Channel: Data Protector Practitioners Forum topics

Unable to disable ECC on DP 907_110 Cell Manager

Hi,

My DP environment contains over 350 clients, almost half of which are W2K3.

My security colleagues have identified a vulnerability that mandated an upgrade (ultimately) to DP 9.07_110, which I have implemented and will be pushing out to all but the W2K3 clients (since they won't upgrade remotely).

For the W2K3s, it has been recommended that we enable Encrypted Communication Control and use that to mitigate the risk on the older servers. I did this yesterday and switched it on on a handful of clients to see what happened. This morning I arrived in to find that a number of backups and copies had either lost connection or failed with a variety of messages.

Having nothing else to look at for the solution, I decided to turn off ECC, and was able to disable it on all but one of the clients, and not at all on the CM.

I recalled reading somewhere that the Cell_info file held the key, and located the last client. I removed the string "encryption 1" from its entry, saved the file and restarted omniinet.exe on the client before refreshing the GUI, where I could see that the server was now (as far as the GUI was concerned) unencrypted.

Tried again to disable it on the CM (thinking that the issue with the last client had prevented it) but without success. Same result at CLI:

C:\Users\cheyenne>omnicc -encryption -status cheyenne.anpost.net
Client Enabled Enabled(CM) Version
cheyenne.anpost.net true true TLSv1-TLSv1.2

C:\Users\cheyenne>omnicc -encryption -disable cheyenne.anpost.net
ERR: cheyennefs.anpost.net
ERR: cheyenne.anpost.net
ERR: dppdmc04.anpost.net
ERR: dppgpo04.anpost.net
-----
Failed to disable encryption for hosts:
cheyennefs.anpost.net
cheyenne.anpost.net
dppdmc04.anpost.net
dppgpo04.anpost.net

At this point, my next thought is to take a copy of the Cell_info file, then edit the live file to remove the "encryption 1" string from the CM members' entries before restarting services again.

My only concern is whether this will be sufficient, or if it might cause more problems than it fixes?

If anyone has had prior experience with this I'd appreciate any advice.

Thanks,

Bob
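
Added example, not part of the original post: a read-only check that compares the "encryption 1" flags in a copy of Cell_info with what `omnicc -encryption -status` reports, so a hand edit that did not change what omnicc reports shows up as a mismatch. The Cell_info line layout, the host `client01.example.net` and the sample values are constructed assumptions; the status columns follow the output quoted in the post.

```python
import re

# Constructed sample of a Cell_info copy. Layout is an assumption: one entry
# per line, host name in quotes, plus the "encryption 1" string the post mentions.
CELL_INFO = '''\
-host "cheyenne.anpost.net" -os "microsoft" encryption 1
-host "cheyennefs.anpost.net" -os "microsoft" encryption 1
-host "client01.example.net" -os "microsoft"
'''

# First two lines as quoted in the post; the client01 line is constructed.
STATUS = '''\
Client Enabled Enabled(CM) Version
cheyenne.anpost.net true true TLSv1-TLSv1.2
client01.example.net true true TLSv1-TLSv1.2
'''

def flagged_hosts(cell_info):
    """Map each host in the Cell_info text to whether its entry has the flag."""
    hosts = {}
    for line in cell_info.splitlines():
        m = re.search(r'-host\s+"([^"]+)"', line)
        if m:
            flag = re.search(r'(?<!\S)-?encryption\s+1(?!\S)', line)
            hosts[m.group(1)] = bool(flag)
    return hosts

def parse_status(status_text):
    """Map each host in the omnicc status output to its 'Enabled' column."""
    status = {}
    for line in status_text.splitlines():
        parts = line.split()
        # Skip the header and anything that is not a host row.
        if len(parts) >= 3 and {parts[1], parts[2]} <= {"true", "false"}:
            status[parts[0]] = parts[1] == "true"
    return status

def reconcile(cell_info, status_text):
    """Return (mismatched, unchecked) host lists, both sorted."""
    flags, status = flagged_hosts(cell_info), parse_status(status_text)
    mismatched = sorted(h for h in flags if h in status and flags[h] != status[h])
    unchecked = sorted(h for h in flags if h not in status)
    return mismatched, unchecked

if __name__ == "__main__":
    mismatched, unchecked = reconcile(CELL_INFO, STATUS)
    print("file and omnicc disagree:", mismatched)
    print("in Cell_info but no status row:", unchecked)
```

Run it against a copy of the file taken before any edit and again afterwards; a host that moves into the mismatch list is one where the file and the reported state have diverged.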
