Information about TLS 1.2 support

Article ID: 129744

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Apple, Google, Microsoft and Mozilla have announced that, from the beginning of 2020, support for TLS 1.0 / 1.1 in their web browsers will be phased out and then disabled.

Apple (Safari): Deprecation of Legacy TLS 1.0 and 1.1 Versions
Google (Chrome): Modernizing Transport Security
Microsoft (IE, Edge): Modernizing TLS connections in Microsoft Edge and Internet Explorer 11
Mozilla (Firefox): Mozilla Security Blog, Removing Old Versions of TLS

Since systems that do not support TLS 1.2 are expected to become inaccessible from web browsers, users would like to confirm the support status of CA SSO products.

Environment

Single Sign On : R12.52SP1.CR.XX, R12.52 SP2
Federation Manager : R12.52 SP1 or higher

Resolution

For access from a web browser, TLS is used only when accessing the AdminUI and when accessing Access Gateway.
CA Support cannot provide this information for WebAgent and WAOP, because there TLS support is a matter of the web server and application server into which they are incorporated. (Which web server or application server is used is the choice of the user or partner.)

1) About SiteMinder
Whether TLS is supported depends on the version of the JDK that has been installed, so it can be checked from that version. Please refer to the following URL.
Tech Tip - CA Single Sign-On: Administrative UI: Does the standalone Admin UI installation support TLSv1.2?

2) About Access Gateway
Please refer to the following URL.
Support for TLS 1.1 and TLS 1.2 on CA Access Gateway (formerly CA Secure Proxy Server)

3) About Federation Manager
In Federation Manager 12.52SP1, SSL / TLS is disabled by default, and customers need to enable the settings if they want to use it.
SSL Administration for Federation System

The latest CR09 includes Apache, Tomcat, and OpenSSL compatible with TLS 1.2. If customers are using an unsupported version, please apply the latest CR.
 

Additional Information

Besides checking the conf file, you can also check the TLS version by using IE.

(1) Display the page you want to check (it must be an SSL-enabled page), [right-click] on the screen, and click [Properties].
(2) The version of TLS currently in use is displayed in the "Connection" field of the properties screen.
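
A scripted counterpart to the IE check above, added here as an example (it is not CA/Broadcom code): it offers one TLS version per connection to an endpoint such as the AdminUI or Access Gateway and reports which versions the server negotiates. The host name `adminui.example.com` and the verdict strings are assumptions made for the example.

```python
import socket
import ssl
import sys

# Protocol names exactly as ssl.SSLSocket.version() reports them.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe(host, port=443, timeout=5.0):
    """Offer one protocol version per connection; True if the server negotiated it."""
    results = {}
    for name, version in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # this is a version probe, not a trust check
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (OSError, ValueError):    # refused, timed out, handshake failed, unsupported
            results[name] = False
    return results

def assess(results):
    """Classify an endpoint against the browser change described in the article."""
    modern = any(results.get(v) for v in ("TLSv1.2", "TLSv1.3"))
    legacy = any(results.get(v) for v in ("TLSv1", "TLSv1.1"))
    if modern:
        return "ok-legacy-still-enabled" if legacy else "ok"
    return "legacy-only" if legacy else "no-tls"

if __name__ == "__main__":
    # Constructed placeholder target; pass your own AdminUI or Access Gateway host and port.
    host = sys.argv[1] if len(sys.argv) > 1 else "adminui.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    outcome = probe(host, port)
    for name, accepted in outcome.items():
        print(f"{name:8} {'accepted' if accepted else 'not negotiated'}")
    print("verdict:", assess(outcome))
```

A "not negotiated" result for TLSv1 or TLSv1.1 can also mean the local OpenSSL build refuses to offer those versions, so treat the output as authoritative only for TLS 1.2 and above.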