How do I make CA Access Gateway use TLS 1.2
search cancel

How do I make CA Access Gateway use TLS 1.2

book

Article ID: 99216

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

Customer needs to ensure that the TLS layer uses secure versions to communicate to backend servers

What are the steps to ensure CA Access Gateway is configured for TLS 1.2?

Environment

R12.52, 12.6, 12.7 and 12.8

Resolution

For the communications between SPS and the backend web servers, you edit the following line in server.conf (under <SPS Home>/proxy-engine/conf): 

versions="TLSv1, TLSv1.1, TLSv1.2" 

The sample line above enables the three TLS versions and no other protocols/versions. Simply delete any TLS versions you do not want to enable from this line (SSL versions can be added, such as SSLv3, but most customers have abandoned SSL in favor of TLS only). 

 

For the communications between users' browsers and the SPS Apache server, edit the following line in <SPS Home>/httpd/extra/httpd-ssl.conf: 

Syntax: SSLProtocol [+|-]protocol

Examples:

To enable all protocols except SSLv2, SSLv3 and TLSv1.0
> SSLProtocol All -SSLv2 -SSLv3 -TLSv1 

To exclude all protocols and enable only TLSv1.2
> SSLProtocol -All +TLSv1.2

Additional Information

For managing Ciphers, use SSLCipherSuite