This document will go over the requirements, steps and setup for enabling communication using TLSv1.2 for CA Process Automation.
Hardening network environments to TLSv1.2 is becoming more prevalent and necessary with the added security requirements now in place within most organizations. Some are being implemented in a gradual manner, while others have hard deadlines for full 1.2 restrictions.
The current releases of CA Process Automation fully support using either both TLSv1.1 and v1.2 or operating in a completely restricted TLSv1.2 environment. It is no longer recommended to use SSL v2 or v3 as they have serious vulnerabilities, and TLSv1.0 is only recommended where needed for interoperability, and it does not support modern cipher suites.
Although TLSv1.1 does not support modern cipher suites, Linux and Windows have protocol fixes to mitigate most issues, however TLSv1.2 is still the recommended secure protocol moving forward.
In order to utilize communications over TLSv1.2, CA Process Automation must be installed as secure (SSL) using either the self signed certificated or a third party certificate.
If CA Process Automation has been installed as non SSL, then a reinstall will need to be done to enable SSL.
All versions of Java 8 support the TLSv1.2 protocol, but if you are using Java 7 you must minimally use JDK 1.7 update 95.
If you must upgrade your Java version, do this prior to reinstall. If CA Process Automation is already SSL, then you will need to upgrade Java and modify the c2osvcw.conf file located in /PAM/server/c2o/bin folder for Windows, or the c2osvrd.sh located in /usr/local/CA/PAM/server/c2o for Linux. Modify the Java path to reflect the upgraded version.
Additionally in the c2osvcw.conf or c2osvrd.sh file, a new java variable needs to be added.
For a Windows installation, add the line
To the end of the file. Make sure to increment the number (14) appropriately.
A default installation will show the last 3 lines of this file as:
using .14 is appropriate in this case.
For CA Process Automation installed on Linux, make the following change in c2osvrd.sh :
In the section for SVRDEFINES="
The last line of the file section shows
Change this last line to
-Duser.country="US" \ (please note removal of the second double quotation, a space then the backslash)
Then add the following line below that
-Dhttps.protocols="TLSv1.1,TLSv1.2"" (please note two double quotation marks to close the section properly)
The last two lines should look like:
If you are restricting to only TLSv1.2, then the above protocol specifications should only be added as either
If you are restricting your environment to the TLSv1.2 protocol, please be aware that as CA Process Automation requires CA Embedded Entitlements Manager (CA EEM) for authentication and authorization, the CA EEM release will require an upgrade to version 12.6 to support a fully restricted environment.
If you are using a v1.1 and v1.2 environment, the current release of CA EEM shipped with CA Process Automation will support this.
Most WSDLs currently only support communication using TLSv1.1 and not v1.2, so plan appropriately for the entire implementation.
Most load balancers fully support TLSv1.2, but you will need to enable this within your load balancer configuration. The three that have been internally tested and certified for CA Process Automation (BigIP F5, Apache Tomcat, NGiNX) all support TLSv1.2
If you have multiple CA Products and are planning to restrict your environment to TLSv1.2, please engage with your CA account representative to open a dialog to assist with this move. We want you to be successful and will assist in your endeavor to provide a secure environment for you, your customers and users.