This article describes the steps required to disable TLS v1.0 in the API Gateway for improved compliance with PCI DSS 3.1.
As per version 3.1 of the PCI Council's DSS, all SSL versions and TLSv1.0 are no longer acceptable for PCI compliance after June 30, 2016. SSL and early TLS are not considered strong cryptography and cannot be used as a security control after that date. The best response is to disable SSL entirely and migrate to a more modern encryption protocol, which at the time of publication means a minimum of TLSv1.1, although users are strongly encouraged to move to TLSv1.2.
The provided solution was tested on SSG 8.x and 9.x series nodes, with ESM 1.13 monitoring enabled on all nodes.
The following instructions should be followed if TLS 1.0 needs to be disabled completely from the CA API Gateway and ESM components:
The files noted in steps 10-12 may be overwritten during an upgrade of the Gateway application. They are not considered "upgrade safe", as they are not typically meant to be modified by users. Keep this in mind when upgrading the Gateway: those three steps may need to be reapplied after an upgrade and should become part of the upgrade procedure.