Important Update for ArcGIS and TLS

11-15-2018 08:21 AM
RandallWilliams
Esri Regular Contributor

Esri is committed to providing strong security for the ArcGIS platform by using the latest industry standards and best practices for security protocols. To meet these industry expectations, we are making an important update to ArcGIS Online on April 16, 2019 that is likely to affect most ArcGIS software and custom solutions. With this change, we are enforcing the use of TLS (Transport Layer Security) version 1.2 only and will remove support for earlier TLS versions 1.0 and 1.1.
 
More details about Esri’s support for TLS, including patches and instructions for updating software, can be found by visiting support.esri.com/en/tls.
 
Who is affected?
Users of most ArcGIS software or custom solutions using Esri technology may be affected by this planned update to TLS protocol v1.2.
 
What do I need to do now?
Go to the Esri TLS Support page for more information and specific actions you may need to take in advance of this update.

Visit the GeoNet ArcGIS Platform and Transport Layer Security (TLS 1.2) Forum‌ to ask questions, view additional information and connect with Esri staff subject matter experts. 
 

30 Comments
George_Thompson
Esri Frequent Contributor
DerekLaw
Esri Esteemed Contributor

FYI,

Learn more details in this blog:
2019 ArcGIS Transport Security Improvements 

Hope this helps,

WengNg1
New Contributor III

Hi,

With the upgrade to TLS 1.2, will ArcGIS Online then be unable to communicate with any published services in ArcGIS Server running the old 1.1/1.0 protocol (e.g. 10.3 and below?)

Thanks,

Weng

RandallWilliams
Esri Regular Contributor

Hi, 

The answer is 'it depends'. The software may be impacted based upon the operating system ArcGIS Server is installed on and the workflows your organization uses. 

Here's a doc that should help:

FAQ: How is ArcGIS Enterprise and its associated software components, ArcGIS Server and Portal for A... 

MichaelVolz
Esteemed Contributor

Can you please provide an example of 

  • Registering items in ArcGIS Online via the ArcGIS Server Manager interface?

Maybe provide some screenshots.

RandallWilliams
Esri Regular Contributor

Good question, and sure thing. When you're working with a stand-alone (unfederated) instance of ArcGIS Server, under the sharing tab, you'll see where you can associate the GIS Server with ArcGIS Online or some other Portal, like this:

sharing settings

On a federated instance, this dialog looks like this:

federated manager

In either case, you can update sharing details for a service from manager.

If you're working with a stand alone instance of ArcGIS Server, once you've signed into the portal, you can click the little sharing icon next to the secure service 'lock' icon, and share a reference to the service to a group:

share to group

If your GIS Server is already federated with a Portal,  you don't need to sign in because the security model is owned by the Portal, and if you've logged into ArcGIS Server Manager, you're also logged into the Portal. 

Hope that helps!

RandallWilliams
Esri Regular Contributor

In essence, the TLS issues a user may see in ArcGIS Enterprise come down to features that are used when the software acts as a CLIENT, not as a SERVER. ArcGIS Enterprise as a SERVER has supported TLS for some time. It's various client components that can have TLS related issues. An example - the ArcGIS Server print service. When using the print service, ArcGIS Server acts as a client to some GIS Server (quite often that server is itself). The print service makes an export map request to the server, and uses the response to create printed output, and places the output in a virtual directory. At that point, the browser client makes a request to ArcGIS Server to pull the output down.

RandallWilliams
Esri Regular Contributor

Also, I'd be remiss if I didn't add a call to action for users working with older versions of ArcGIS Enterprise to upgrade - preferably to 10.6.1 or 10.7 upon its release.

  • At 10.4.1, we introduced the ability to update supported TLS versions and cipher suites via the ArcGIS Admin API. 

  • ArcGIS 10.3.x will be in Mature Support starting in December 2018. Software in mature support will receive no further patches, hot fixes, or service packs.

  • ArcGIS 10.3.x still supports SSLv3. SSLv3 is no longer secure. This issue can be addressed at the web tier by disabling SSLv3 on the web adaptor/reverse proxy server. 

With this in mind, it's important for users on older versions of ArcGIS Software to be planning upgrades. 

MichaelVolz
Esteemed Contributor

I am getting a packaging error when publishing services up to AGOL from ArcMap 10.5.1.  Could the security protocol update have anything to do with this issue?

RandallWilliams
Esri Regular Contributor

It shouldn't. TLS changes on ArcGIS Online won't go into effect until February.

CraigPennington
New Contributor III

Maybe I'm misunderstanding this, but it looks like in order to use some capabilities, ArcMap, for example, has to support TLS 1.2. ESRI will release such a version in "first half of 2019". But the requirement for TLS 1.2 starts in February, likely before a supporting version of ArcMap is available. So we have to patch the latest version available. The timing of the product releases and TLS 1.2 requirement seem strange.

BradleyAndrick3
New Contributor III

Question: Is there information for software versions that are not at the most current release? 

My question specifically is related to the Runtime SDK for .NET:

FAQ: How do I enable TLS 1.2 for ArcGIS Runtime SDK for .NET? 

This is all I can find in the TLS FAQ docs:

I have an application that is built with ArcGIS Runtime SDK for .NET v100.2 and there is no mention of the impact of this. There have been a few bugs that have limited us to that version until the next release of the SDK.

The only mention of older 100.x versions is in regards to their support status, this does not help with TLS impact information.  

Just curious if there was a place to find this info?

RexHansen
Esri Contributor

Hi Bradley, 

The text on 100.4 basically applies to all 100.x releases of the ArcGIS Runtime SDK for .NET. With respect to .NET, the TLS version used can be defined by the .NET Framework, application logic, or operating system. Best practice is the operating system defines the version: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls

What this means is as long as the machine/device on which the .NET Runtime app is running is configured to use TLS 1.2 or greater, the client will use it. To confirm with the app in question, you can review the network traffic to see which TLS version is being used.

-Rex
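An added example (not part of the original thread or Esri's code) of the traffic review suggested above: it reads the negotiated version out of one captured ServerHello record, including the TLS 1.3 case where the real version sits in the supported_versions extension. It assumes the ServerHello arrives unfragmented in a single record; the function names and sample bytes are constructed for illustration.

```python
import struct

# TLS version code points as they appear on the wire.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def negotiated_version(record: bytes) -> str:
    """Return the version the server chose, read from one ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a TLS handshake record carrying a ServerHello")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]    # legacy_version field
    pos = 2 + 32                                    # skip version + random
    pos += 1 + hello[pos]                           # skip session_id
    pos += 2 + 1                                    # skip cipher suite + compression
    if pos > len(hello):
        raise ValueError("truncated ServerHello")
    # TLS 1.3 keeps legacy_version at 0x0303 and states the real version in
    # the supported_versions extension (type 43), so walk the extensions.
    if pos + 2 <= len(hello):
        end = min(len(hello), pos + 2 + int.from_bytes(hello[pos:pos + 2], "big"))
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            if ext_type == 43 and ext_len == 2 and pos + 6 <= end:
                version = struct.unpack("!H", hello[pos + 4:pos + 6])[0]
            pos += 4 + ext_len
    return VERSIONS.get(version, f"unknown(0x{version:04x})")

def meets_tls12_requirement(record: bytes) -> bool:
    """True when the negotiated version is TLS 1.2 or greater."""
    return negotiated_version(record) in ("TLSv1.2", "TLSv1.3")

def sample_server_hello(legacy: int, extensions: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (zero random, empty session id)."""
    hello = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", min(legacy, 0x0303), len(handshake)) + handshake

if __name__ == "__main__":
    for name, rec in [("TLS 1.0 reply", sample_server_hello(0x0301)),
                      ("TLS 1.2 reply", sample_server_hello(0x0303)),
                      ("TLS 1.3 reply", sample_server_hello(0x0303, b"\x00\x2b\x00\x02\x03\x04"))]:
        print(name, negotiated_version(rec), meets_tls12_requirement(rec))
```
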

George_Thompson
Esri Frequent Contributor

I would continue to visit the patch download page for ArcMap: ArcGIS Desktop TLS Patch 

There are already patches for 10.4 and 10.2.1 available now.

InternationalSOSStaging_US
New Contributor

One of our .net applications uses ArcGIS geocoding service ( https://geocode.arcgis.com/arcgis/rest/services/ ). 

For the TLS change we are going to update its code to start supporting TLS1.2.

We have the following two questions:

1. Do we know what is the exact date in February when TLS1.0/1.1 would be discontinued for GeoCoding service? 

2. Do we have any test environment of Geocoding service where TLS1.0/1.1 is already disabled to test out our changes?

KoryKramer
Esri Community Moderator

I'm checking with our teams here to see if I can get a tighter date for when we expect the change to take effect and also when we can expect to have test services live.

I will circle back here hopefully within the next day or so with an update.  

Thank you for your patience.

MichaelVolz
Esteemed Contributor

Derek:

I get this warning when looking at the Security tab in AGOL:

Was this added to AGOL to help organizations prepare for the update of AGOL in Feb. 2019 when http access will no longer be allowed?

Would checking the box for Allow access to the organization through https only simulate the change that ESRI will be making to AGOL, so ArcMap 10.5.1 clients without the patch would be unable to publish up to AGOL?

InternationalSOSStaging_US
New Contributor

Kory Kramer  Thanks  Kory.

Did you hear back from the team about the date and test environment?

KoryKramer
Esri Community Moderator

Here is what I have now.

1. It looks like the switch to TLS 1.2 will be in late February.

2. We're hoping to make test services available this week.

Sorry for the lag in responding as I waited for the best available information.

RandallWilliams
Esri Regular Contributor

Hi Michael,

In February we'll be changing ArcGIS Online so that HTTPS connections can only be made via TLS 1.2. Currently ArcGIS Online supports TLSv1.0, TLSv1.1, and TLSv1.2.

Later this year (Q4 expected) we'll be updating ArcGIS Online to require HTTPS and disabling plaintext HTTP. 

You're correct that this warning was put in place to gently nudge users toward HTTPS so that they have time to test workflows and generally become accustomed. 

Regarding your question:

No - checking this box would just force you to use HTTPS when working with your ORG. The patches for ArcGIS Desktop are specifically to support TLS 1.2. If you checked this box, at this point your users wouldn't see a failure because they'll just use older versions of TLS to connect to ArcGIS Online. It wouldn't be until the 20th of February that they'd experience an issue when connecting to ArcGIS Online using the Add Data button.

We'll be releasing a list of TLS 1.2 only endpoints very soon (with instructions) with which users can test the experience.

Best,

Randall 

KoryKramer
Esri Community Moderator

February 20th is the date planned for the switch to occur in ArcGIS Online.

Here is how to check the connection:

How To: Test ArcGIS TLS 1.2 connections to ArcGIS Online 

MichaelVolz
Esteemed Contributor

Thank you for the great information for testing purposes.

RandallWilliams
Esri Regular Contributor

All, 

Due to the Government Shutdown and complications associated, we've pushed the date for this change back to April 16, 2019.

InternationalSOSStaging_US
New Contributor

Hi Kory, the documentation has a test url for geo-coding, which is: https://geocode-tlstest.arcgis.com/arcgis/ ,
do you by any chance also have a test url equivalent to "https://www.arcgis.com/sharing/oauth2/token" used for token operation?

KoryKramer
Esri Community Moderator

The test services are found in the technical article referenced above: How To: Test ArcGIS TLS 1.2 connections to ArcGIS Online   There isn't a plan to provide others at this time.

MarkusRuottinen
New Contributor II

At the moment it seems that the test service for geocoding doesn't respond at all

https://geocode-tlstest.arcgis.com/arcgis/

StephanieWendel
Esri Contributor

Hi Markus Ruottinen!

Thanks for reporting that! We've checked the service and it should be responding correctly now. Please post again or submit a support case if there are any further access problems with the service or questions about the TLS changes. 

MichaelVolz
Esteemed Contributor

Randall:

My org is having server issues, so we are stopping all servers.  I have stopped services in development and tried to open ArcGIS Server (AGS) Manager and I receive the following error which I was not expecting:

Http/1.1 Service Unavailable

Would this indicate that my AGS environment is running with http protocol using TLS1.1 which will be going away?

RandallWilliams
Esri Regular Contributor

Not necessarily. That's just the current version of the HTTP protocol as described by the RFC. 

Hypertext Transfer Protocol -- HTTP/1.1 

If you're running 10.4 or higher, you can check your TLS protocol version via the admin api - http://yourserver.domain.com/arcgis/admin/security/config

security config

You'd also want to validate the web server that runs your web adaptor. 

If it's IIS, you can use IISCRYPTO to easily check. 

DanielleKulas
Occasional Contributor III

Hi Randall,

I'm wondering if ESRI is still planning to update ArcGIS Online to require HTTPS and disable plain text HTTP this year (you said Q4 expected in your January reply) or if this has been pushed back. Will we receive email communications from ESRI warning us of any impending HTTP disabling like the TLS changes? I'd like to  give my users a heads up and check their content, ideally with a timeframe in mind but I can't find any other dates for the ESRI HTTPS switch in my searching. 


Thanks,

Danielle