How do I make CA Access Gateway use TLS 1.2
search cancel

How do I make CA Access Gateway use TLS 1.2


Article ID: 99216


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


Customer needs to ensure that the TLS layer uses secure versions to communicate to backend servers

What are the steps to ensure CA Access Gateway is configured for TLS 1.2?


R12.52, 12.6, 12.7 and 12.8


For the communications between SPS and the backend web servers, you edit the following line in server.conf (under <SPS Home>/proxy-engine/conf): 

versions="TLSv1, TLSv1.1, TLSv1.2" 

The sample line above enables the three TLS versions and no other protocols/versions. Simply delete any TLS versions you do not want to enable from this line (SSL versions can be added, such as SSLv3, but most customers have abandoned SSL in favor of TLS only). 


For the communications between users' browsers and the SPS Apache server, edit the following line in <SPS Home>/httpd/extra/httpd-ssl.conf: 

Syntax: SSLProtocol [+|-]protocol


To enable all protocols except SSLv2, SSLv3 and TLSv1.0
> SSLProtocol All -SSLv2 -SSLv3 -TLSv1 

To exclude all protocols and enable only TLSv1.2
> SSLProtocol -All +TLSv1.2

Additional Information

For managing Ciphers, use SSLCipherSuite