[DOCS-14083] [OM] Update queryable snapshot/restores to disable TLSv1 and ciphers
Created: 06/Jan/21  Updated: 29/Oct/23  Resolved: 18/Mar/21

Status: Closed
Project: Documentation
Component/s: Ops Manager
Affects Version/s: None
Fix Version/s: None

Type: Improvement
Priority: Major - P3
Reporter: Charles Merrill
Assignee: Anthony Sansone (Inactive)
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

https://docs.opsmanager.mongodb.com/current/reference/configuration/index.html#queryable-snapshot-configuration


Issue Links:
Backports
Participants:
Days since reply: 2 years, 31 weeks, 6 days ago
Epic Link: DOCSP-3127
Story Points: 2

 Description   

https://jira.mongodb.org/browse/CLOUDP-74113
Disable DH-1024 Ciphers for Queryable Backup ProxyServer listener
was resolved in Ops Manager 4.2.22 and 4.4.6

https://jira.mongodb.org/browse/CLOUDP-70734
Ops Manager Queryable Snapshot Proxy Server Port does not enforce minimum TLS version using mms.minimumTLSVersion
was resolved in 4.2.21 and 4.4.5

but per this comment:
"I backported the code; however, I couldn't disable TLSv1 and ciphers by default since it will affect other customers. Please advise this client to put the following in conf-mms.properties:

brs.queryable.tls.disabledProtocols=SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.3
brs.queryable.tls.disabledCiphers=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

These settings are currently undocumented and should possibly be added to the following Documentation for customers to disable TLSv1 and ciphers for queryable snapshot/restores:

Ops Manager Configuration Settings > Queryable Snapshot Configuration
Ops Manager Application Settings > Queryable Snapshot Configuration
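
The following Python check is an added example, not code from Ops Manager or from this ticket: it parses conf-mms.properties text for the two settings quoted above and reports which protocols stay enabled and which DHE suites are not covered by the disabled list. The JSSE protocol baseline, the exact-name matching, the `OFFERED` cipher list and the `SAMPLE` text are assumptions constructed for illustration.

```python
# Added example: audit conf-mms.properties text for the two settings in this ticket.
# Assumption: standard JSSE protocol names form the baseline a Java listener may offer.
JSSE_PROTOCOLS = ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
PROTO_KEY = "brs.queryable.tls.disabledProtocols"
CIPHER_KEY = "brs.queryable.tls.disabledCiphers"

def parse_properties(text):
    """Minimal key=value reader: skips blank lines and #/! comments; last value wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def audit(text, offered_ciphers=()):
    """Report what stays enabled once the disabled lists in `text` are applied."""
    props = parse_properties(text)
    off_protocols = set(split_list(props.get(PROTO_KEY, "")))
    off_ciphers = set(split_list(props.get(CIPHER_KEY, "")))
    remaining = [p for p in JSSE_PROTOCOLS if p not in off_protocols]
    return {
        "remaining_protocols": remaining,
        "legacy_still_enabled": [p for p in remaining if p in LEGACY],
        # This check compares names exactly (assumption), so unlisted DHE suites show up.
        "dhe_still_enabled": [c for c in offered_ciphers
                              if c.startswith("TLS_DHE_") and c not in off_ciphers],
        # Names outside the baseline are likely typos; surface them.
        "unknown_protocol_names": sorted(off_protocols - set(JSSE_PROTOCOLS)),
    }

TICKET_CIPHERS = [  # the six suites listed in the ticket
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"]
# Constructed sample file holding the two lines quoted in the ticket.
SAMPLE = ("# constructed sample\n"
          + PROTO_KEY + "=SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.3\n"
          + CIPHER_KEY + "=" + ",".join(TICKET_CIPHERS) + "\n")
# Constructed list of offered suites; replace with a scan result from your own listener.
OFFERED = TICKET_CIPHERS + ["TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
                            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
```

With the ticket's values, `audit(SAMPLE, OFFERED)` shows TLSv1.2 as the only protocol left enabled, since TLSv1.3 is also in the disabled list.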



 Comments   
Comment by Githook User [ 01/Jul/21 ]

Author:

{'name': 'Anthony Sansone', 'email': 'tony.sansone@mongodb.com', 'username': 'atsansone'}

Message: (DOCSP-15207) Backport DOCS-14083 to v4.4 (#3635)
Branch: v4.4.10
https://github.com/10gen/mms-docs/commit/f901b5c83830eefc9988d297df8fbd72981a5461

Comment by Githook User [ 13/Apr/21 ]

Author:

{'name': 'Anthony Sansone', 'email': 'tony.sansone@mongodb.com', 'username': 'atsansone'}

Message: (DOCS-14083) Added TLS settings for Queryable
Branch: feature-cloud-migration
https://github.com/10gen/mms-docs/commit/14352ea37d6b1707c0d59fe3e74099144f6e9a4e

Comment by Githook User [ 21/Mar/21 ]

Author:

{'name': 'Anthony Sansone', 'email': 'tony.sansone@mongodb.com', 'username': 'atsansone'}

Message: (DOCSP-15207) Backport DOCS-14083 to v4.4 (#3635)
Branch: v4.4
https://github.com/10gen/mms-docs/commit/f901b5c83830eefc9988d297df8fbd72981a5461

Comment by Githook User [ 18/Mar/21 ]

Author:

{'name': 'Anthony Sansone', 'email': 'tony.sansone@mongodb.com', 'username': 'atsansone'}

Message: (DOCS-14083) Added TLS settings for Queryable
Branch: master
https://github.com/10gen/mms-docs/commit/fe85bcae4e72602081b4dc8c8b0dfb5b9de393b0

Comment by Anthony Sansone (Inactive) [ 16/Mar/21 ]

I added these settings for the configuration page only because they were not visible in the Ops Manager Config pages. 

Comment by Anthony Sansone (Inactive) [ 11/Mar/21 ]

xiang.gao: Any objection to documenting these settings?
