Migrate SSL Certificate to TLS Certificate

10-02-2018 12:40 PM
DiegoLlamas
Occasional Contributor III

Hello,

We have an enterprise deployment 10.6 that is using an SSL certificate on production servers, but now we are going to use TLS. This is a production deployment, so my question is: what are the best practices for doing this?

We have a web server with a wildcard certificate. Do we need to bind the new TLS certificate, export it and import it to server and portal via admin? Is this easy?

Regards,

Diego Llamas

3 Replies
RandallWilliams
Esri Regular Contributor

SSL and TLS are protocols for HTTPS. By default, newer versions of ArcGIS Enterprise only support TLS - SSL was effectively deprecated with the POODLE bug.

Modern web servers all support TLS.

I think what you're looking to do is to support ONLY TLSv1.0, TLSv1.1, and TLSv1.2, and not support SSLv3.

Some organizations attempting to meet PCI compliance only support TLSv1.2.

You shouldn't have to acquire a new certificate to support only TLS versions. 

At the GIS tier, you can configure the TLS versions and cipher suites you want to support via the ArcGIS Admin API. 

At the web tier, the process is different depending on the web server, but for IIS I tend to use the IISCRYPTO tool to manage the protocols and cipher suites my web servers support. 
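
For the IIS web tier mentioned in the reply above, the following is an added example (not part of the original post and not Esri's code): a read-only PowerShell audit of the Windows Schannel registry settings that control which protocol versions IIS will accept. The `$allowed` policy of TLS 1.2 only is an assumption; the script does not cover the ArcGIS Server internal web server, which is configured through the ArcGIS Admin API.

```powershell
# Added example: read-only audit of Schannel server-side protocol settings.
# $allowed is an assumed policy (TLS 1.2 only); adjust it to your requirement.
$allowed   = @('TLS 1.2')
$protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

$report = foreach ($p in $protocols) {
    $key   = Join-Path $base "$p\Server"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # A missing key or value means the Windows default for this OS version applies.
    if ($null -eq $props -or $null -eq $props.Enabled) {
        $state = 'OS default'
    } elseif ($props.Enabled -ne 0) {
        # Both 1 and 0xffffffff are used in practice to mean "enabled".
        $state = 'Enabled'
    } else {
        $state = 'Disabled'
    }

    # Protocols outside the policy should be explicitly disabled rather than
    # left to the OS default, which differs between Windows Server versions.
    $finding = if ($allowed -contains $p) {
        if ($state -eq 'Disabled') { 'REVIEW: allowed protocol is disabled' } else { 'ok' }
    } else {
        if ($state -eq 'Disabled') { 'ok' } else { 'REVIEW: not explicitly disabled' }
    }

    [pscustomobject]@{ Protocol = $p; ServerState = $state; Finding = $finding }
}

$report | Format-Table -AutoSize
```

Run it on the web server before and after changing protocol settings; Schannel protocol changes take effect after a reboot.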

MichaelVolz
Esteemed Contributor

Randall:

Is there any documentation on how TLS protocols for HTTPS impact the Enterprise environment if you are moving from an SSL protocol environment?  Is this handled behind the scenes, so no changes are necessary?

RandallWilliams
Esri Regular Contributor

Sorry for the delay, just seeing this now.

From ArcGIS 10.4 onward, SSLv3 is disabled in the internal web server used in ArcGIS Enterprise. Disabling SSLv3 at the web tier shouldn't impact Esri software. We've supported TLS 1.0, 1.1 and 1.2 ever since. However, many groups (including Esri and ArcGIS Online in February) need to support ONLY TLS 1.2 to meet regulatory requirements.

There are some issues moving to a pure TLS 1.2 environment.  Support has a new KB out that discusses those impacts. 

Esri Support Important Updates for the ArcGIS Platform and Transport Layer Security (TLS) Protocol S... 

Be on the lookout for patches for ArcGIS Desktop that address some issues related to TLS 1.2. 

I myself as an ArcGIS Online org admin received this email today:

Important Update for ArcGIS and TLS

Esri is committed to providing strong security for the ArcGIS platform by using the latest industry standards and best practices for security protocols. To meet these industry expectations, we are making an important update to ArcGIS Online in February 2019 that is likely to affect most ArcGIS software and custom solutions. With this change, we are enforcing the use of TLS (Transport Layer Security) version 1.2 only and will remove support for earlier TLS versions 1.0 and 1.1.
 
More details about Esri’s support for TLS, including patches and instructions for updating software, can be found by visiting support.esri.com/en/tls.
 
Who is affected?
Users of most ArcGIS software or custom solutions using Esri technology may be affected by this planned update to TLS protocol v1.2.
 
What do I need to do now?
Go to the Esri TLS Support page for more information and specific actions you may need to take in advance of this update.
 
If this email is not applicable to you, please forward this email to the one who manages your ArcGIS software or custom solutions using Esri technology.