Enabling cipher suites required for Mercury and Synergis IX integrations on Windows servers - This article explains which cipher suites are required for Mercury integrations on firmware 1.31 and earlier and Synergis IX integrations to work on Windows servers, and how to re-enable them if they were disabled in Group Policy settings. - Mercury | Synergis IX

Product: Synergis IX
Content type: Troubleshooting
Language: English
Last updated: 2025-02-04

Enabling cipher suites required for Mercury and Synergis IX integrations on Windows servers

To integrate Mercury controllers on firmware 1.31 and earlier and Synergis IX controllers on your Windows server, ensure that the required cipher suites are enabled. If the required cipher suites aren't enabled, hardware enrollment fails.

What you should know

The following procedure describes one of many ways to enable cipher suites. If your server is on a Windows domain or managed by local IT, see Manage Transport Layer Security (TLS) in Windows, or contact your IT department.
Specific cipher suites must be enabled, depending on your integration:
Mercury LP controller integration on firmware 1.31 and earlier
Ensure that one of the following is enabled:
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
Mercury EP controller integration on firmware 1.29.7 and earlier
Ensure that the following is enabled:
  • TLS_RSA_WITH_AES_256_CBC_SHA
Synergis IX controller integration
Ensure that one of the following is enabled:
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

For information about enabling the required cipher suites on Streamvault™ appliances, see the Streamvault™ Appliance User Guide.

Procedure

  1. Open the Windows Local Group Policy Editor: open the Start menu, click Run, and type gpedit.msc.
  2. From the left side menu, navigate to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
  3. Double-click SSL Cipher Suite Order.
  4. In the SSL Cipher Suite Order dialog box, select Not Configured, and then click OK.
    NOTE: This step is required to ensure that the changes are retained after a reboot.
  5. Download the IIS Crypto application.
  6. Run the application.
  7. For Mercury EP integrations, enable TLS 1.1 as a Client protocol:
    1. From the side menu, click Schannel.
    2. In the Client Protocols section, select TLS 1.1.
      [Screenshot: IIS Crypto application showing the TLS 1.1 option selected in the Client Protocols section of the Schannel page.]
    3. Click Apply.
  8. From the side menu, click Cipher Suites.
  9. Click Add new cipher suite (+).
  10. In the Add a Cipher Suite dialog box, enter the missing cipher suite, and then click OK.
    The new cipher suite is listed.
  11. Repeat the previous step until all missing cipher suites are added.
  12. At the bottom of the page, click Apply.
  13. In the Reboot is Required dialog box, click OK.
  14. Instead of rebooting the server, restart the Genetec Softwire Controller Host service.

Results

If all the necessary cipher suites were added, the interfaces come back online.
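
The following PowerShell check is an added example, not part of the original article or of Genetec tooling. It only reads the current state and reports, per integration, whether a required cipher suite is enabled. It assumes the built-in Get-TlsCipherSuite cmdlet (Windows Server 2016 or later) and the standard Schannel and Group Policy registry locations.

```powershell
# Added example: read-only audit of the cipher suites listed in this article.
# Assumes the built-in TLS module (Get-TlsCipherSuite); run from an elevated prompt.

# Requirements copied from the article; one enabled suite per integration is enough.
$requirements = [ordered]@{
    'Mercury LP (firmware 1.31 and earlier)'   = @('TLS_RSA_WITH_AES_256_GCM_SHA384',
                                                   'TLS_RSA_WITH_AES_128_GCM_SHA256')
    'Mercury EP (firmware 1.29.7 and earlier)' = @('TLS_RSA_WITH_AES_256_CBC_SHA')
    'Synergis IX'                              = @('TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
                                                   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256')
}

# Cipher suites Schannel currently has enabled.
$enabled = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)

# A configured "SSL Cipher Suite Order" policy is stored in this key (see step 4).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
if ($policy) {
    Write-Warning 'SSL Cipher Suite Order policy is configured; local changes may not persist.'
}

# Report which required suites are present and which are missing.
foreach ($integration in $requirements.Keys) {
    $wanted  = $requirements[$integration]
    $found   = @($wanted | Where-Object { $enabled -contains $_ })
    $missing = @($wanted | Where-Object { $enabled -notcontains $_ })
    [pscustomobject]@{
        Integration = $integration
        Satisfied   = $found.Count -gt 0
        Enabled     = $found -join ', '
        Missing     = $missing -join ', '
    }
}

# Mercury EP integrations also need TLS 1.1 as a client protocol (step 7).
$tls11Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client'
$tls11 = Get-ItemProperty -Path $tls11Key -ErrorAction SilentlyContinue
$state = if (-not $tls11 -or $null -eq $tls11.Enabled) {
    'not set in the registry (operating system default applies)'
} elseif ($tls11.Enabled -eq 0 -or $tls11.DisabledByDefault -eq 1) {
    'disabled or off by default'
} else {
    'enabled'
}
Write-Host "TLS 1.1 client protocol: $state"
```

Run it before the procedure to see which suites are missing, and again after restarting the Genetec Softwire Controller Host service to confirm the change was retained.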