Customer needs to ensure that the TLS layer uses secure versions to communicate to backend servers
What are the steps to ensure CA Access Gateway is configured for TLS 1.2?
For the communications between SPS and the backend web servers, you edit the following line in server.conf (under <SPS Home>/proxy-engine/conf):
versions="TLSv1, TLSv1.1, TLSv1.2"
The sample line above enables the three TLS versions and no other protocols/versions. Simply delete any TLS versions you do not want to enable from this line (SSL versions can be added, such as SSLv3, but most customers have abandoned SSL in favor of TLS only).
For the communications between users' browsers and the SPS Apache server, edit the following line in <SPS Home>/httpd/extra/httpd-ssl.conf:
Syntax: SSLProtocol [+|-]protocol
Examples:
To enable all protocols except SSLv2, SSLv3 and TLSv1.0
> SSLProtocol All -SSLv2 -SSLv3 -TLSv1
To exclude all protocols and enable only TLSv1.2
> SSLProtocol -All +TLSv1.2
For managing Ciphers, use SSLCipherSuite