-
Title
"TLSv1 was negotiated. Please update server and client to use TLSv1.2 at minimum." errors spamming FglAM log file -
Description
FglAM (Foglight Agent Manager) log files are being spammed with messages similar to the following:
ECHO <com.microsoft.sqlserver.jdbc.TDSChannel> WARN [ConnectionManagementThread-[MSSQLPool-HOSTNAME\INSTANCENAME]-[][MSSQLProfile{host='HOSTNAME', instance= 'INSTANCENAME', username='DOMAIN\USERNAME', authType= 'WINDOWS_CUSTOM', port= '0' useNTLMv2= 'true', socketTimeout= '900', database= 'master', secureConnection= 'OFF', packetSize= '0', ApplicationIntent= 'NONE', enforceSSLVersion= 'NONE', lockTimeout= '10000', codePageOverride = '', selectMethod='' }]] com.quest.glue.core.util.JavaLoggingToQuestBridge - TLSv1 was negotiated. Please update server and client to use TLSv1.2 at minimum. -
Cause
FglAM server and monitored host servers should both be configured to allow for TLSv1.2 use.
TLS Protocols Supported by Windows Operating Systems:
Windows OS TLS 1.0 Client TLS 1.0 Server TLS 1.1 Client TLS 1.1 Server TLS 1.2 Client TLS 1.2 Server TLS 1.3 Client TLS 1.3 Server Windows Vista/Windows Server 2008 Enabled Enabled Not supported Not supported Not supported Not supported Not supported Not supported Windows Server 2008 with Service Pack 2 (SP2) Enabled Enabled Disabled Disabled Disabled Disabled Not supported Not supported Windows 7/Windows Server 2008 R2 Enabled Enabled Disabled Disabled Disabled Disabled Not supported Not supported Windows 8/Windows Server 2012 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported Windows 8.1/Windows Server 2012 R2 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported Windows 10, version 1507 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported Windows 10, version 1511 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported Windows 10, version 1607/Windows Server 2016 Standard Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported Windows 10, version 1703 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported Windows 10, version 1709 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported Windows 10, version 1803 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported Windows 10, version 1809//Windows Server 2019 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported Windows 10, version 1903 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported Windows 10, version 1909 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported Windows 10, version 2004 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported Windows 10, version 20H2 Enabled Enabled Enabled Enabled Enabled Enabled Not Supported Not Supported Windows 10, version 21H1 Enabled Enabled Enabled Enabled Enabled Enabled Not Supported Not Supported Windows 10, version 21H2 Enabled Enabled Enabled Enabled Enabled Enabled Not Supported Not Supported Windows Server 2022 Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Windows 11 Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled -
Resolution
Resolution 1
This is the recommended resolution
On both the Foglight Agent Manager and the monitored host server
Enable TLS v1.2 protocol on the Agent Manager Windows server as described in Knowledgebase article 4310066. Modern Operating Systems supported by the FglAM should already support TLS 1.2 and higher..
SQL Server instance on the monitored host
1). For SQL Server 2008, Apply critical updates to the SQL Server instances as per Microsoft Knowledgebase article KB3135244. Note: SQL Server 2005 instances cannot be updated to accept TLS v1.2 connections.
2). Set the SQL Server Agent Status Property value of "Enforce SSL Version" to TLSv1.2, then save the changes and restart the SQL Server agent.
3). If necessary because the messages continue to be printed in the FglAM or agent log files, disable the TLS 1.0 (and TLS 1.1) protocols on the monitored host as per the attached Word document. Users must be logged into Supportlink to view and download this file.
Resolution 2After migrating the agent(s) to a separate FglAM, change the driver from Microsoft to Data Direct as described in KB 4288009. This is suggested as a temporary configuration to monitor older Windows and SQL Server systems until they can be upgraded to a version that supports TLS 1.2 and 1.3.
A separate FglAM should be used to monitor the older systems using the Data Direct driver, with the primary/main FglAM continuing to use the newer Microsoft driver because it has full support and compatibility SQL Server agent functionality.