Hello,
We have an enterprise deployment (10.6) that is using an SSL certificate on production servers, but now we are going to use TLS. This is a production deployment, so my question is: what are the best practices for doing this?
We have a web server with a wildcard certificate. Do we need to bind the new TLS certificate, export it, and import it to server and portal via admin? Is this easy?
Regards,
Diego Llamas
SSL and TLS are protocols for HTTPS. By default, newer versions of ArcGIS Enterprise only support TLS - SSL was effectively deprecated with the POODLE bug.
Modern web servers all support TLS.
I think what you're looking to do is to support ONLY TLSv1.0, TLSv1.1, and TLSv1.2, and not support SSLv3.
Some organizations attempting to meet PCI compliance only support TLSv1.2.
You shouldn't have to acquire a new certificate to support only TLS versions.
At the GIS tier, you can configure the TLS versions and cipher suites you want to support via the ArcGIS Admin API.
At the web tier, the process is different depending on the web server, but for IIS I tend to use the IISCRYPTO tool to manage the protocols and cipher suites my web servers support.
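Added example (not part of the reply above, and not Esri or IIS Crypto code): a read-only PowerShell check of the Windows SCHANNEL registry values that control which protocol versions IIS accepts, useful for confirming the web tier before and after a change. The `$allowed` policy of TLS 1.2 only is an assumption; adjust it to your own target.

```powershell
# Added example: read-only audit of the SCHANNEL server-side protocol settings
# that IIS uses. Nothing is written to the registry.
# Assumption: the target policy is "TLS 1.2 only"; edit $allowed to match yours.
$base    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$allowed = @('TLS 1.2')
$checked = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')

$report = foreach ($proto in $checked) {
    $key   = Join-Path $base "$proto\Server"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Enabled = 0 turns the protocol off for inbound connections. When the
    # value is absent, Windows falls back to the default for that OS version.
    if ($null -eq $props -or $null -eq $props.Enabled) {
        $state = 'OS default (not set)'
    } elseif ($props.Enabled -eq 0) {
        $state = 'Disabled'
    } else {
        $state = 'Enabled'
    }

    $wanted = $allowed -contains $proto
    if ($state -eq 'OS default (not set)') {
        $verdict = 'Set explicitly; default depends on Windows version'
    } elseif ($wanted -and $state -eq 'Enabled') {
        $verdict = 'OK'
    } elseif (-not $wanted -and $state -eq 'Disabled') {
        $verdict = 'OK'
    } elseif ($wanted) {
        $verdict = 'Review: required protocol is disabled'
    } else {
        $verdict = 'Review: protocol outside policy is enabled'
    }

    [pscustomobject]@{
        Protocol = $proto
        State    = $state
        Verdict  = $verdict
    }
}

$report | Format-Table -AutoSize
```

This covers only the Windows web tier; the ArcGIS Server and Portal internal web servers are configured separately through the Admin API, as the reply says. SCHANNEL changes take effect after a reboot, so run the check again once the server has restarted.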
Randall:
Is there any documentation on how TLS protocols for HTTPS impact the Enterprise environment if you are moving from an SSL protocol environment? Is this handled behind the scenes, so no changes are necessary?
Sorry for the delay, just seeing this now.
From ArcGIS 10.4 onward, SSLv3 is disabled in the internal web server used in ArcGIS Enterprise. Disabling SSLv3 at the web tier shouldn't impact Esri software. We've supported TLS 1.0, 1.1 and 1.2 ever since. However, many groups (including Esri and ArcGIS Online in February) need to support ONLY TLS 1.2 to meet regulatory requirements.
There are some issues moving to a pure TLS 1.2 environment. Support has a new KB out that discusses those impacts.
Be on the lookout for patches for ArcGIS Desktop that address some issues related to TLS 1.2.
I myself as an ArcGIS Online org admin received this email today: