Oracle Announces Removal of Support for Transport Layer Security Protocol 1.0 and 1.1; How Does that Affect Me?
Oracle has announced that as of May 3, 2019, the use of Transport Layer Security Protocols 1.0 and 1.1 will no longer be supported. Communications to Cloud products will only be supported with TLS1.2.
The announcement was made in the following February What’s New communications from Oracle:
The WHAT has come; now WHO is affected?
There are many ways to connect to the Cloud, so to better understand them, let’s break down the more popular ways of connecting and the common technology that these tools use for their connection, HTTPS:
- Web Browsers
- cURL / PowerShell
- Financial Data Quality Management, Enterprise Edition (FDMEE)
EPMAutomate is pretty much a done deal. If there are issues or fixes needed, Oracle will be releasing an update to go along with the Cloud deployment. Keep an eye out on the What’s New pages as well as a notification when running EPMAutomate itself.
Recent versions of both Internet Explorer and Firefox support TLS1.2 out-of-the-box. It might not be enabled, depending on IT policies, but the functionality is present and easy to check.
Internet Explorer > Tools > Internet Options > Advanced
Firefox > about:config > security.tls.version
A value of 1 = TLS 1.0 and a value of 4 = TLS 1.3
Now, if you have ventured into custom scripting (EPMAutomate doesn’t count in this situation) and have fully embraced REST, then cURL and PowerShell scripts might need some tweaks as well. This is the real reason Oracle has started to outline and share information with the end-user community.
As a result, these solutions will need to be updated and retested. For this purpose, Oracle has stated that you can request early, via Oracle Support, a TLS1.2-only POD for testing. I highly recommend this, as it has provided some great insight for Alithya. We were also able to pass along our findings to Oracle early to help streamline the patching process of FDMEE; more on this later.
cURL scripts will need to be updated to pass the "--tlsv1.2" option when cURL is invoked.
For PowerShell, you will need to add the following line in your scripts:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
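One way to find the scripts that still need these two changes, as an added example that is not part of the original post: a small Python audit that flags cURL invocations missing --tlsv1.2 and PowerShell web requests issued before the SecurityProtocol line above. The sample scripts, the placeholder host and the helper names (audit, logical_lines) are constructed for illustration.

```python
import re

# Constructed sample scripts; the host and paths are placeholders, not Oracle's.
SAMPLES = {
    "export.sh": r'''#!/bin/sh
curl -u "$EPM_USER" \
     https://epm.example.invalid/api/jobs
curl --tlsv1.2 -u "$EPM_USER" https://epm.example.invalid/api/jobs
''',
    "load.ps1": "$r = Invoke-RestMethod -Uri https://epm.example.invalid/api/jobs\n",
    "load_fixed.ps1": '''[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$r = Invoke-RestMethod -Uri https://epm.example.invalid/api/jobs
''',
}

CURL = re.compile(r"(?<![\w.-])curl(?:\.exe)?\s", re.I)
PS_WEB = re.compile(r"Invoke-(?:RestMethod|WebRequest)|Net\.WebClient", re.I)
PS_TLS12 = re.compile(r"ServicePointManager\]::SecurityProtocol\s*=.*Tls12", re.I)

def logical_lines(text):
    """Yield (first_line_no, text), folding \\, ` and ^ line continuations."""
    buf, start = "", None
    for no, line in enumerate(map(str.rstrip, text.splitlines()), 1):
        start = start or no
        if line.endswith(("\\", "`", "^")):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf

def audit(name, text):
    """Return (file, line, issue) for calls that do not force TLS 1.2."""
    findings, tls12_set = [], False
    is_ps = name.lower().endswith(".ps1")
    for no, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # comment or shebang
        if is_ps and PS_TLS12.search(line):
            tls12_set = True  # applies to every later request in the script
        elif is_ps and PS_WEB.search(line) and not tls12_set:
            findings.append((name, no, "web request before SecurityProtocol = Tls12"))
        elif not is_ps and CURL.search(line + " ") and "--tlsv1.2" not in line:
            findings.append((name, no, "curl without --tlsv1.2"))
    return findings

if __name__ == "__main__":
    print([f for n, t in SAMPLES.items() for f in audit(n, t)])
```

To scan real scripts, pass each file's name and contents to audit(); the matching is heuristic, so treat each finding as a pointer for manual review and retesting against the TLS1.2-only POD.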
The thing that really got me excited: FDMEE!
The last topic that Oracle mentions is if you use FDMEE on-premise. If you are like me, an FDMEE fanatic, then you’ll know that this caused all the triggers in my brain to start firing. All the things that I do in FDMEE will need to be tested to make sure they comply and work. The things I use in my daily activities are:
- JSON-based RESTful API calls in Jython scripts
- Target Application Registrations to Cloud Applications
I quickly shot off an Oracle Support ticket to get myself a TLS1.2 POD. Oracle responded in a relatively short time and stated that my POD was ready, and I had it for roughly two weeks for testing. Without any changes to my virtual lab, I attempted to connect to see what would happen. Sure enough, I received an error:
I also imported an LCM of a previous Cloud application to get around this error, to see what a set of custom Jython scripts with JSON/RESTful API calls would produce, and received similar errors:
…as well as the out-of-the-box Refresh Metadata & Refresh Members options:
I confirmed with my colleagues in Development that this was the expected result when TLS is not at the right levels and all the appropriate patches are set up and configured. Knowing this, I also tested with my browser option disabled and received the same result. So now that I know I have a good starting point, I was off to the races to figure out how to continue.
Unfortunately, the links that Oracle provided in the What’s New announcement appear to be broken and not public. As a result, I had to create an SR to gain access to the information. After I received them and did some light reading, I was able to formulate a patch strategy, apply the necessary patches, apply the registry updates, and test again.
This time I was able to run successful tests of both FDMEE scripts and Oracle adaptor connections to the Cloud.
Great… Now what do we do?
Patching the environments was not always an easy task. It took quite a bit of time to complete, as there were multiple products that needed updates. Most of the products that needed updating weren’t standard EPM products (HFM, Planning, etc.): WebLogic, JRockit, JDK, OHS, etc. all needed to be updated, and because these are the building blocks on which the EPM suite runs, they created update dependencies for the EPM products we used.
Oracle has stated that this is going into effect on May 3rd, which is right around the corner. Alithya, an Oracle Platinum Partner, is here to help you assess your current EPM installation and build that patch plan.
Even if you don’t use the Cloud today but are thinking about moving to the Cloud at some point, it is important to make sure your environment is ready and that you have the necessary support.
For more information, contact us at firstname.lastname@example.org.