Hello Dojo Community,
we have a cluster of 5 DMAs that host a couple of Cisco Nexus elements. The Cisco Nexus protocol uses SNMP and NX API to poll data from Cisco Nexus Ethernet switches. On most agents this is working fine and both communication paths are running fine. On one recently added agent we see in a communication capture that the handshake for the secure NX API communication is executed using SSLv3 instead of TLS 1.2 like on all other agents. This causes the handshake to fail.
When we execute the same API commands outside of DataMiner from the server OS we see that TLS 1.2 is used.
I understand that DataMiner normally uses the default Windows settings for choosing the Transport Layer Security method.
Could there be a misconfiguration in DataMiner that overrides this?
I've noticed that the Cisco Nexus connector consumes the NX API through a QAction by use of .NET Framework's HttpClient instead of a dedicated HTTP interface in the connector.
A dedicated HTTP interface is built directly on the native WinHTTP API and will use the registry settings that you've already put in place. HttpClient is actually another layer on top of that and might need some additional settings when targeting .NET Framework 4.6 (and earlier), which is the case for QActions.
In order to make it select the strongest available protocol by default, you'll need to add the SchUseStrongCrypto registry key and set its value to 0x00000001.
HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto: 0x00000001
And on 64-bit versions of Windows, it needs to be stored in the following location as well.
HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto: 0x00000001
As a reference, this procedure is documented in Configure for strong cryptography.
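As an added illustration (not part of the original answer), the following PowerShell script audits both registry locations named above on a DMA and, when run with -Apply, creates the SchUseStrongCrypto DWORD there. It assumes an elevated session; the key paths and the value 0x00000001 are the ones given in the answer.

```powershell
# Added example: audit and optionally set SchUseStrongCrypto in both .NET Framework
# registry locations, so HttpClient in QActions negotiates the strongest TLS version
# Windows offers. Run elevated; running DataMiner processes only pick the change up
# after a restart. Usage:  .\Set-StrongCrypto.ps1        (audit only)
#                          .\Set-StrongCrypto.ps1 -Apply (audit and set)
param([switch]$Apply)

$paths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'   # 64-bit Windows only
)
$name = 'SchUseStrongCrypto'

foreach ($p in $paths) {
    if (-not (Test-Path $p)) {
        # WOW6432Node does not exist on 32-bit Windows; nothing to do there.
        Write-Output "$p : key missing (skipped)"
        continue
    }

    $current = (Get-ItemProperty -Path $p -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current)  { $state = 'not set' }
    elseif ($current -eq 1)  { $state = 'already 0x00000001' }
    else                     { $state = "set to $current" }
    Write-Output "$p\$name : $state"

    if ($Apply -and $current -ne 1) {
        # -Force overwrites a wrong value; DWord matches the documented type.
        New-ItemProperty -Path $p -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Output "  -> set $name = 0x00000001 (DWORD); restart DataMiner to apply"
    }
}
```

Running the audit mode on a working DMA and on the failing one side by side shows whether the two differ only in this value or, as happened in this thread, in the installed .NET versions as well.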
Many thanks. I changed these settings in the registry.
I compared them with the registry settings on the other DMAs that are hosting elements with a functional NX API connection. There these values were not present at all, same as on the DMA with the issue.
So I also checked the installed .NET versions. There were fewer versions installed on the DMA with the issue (.NET 6.13 and .NET 5.0.17 (x86)). So I installed the same versions for x86 and x64 on the agent and restarted the server. After that change the elements could communicate via NX API.
Issue resolved, many thanks for your help!
Update: After setting the default protocol the communication is now using TLS 1.0, but it is still not working correctly. It seems at least TLS 1.1, preferably TLS 1.2, is expected.
https://community.dataminer.services/question/which-version-of-winhttp-and-ssl-tls-is-used-by-default/
Again we tested it outside of DataMiner, and there TLS 1.2 is still used for the API communication.