Directory Servers (for example Mastercard, Visa, American Express, etc.) have issued mandates to use the TLS 1.2 protocol for DS to ACS and ACS to AHS connectivity.
This document provides instructions to enable TLS 1.1 and 1.2 protocols inside CA Transaction Manager for DS and AHS communication.
These steps must be tested in a UAT/lower environment before migrating the changes to production.
1- Navigate to ARCOT_HOME/Conf directory
2- Take a backup of acs.ini and store it in a backup directory. Please do not keep the backup ini file in the same directory, i.e. conf
3- Open acs.ini
4- Look for the parameters DSSecurityLayer and AHSSecurityLayer
5- The parameter values are the protocols enabled
example -
DSSecurityLayer=TLSv1,SSLv3,SSLv2
AHSSecurityLayer=TLSv1,SSLv3,SSLv2
6- Please modify the values to add the required protocols
example -
DSSecurityLayer=TLSv1,SSLv3,SSLv2,,tls1_1,tls1_2
AHSSecurityLayer=TLSv1,SSLv3,SSLv2,,tls1_1,tls1_2
7- Please ensure that the values added are exactly as shown in the example above.
8- Save and close acs.ini
9- Restart the ACS and test the connectivity from DS and to AHS.
Please note that the protocol configuration inside CA ACS is not specific to any individual DS or AHS; common parameters are used for all DS/AHS connectivity, i.e. VISA, MC, Amex, etc.
This means if one disables a connectivity protocol, say SSLv3, under the parameter DSSecurityLayer then SSLv3 will be disabled for incoming connections from all Directory Servers.
CA recommends adding the latest compatible protocol to the existing set of protocols and only removing a deprecated protocol after a confirmation has been received from all Directory Servers that connect to that ACS.
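A check that can be run on the edited acs.ini before the restart in step 9. This is an added example, not CA-supplied code. It assumes acs.ini holds plain `name=value` lines as in the examples above, and the choice of SSLv2 and SSLv3 as the protocols to flag is this example's own.

```python
"""Audit DSSecurityLayer / AHSSecurityLayer in an acs.ini (added example)."""
import sys

PARAMS = ("DSSecurityLayer", "AHSSecurityLayer")
REQUIRED = ("tls1_1", "tls1_2")   # tokens added in step 6, spelled as on this page
LEGACY = ("SSLv2", "SSLv3")       # assumption: protocols flagged as removal candidates

def parse_layers(text):
    """Return {parameter: [protocol tokens]} for the two security-layer parameters."""
    layers = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in PARAMS:
            # Empty tokens are skipped for the comparison only; the file is not modified.
            layers[key.strip()] = [t.strip() for t in value.split(",") if t.strip()]
    return layers

def audit(text):
    """Return a list of (parameter, severity, message) findings."""
    layers = parse_layers(text)
    findings = []
    for param in PARAMS:
        if param not in layers:
            findings.append((param, "ERROR", "parameter not found"))
            continue
        for tok in REQUIRED:
            if tok not in layers[param]:
                findings.append((param, "ERROR", f"{tok} is not enabled"))
        for tok in LEGACY:
            if tok in layers[param]:
                findings.append((param, "WARN", f"{tok} is still enabled"))
    return findings

# Constructed sample: DS line already edited, AHS line still at its step-5 value.
SAMPLE = """\
DSSecurityLayer=TLSv1,SSLv3,SSLv2,,tls1_1,tls1_2
AHSSecurityLayer=TLSv1,SSLv3,SSLv2
"""

if __name__ == "__main__":
    # Pass the path to acs.ini as the first argument; without one the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    results = audit(text)
    for param, severity, message in results:
        print(f"{severity:5} {param}: {message}")
    sys.exit(1 if any(sev == "ERROR" for _, sev, _ in results) else 0)
```

An ERROR means one of the two parameters was missed in step 6. A WARN lists a protocol that stays enabled until every Directory Server connecting to that ACS has confirmed it can be removed.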