Checking TLS compliance

For improved security, Ivanti recommends that TLS v1.2 is used and TLS v1.0 and v1.1 are disabled. You can check which of the servers that Sentry connects with support TLS v1.2 using either of the two methods described below (the tlscheck CLI command or the TLS compliance utility), both run from the Standalone Sentry command line interface (CLI):

Both methods return an OK or FAILED value for each server that is checked.

OK indicates that Ivanti Standalone Sentry is able to successfully connect with the server on TLS v1.2.

FAILED indicates that Ivanti Standalone Sentry cannot connect with the server on TLS v1.2.

The results are also recorded in the log file /var/log/TLSTrafficTool-timestamp.log. The log file is included in ShowTech-All. In case of failure, any additional error message content provided by OpenSSL is displayed and recorded in the log file. Ivanti recommends upgrading the failed servers to support TLS v1.2.

Using CLI command to check TLS compliance

You can use a CLI command instead of the utility.

Use the following Ivanti Standalone Sentry command in EXEC PRIVILEGED mode to check TLS compliance:

tlscheck {all | server <server> [port]}

The command checks the servers that Sentry connects with and returns an OK or FAILED value for each server it checks.

To check TLS compliance for all servers that Ivanti Standalone Sentry connects with, enter the following command:

tlscheck all

To check TLS compliance for specified servers that Ivanti Standalone Sentry connects with, enter the following command:

tlscheck server server [port]

where:

  • server is the IP address or the hostname of the server
  • port is the port on which the server listens. If the port is not specified, 443 is used.
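The following script is an added example, not Ivanti's tlscheck command or the RPM utility, showing how the same OK/FAILED verdict per server can be produced with openssl s_client from any Linux shell: it forces a TLS 1.2 handshake against each host:port (default 443, as with tlscheck server), prints OK or FAILED, and records the verdict plus OpenSSL's diagnostic lines in a timestamped log file. The server list, the log directory (/tmp rather than /var/log) and the log file name are constructed assumptions; replace them with the servers your Sentry is configured to reach.

```shell
#!/bin/sh
# Added example (not Ivanti's tlscheck or TLSTrafficTool). Probes each server
# for TLS 1.2 support with openssl s_client and logs OK/FAILED per server.

LOG_DIR="${TLSCHECK_LOG_DIR:-/tmp}"   # assumption: real tool logs under /var/log
LOG_FILE="$LOG_DIR/tlscheck-$(date +%Y%m%d-%H%M%S).log"

# Constructed server list ("host [port]" per line); stands in for the servers
# Sentry connects with. Port defaults to 443 when omitted.
SERVERS='mail.example.com 443
sharepoint.example.com
10.0.0.5 8443'

# Classify raw s_client output. A failed handshake still prints an SSL-Session
# block with "Protocol  : TLSv1.2" and "Cipher is (NONE)", so the Protocol line
# alone is not a success signal: require a real negotiated cipher as well.
classify_s_client_output() {
    if printf '%s\n' "$1" | grep -q '^New, .*Cipher is ' &&
       ! printf '%s\n' "$1" | grep -q '^New, .*Cipher is (NONE)' &&
       printf '%s\n' "$1" | grep -q '^ *Protocol *: *TLSv1\.2'; then
        echo OK
    else
        echo FAILED
    fi
}

# Probe one server: "tls12_check host [port]". Prints "OK host:port" or
# "FAILED host:port", appends the verdict (and OpenSSL error lines on failure)
# to the log, and returns non-zero on FAILED.
tls12_check() {
    host="$1"; port="${2:-443}"
    # </dev/null closes stdin so s_client exits right after the handshake.
    output=$(openssl s_client -connect "$host:$port" -servername "$host" \
                 -tls1_2 </dev/null 2>&1)
    rc=$?
    verdict=$(classify_s_client_output "$output")
    # A non-zero exit from s_client overrides any optimistic text match.
    [ "$rc" -eq 0 ] || verdict=FAILED
    line="$verdict $host:$port"
    echo "$line"
    echo "$(date '+%Y-%m-%d %H:%M:%S') $line" >> "$LOG_FILE"
    if [ "$verdict" = FAILED ]; then
        # Keep only OpenSSL's diagnostic lines so the log stays readable.
        printf '%s\n' "$output" | grep -i 'error\|alert\|errno\|refused' >> "$LOG_FILE"
    fi
    [ "$verdict" = OK ]
}

# Probe every "host [port]" line in $1; returns non-zero if any server FAILED.
check_servers() {
    status=0
    while read -r host port; do
        [ -n "$host" ] || continue
        tls12_check "$host" "$port" || status=1
    done <<EOF
$1
EOF
    return $status
}

# Command-line shape mirrors "tlscheck {all | server <server> [port]}".
case "${1:-}" in
    all)    check_servers "$SERVERS" ;;
    server) tls12_check "$2" "${3:-443}" ;;
    *)      echo "usage: $0 {all | server <host> [port]}; log: $LOG_FILE" >&2 ;;
esac
```

Run it as `sh tlscheck.sh all` or `sh tlscheck.sh server mail.example.com 443`; the exit status is non-zero when any server FAILED, so it can be wired into a scheduled job that alerts when a peer regresses to TLS 1.0/1.1 only.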

Running TLS compliance utility

Ivanti provides a utility that you can execute from the Standalone Sentry CLI to check whether Sentry can successfully connect with each server on TLS v1.2.

From the Ivanti Standalone Sentry command line interface, enter the following command in EXEC PRIVILEGED mode:

#install rpm url url_for_the_rpm

The command executes a script that checks the servers that Sentry connects with and returns an OK or FAILED value for each server it checks. The script uninstalls after each run.