support TLS 1.1 and 1.2 and have them enabled by default. However, some older Windows operating systems and Internet Explorer versions either do not support TLS 1.1 and 1.2 at all, or support them but leave them disabled by default.
Verifying your Operating Systems
Refer to Table 1 to help you identify which Windows operating systems will be affected by this change:
Table 1: Operating System Support Matrix
Operating System                   TLS 1.0     TLS 1.1                          TLS 1.2
Windows Vista                      Supported   Not Supported                    Not Supported
Windows Server 2008                Supported   Not Supported                    Not Supported
Windows 7                          Supported   Supported, disabled by default   Supported, disabled by default
Windows Server 2008 R2             Supported   Supported, disabled by default   Supported, disabled by default
Windows Server 2012                Supported   Supported, disabled by default   Supported, disabled by default
Windows 8.1 and Newer              Supported   Supported                        Supported
Windows Server 2012 R2 and Newer   Supported   Supported                        Supported
Note: For more information on the TLS protocols, refer to Wikipedia article Transport Layer Security.
Verifying your Internet Explorer and TLS 1.1 and 1.2 Support
Internet Explorer 8 is no longer supported by Microsoft as of January 12, 2016.
Systems running IE 9 and 10 will need to have TLS 1.1 and/or TLS 1.2 enabled before being able to negotiate at these newer security protocol versions.
Internet Explorer 11 and higher have TLS 1.1 and 1.2 enabled by default.
Note: For more information on Internet Explorer support boundaries, refer to the Microsoft Internet Explorer Support Matrix.
Verifying your iDRAC/CMC and TLS 1.1 and 1.2 Support
Supported TLS protocols can differ between iDRAC and CMC firmware versions. Use Table 2 below to identify which iDRACs and/or CMCs in your environment will require an upgrade to support TLS 1.1 and 1.2.
Table 2: iDRAC and CMC TLS Support Matrix
Firmware Version                      TLS 1.0     TLS 1.1         TLS 1.2
iDRAC 6 Modular < 3.65                Supported   Not Supported   Not Supported
iDRAC 6 Modular 3.75+                 Supported   Supported       Supported
iDRAC 6 < 1.98                        Supported   Not Supported   Not Supported
iDRAC 6 1.99+                         Supported   Supported       Supported
iDRAC 7 < 1.66.65                     Supported   Not Supported   Not Supported
iDRAC 7/8 2.10.10.10 to 2.30.30.30    Supported   Supported       Supported
iDRAC 7/8 2.40.40.40+                 Disabled    Supported       Supported
CMC M1000e 5.2+                       Disabled    Disabled        Supported
CMC VRTX 2.2+                         Disabled    Disabled        Supported
CMC FX2 1.4+                          Disabled    Disabled        Supported
"Disabled" means the protocol is supported by the firmware but turned off by default; it can be turned back on with the RACADM commands later in this article.
Dell recommends updating your iDRACs and/or CMCs to the latest firmware to take advantage of the latest features and updates. If your iDRAC or CMC has been identified as NOT supporting TLS 1.1 and 1.2, visit the Dell Support Site to download the latest firmware release.
Windows Vista and Server 2008
These Windows operating systems do not support TLS 1.1 or 1.2 at all. The only way to use the newer protocols is to upgrade the operating system.
Windows 7, Server 2008 R2, and 2012
These Windows operating systems support TLS 1.1 and 1.2, but both protocols are disabled by default.
Proceed to Microsoft Knowledge Base article "Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows" and follow the instructions provided to obtain the update and make the required registry changes.
Important: Installing the Microsoft hotfix by itself is not enough; it must be accompanied by the required registry changes, or the iDRAC will remain in the undesired state in the console (for example, Unknown). Reboot the server after making the registry changes.
Windows 8.1 and Server 2012 R2
No changes are needed. TLS 1.1 and 1.2 are already supported and enabled by default.
Internet Explorer 9 and 10
For systems running IE 9 or 10, perform the following to enable TLS 1.1 and/or TLS 1.2:
- Open the Internet Properties control panel (inetcpl.cpl).
- Click the Advanced tab.
- Under the Security section of the Settings list, select the Use TLS 1.1 and Use TLS 1.2 check boxes (Figure 1).
Figure 1: Security section of Internet Properties
Note: These changes can also be deployed using Group Policies.
For more information, refer to Microsoft Technet article "Managing Browser Settings with Group Policy Tools".
Internet Explorer 11 and newer
For systems running Internet Explorer 11 or newer, no changes are needed since TLS 1.1 and 1.2 are fully supported and enabled by default.
iDRAC Web GUI and RACADM
The iDRAC Web GUI and remote RACADM rely on the same Windows TLS stack that Internet Explorer uses to connect securely, so they are affected by the same operating system settings. Use the procedure outlined in the "Preparation for Enabling TLS 1.1/1.2" section of this article to ensure you can still connect to the iDRAC after TLS 1.0 is disabled.
RACADM with System Accounts
If RACADM runs under a system-based service account (an account other than an interactive local user), additional registry keys are needed for TLS 1.1 and 1.2 to function properly. See the "More information" section of the following Microsoft Knowledge Base article: https://support.microsoft.com/en-us/kb/3140245 (applies to Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2012).
Note: Some systems may require you to follow the instructions in Microsoft Article 2977292: Microsoft security advisory: Update for Microsoft EAP implementation that enables the use of TLS: October 14, 2014 before TLS 1.1 and 1.2 are fully enabled.
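The registry changes behind the Windows 7 / Server 2008 R2 / Server 2012 and Internet Explorer 9/10 procedures above, collected into one PowerShell script. This is an added example, not Dell's or Microsoft's own script. It assumes an elevated session, the default registry locations, and that the KB3140245 update is installed (the script only warns when Get-HotFix does not list it, since a later cumulative update can include it). The bit values it writes (0x80 = TLS 1.0, 0x200 = TLS 1.1, 0x800 = TLS 1.2) are Microsoft's documented values for DefaultSecureProtocols (WinHTTP) and SecureProtocols (WinINet/Internet Explorer). Per-user Internet Explorer settings for service accounts are not covered here; follow the KB article for those.

```powershell
# Added example, not from the Dell article: enable TLS 1.1/1.2 for WinHTTP, Schannel and
# Internet Explorer on Windows 7 SP1 / Server 2008 R2 SP1 / Server 2012. Run elevated, then reboot.

$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# WinHTTP ignores DefaultSecureProtocols unless the KB3140245 update (or a later cumulative
# update that contains it) is installed: the registry change alone does not enable anything.
if (-not (Get-HotFix -Id KB3140245 -ErrorAction SilentlyContinue)) {
    Write-Warning 'KB3140245 is not listed by Get-HotFix; install it (or confirm a superseding update) before relying on this change.'
}

# Protocol bits shared by DefaultSecureProtocols (WinHTTP) and SecureProtocols (WinINet / Internet Explorer)
$TLS10 = 0x80; $TLS11 = 0x200; $TLS12 = 0x800

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

# 1. WinHTTP, the API the referenced KB article covers (non-browser clients). TLS 1.1 + TLS 1.2 = 0x00000A00.
$winHttpKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {   # 32-bit processes on a 64-bit OS read the Wow6432Node copy
    $winHttpKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
}
foreach ($key in $winHttpKeys) {
    Set-RegistryDword -Path $key -Name 'DefaultSecureProtocols' -Value ($TLS11 -bor $TLS12)
}

# 2. Schannel client side: make sure TLS 1.1 and 1.2 are enabled and not "disabled by default".
foreach ($proto in 'TLS 1.1', 'TLS 1.2') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Client"
    Set-RegistryDword -Path $key -Name 'Enabled' -Value 1
    Set-RegistryDword -Path $key -Name 'DisabledByDefault' -Value 0
}

# 3. Internet Explorer 9/10 for the current user: the same effect as ticking "Use TLS 1.1" and
#    "Use TLS 1.2" in Internet Properties > Advanced. TLS 1.0 stays on because the older iDRAC 6
#    firmware in Table 2 speaks nothing newer; SSL 3.0 is dropped.
Set-RegistryDword -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
    -Name 'SecureProtocols' -Value ($TLS10 -bor $TLS11 -bor $TLS12)   # 0xA80

Write-Host 'Registry updated. Reboot the server so WinHTTP and Schannel pick up the change.'
```

The script changes machine-wide values under HKLM and one per-user value under HKCU, so run it as the account that will use Internet Explorer; the Group Policy route in the article achieves the same for many users at once. Keep TLS 1.0 enabled on the station only as long as devices from Table 2 that support nothing newer remain in the environment.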
Modifying TLS setting on iDRAC 6 firmware 2.90 (Monolithic) or 3.85 (Modular) and higher
Use the following local RACADM command to modify the TLS setting on an iDRAC 6 running firmware 2.90 (Monolithic) or 3.85 (Modular) and higher:
racadm tlsEncryptionStrength set 1 --webserverrestart
NOTE: The --webserverrestart parameter is optional.
For remote iDRACs, use the following remote RACADM command:
racadm -r (IP_or_FQDN_iDRAC) -u (username) -p (password) tlsEncryptionStrength set 1 --webserverrestart
0 = TLS 1.0 and higher
1 = TLS 1.1 and higher
Modifying TLS setting on iDRAC 7/8 firmware 2.40.40.40 and higher
Use the following local RACADM command to modify the TLS setting on an iDRAC 7/8 running firmware 2.40.40.40 and higher:
racadm set iDrac.WebServer.TlsProtocol 1
For remote iDRACs, use the following remote RACADM command:
racadm -r (IP_or_FQDN_iDRAC) -u (username) -p (password) set iDrac.WebServer.TlsProtocol 1
0 = TLS 1.0 and higher
1 = TLS 1.1 and higher
2 = TLS 1.2 only
Modifying TLS setting on CMC firmware 5.2 (M1000e), 2.2 (VRTX), 1.4 (FX2) and higher
Use the following local RACADM command to modify the TLS setting on a CMC running firmware 5.2 (M1000e), 2.2 (VRTX), 1.4 (FX2) and higher:
racadm config -g cfgRacTuning -o cfgRacTuneTLSProtocolVersionEnable 1
For remote CMCs, use the following remote RACADM command:
racadm -r (IP_or_FQDN_CMC) -u (username) -p (password) config -g cfgRacTuning -o cfgRacTuneTLSProtocolVersionEnable 1
0 = TLS 1.0 and higher
1 = TLS 1.1 and higher
2 = TLS 1.2 only
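To apply the iDRAC 7/8 and CMC RACADM settings above across several devices and confirm the result, here is an added PowerShell example that is not Dell's code. It assumes racadm.exe is on the PATH of the management station, that the station runs .NET 4.5 or later (needed for the Tls11 and Tls12 enum members), and a constructed target list whose hostnames are placeholders. The handshake probe accepts any server certificate because iDRAC and CMC ship with self-signed certificates by default; that is acceptable for checking which protocol versions a device offers, not for management traffic. As in the article's own commands, racadm receives the password on its command line, where other local users can see it in a process listing.

```powershell
# Added example, not from the Dell article: set the TLS minimum on iDRAC 7/8 and CMC devices with
# RACADM and verify it with a direct TLS handshake from the management station.
# Requires .NET 4.5+ (SslProtocols.Tls11/Tls12) and racadm.exe on PATH.

$Targets = @(                                     # constructed sample inventory (placeholder hostnames)
    @{ Host = 'idrac-r730-01.example.internal'; Kind = 'iDRAC' }
    @{ Host = 'cmc-vrtx-01.example.internal';   Kind = 'CMC'   }
)
$Cred = Get-Credential -Message 'iDRAC/CMC administrator account'
$User = $Cred.UserName
$Pass = $Cred.GetNetworkCredential().Password     # racadm takes the password on its command line, as in the article

function Test-TlsHandshake {
    # $true if the device completes a handshake when the client offers only $Protocol.
    param([string]$HostName, [System.Security.Authentication.SslProtocols]$Protocol, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # The validation callback always returns $true: iDRAC/CMC use self-signed certificates by
        # default and this probe only cares about the negotiated protocol version.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $ssl.Dispose()
        return $true
    } catch {
        return $false
    } finally {
        $tcp.Close()
    }
}

function Get-TlsSupport {
    param([string]$HostName)
    $support = @{}
    foreach ($name in 'Tls', 'Tls11', 'Tls12') {
        $support[$name] = Test-TlsHandshake -HostName $HostName -Protocol ([System.Security.Authentication.SslProtocols]$name)
    }
    return $support
}

function Format-TlsSupport {
    param([hashtable]$Support)
    return 'TLS1.0={0} TLS1.1={1} TLS1.2={2}' -f $Support.Tls, $Support.Tls11, $Support.Tls12
}

foreach ($t in $Targets) {
    $before = Get-TlsSupport -HostName $t.Host
    Write-Host ('{0} before: {1}' -f $t.Host, (Format-TlsSupport $before))

    # A failed TLS 1.2 probe means either the firmware is too old (Table 2) or this station cannot
    # speak TLS 1.2 itself (Table 1). Restricting the device now would lock this station out.
    if (-not $before.Tls12) {
        Write-Warning "$($t.Host): no TLS 1.2 handshake; fix the firmware or the station first, skipping."
        continue
    }

    # 2 = TLS 1.2 only. Use 1 (TLS 1.1 and higher) instead while a console in Table 1 still needs TLS 1.1.
    if ($t.Kind -eq 'iDRAC') {
        & racadm -r $t.Host -u $User -p $Pass set iDrac.WebServer.TlsProtocol 2
    } else {
        & racadm -r $t.Host -u $User -p $Pass config -g cfgRacTuning -o cfgRacTuneTLSProtocolVersionEnable 2
    }
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$($t.Host): racadm exited with code $LASTEXITCODE; setting not applied."
        continue
    }

    Start-Sleep -Seconds 20                        # give the embedded web server time to apply the new setting
    $after = Get-TlsSupport -HostName $t.Host
    Write-Host ('{0} after:  {1}' -f $t.Host, (Format-TlsSupport $after))
    if ($after.Tls -or $after.Tls11 -or -not $after.Tls12) {
        Write-Warning "$($t.Host): TLS 1.0/1.1 still accepted or TLS 1.2 missing; re-check after the web server restarts."
    }
}
```

Run it from the same management station that hosts the Dell console, so the "before" probe also proves that the station's own TLS stack (Table 1) can reach the device over TLS 1.2. The TLS 1.2-only value (2) is the stronger choice where every client supports it, because TLS 1.1 has since been deprecated as well; fall back to value 1 only for the consoles or browsers that still need TLS 1.1.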