TLS1.1 & IS8.0

Shogo_Tatsuzawa1 · June 29, 2016, 10:46am

Hi.

I know that IS 9.5 or later support TLS1.1 (& 1.2).

Is there any workaround for IS 8.0 to communicate with TLS1.1?

Best regards,
Shotat

Mahesh_K_Sreenivas · June 29, 2016, 1:03pm

There is no official workaround for this by SAG.

For more clarity see below notes, correct me if I am wrong.

IS 8.2.2 supports SSLv2, SSLv3, and TLS 1.0 only (NOT 1.1). This is true for outbound and inbound connections.

If you need TLS 1.1 and 1.2 support, you will have to migrate to IS 9.5 and above. Ssupport for TLS v1.1 and v1.2 has been added with a feature named “Use JSSE”. Also “Use JSSE” feature has been backported to IS v9.0 with IS_9.0_SP1_Core_Fix12 or later

Unfortunately, the JSSE provider is only available for HTTPS connections currently. This means that SAG do not support TLSv1.1 or TLSv1.2 for FTPS connections as it currently in the development phase.

Holger_von_Thomsen · June 29, 2016, 1:35pm

Hi,

additional information:

TLS V1.1 and TLS V1.2 require Java 7 instead of Java 6.

So you will have to apply the Java 7 Package to your wM 8 installation.

wM 9.x runs on Java 7 by default.

Regards,
Holger

Mahesh_K_Sreenivas · June 29, 2016, 1:38pm

So applying jvm 7 on wM 8.0 installation will allow TLS1.1 ?

Holger_von_Thomsen · June 29, 2016, 1:46pm

Probably not, but might be worth a try.

Additionally the Fix for the Poodle issue will be needed.

As per my Knowledge this fix is not available for 8.0 only for 8.2.2.

Upgrading to 8.2 is recommended anyway as there is no direct upgrade path from 8.0 to 9.x.

Regards,
Holger

rmg · June 29, 2016, 5:35pm

Yes I echo with Holger and 822 and up having with poodle fix will work on Java1.7.

HTH,
RMG

Mangat_Rai · June 29, 2016, 9:10pm

as per the recent encounter i had with cloud stream, i think just having java 1.7 and up won’t support TLS 1.1.

Cloud stream 9.8 still support only 1.0 and product team is working on a release. Recently Salesforce removed support for TLS1.0 in their sandbox that is when we learnt that though IS supports TLS 1.1 but cloud stream don’t. so it might work or not depending on which component you trying to connect using TLS.

Shogo_Tatsuzawa1 · June 30, 2016, 2:26am

Dear members, Mangat Rai-san,

Thanks for the reply very much.
I understand the migration to v9.5 or later (via 8.2) from 8.0 seems to be the best for TLS1.1 communication.

Mangat Rai-san,

Recently Salesforce removed support for TLS1.0 in their sandbox
that is when we learnt that though IS supports TLS 1.1 but cloud stream don’t.

Just related to this.
A customer of ours is also announced “Recently Salesforce removed support for TLS1.0 in their sandbox”.
So, they are asking about the workaround for TLS1.1 & IS8.0.
(They are not using cloud stream.)

Best regards,
Shtat

Shyam_Kukunuri · June 30, 2016, 11:57am

Hi Every one,

I do have the same issue with the hand shake after the Salesforce moved from TLS1.0 to TLS1.1 and higher.

I have a interesting point here. Once i completed with my fixes to SFDC adapter ( SFDC_8.2_Fix8 ), Java 1.7 to 1.8 and IS core fix to 12, the adapter got enabled. But the scheduler page is not able to display the list of schedulers. It is giving an error [SoftwareAG][Oracle JDBC Driver][Oracle]ORA-00904: “RUN_AT”: invalid identifier… I can see these scheduler details in IS_USER_TASKS table in the internal DB and connected from IS successfully. Can some help me what went wrong here and to be corrected so that i can see the schedulers in the IS admin page. Please find the product components details below.

webMethods IS: 9.5 version
Java Version: 1.8

Fix levels
WmSalesforceAdapter: SFDC_8.2_Fix8
WmRoot: IS_9.5_SP1_Core_Fix12
WmPublic: IS_9.5_SP1_Core_Fix12

Thanks in advance…

Holger_von_Thomsen · June 30, 2016, 1:15pm

Hi Shyam,

please run DB Configurator and migrate the IS database schema to latest version.

You will need to apply DC_9.5_SP1_DBS_Fix5 to your DB Configurator installation before that.

This has been introduced due to the following issue:


PIE-36477

After transitioning to or from daylight savings time, scheduled tasks run twice or not at all.

Integration Server runs scheduled tasks based on the time relative to the time zone. 
This caused issues when entering and exiting daylight savings time, specifically tasks ran twice or not at all.

Now, Integration Server runs scheduled tasks based on coordinated universal time (UTC). 
Because Integration Server runs the tasks without regard to the relative time zone, 
the start and end of daylight savings time does not affect the execution of scheduled tasks.

Important! If you are using an external database for the ISInternal functional alias in Integration Server, 
after installing a fix that includes PIE-36477 and before starting Integration Server, make sure that 
the latest scripts for ISInternal have been applied to the database used by 
the JDBC pool alias associated with the ISInternal functional alias.

Regards,
Holger

Shyam_Kukunuri · June 30, 2016, 2:34pm

Thanks for the quick post Thomsen. I am able to access the schedulers …

William_Wimbrow1 · July 11, 2016, 4:07pm

I am currently having the problem of the Salesforce.com sandbox no longer supporting TLS v1.0. I am running IS 9.6 Core Fix 10 and am using the
pub.client.soapClient to interface with Salesforce.com and it returns “UNSUPPORTED_CLIENT: TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher”. Is there something I am doing wrong. I have modified the IS extended properties to as follows:

watt.net.jsse.client.enabledCipherSuiteList=default
watt.net.jsse.client.enabledProtocols=TLSv1.1,TLSv1.2
watt.net.jsse.server.enabledCipherSuiteList=default
watt.net.jsse.server.enabledProtocols=TLSv1.1,TLSv1.2
watt.net.ssl.client.cipherSuiteList=default
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=tls
watt.net.ssl.client.strongcipheronly=true
watt.net.ssl.server.cipherSuiteList=default
watt.net.ssl.server.handshake.maxVersion=tls
watt.net.ssl.server.handshake.minVersion=tls
watt.net.ssl.server.strongcipheronly=true

Sudhakar_C1 · July 11, 2016, 4:38pm

Hi Will,

Have you restarted the IS after updating the extended settings ?

IS 9.6 with Core Fix10 should support TLS 1.1 and 1.2

-Sudhakar C

William_Wimbrow1 · July 11, 2016, 4:41pm

Yes, the IS has been restarted at least twice since the CORE Fix 10 installed and the Extended Properties have been changed

Sudhakar_C1 · July 11, 2016, 5:10pm

Hi Will,

Have you applied latest SCG_9.6_Entrust Fix ?

Also your Java version should be 1.7 or above.

-Sudhakar C

William_Wimbrow1 · July 11, 2016, 5:16pm

Yes, the SCG_9._Entrust_Fix is included in the Core 10 fix, but it had been installed on our IS before the Core 10 fix. Our Java version is :
Java Version 1.7.0_51 (51.0)

Holger_von_Thomsen · July 11, 2016, 5:20pm

Hi

Java 7 is the default for at least 9.5 SP1 and newer.

I am not sure if updating entrust lib will help here.

As far as i know TLSv1.1 and TLSv1.2 are only supported by using JSSE and Entrust is not JSSE compliant.
See https://techcommunity.softwareag.com/pwiki/-/wiki/Main/Debugging+TLS+SSL+connections+in+Integration+Server for further informations about this.

Regards,
Holger

Shyam_Kukunuri · July 13, 2016, 12:32pm

H Will,

Try giving one more property in setenv.cnf file as below.
# TLS 1.1 SFDC JAVA_OPTS=“-Dhttps.protocols=TLSv1.1”

Check the below fix too…

SFDC fix:
WmSalesforceAdapter 8.2.0.0
SFDC_8.2_Fix8

HTH
Shyam.

William_Wimbrow1 · July 13, 2016, 3:51pm

We do not use the webMethods Salesforce data adapter, it was not available when we started our development work for our interfaces to Salesforce.com.