How to Enable TLS 1.2 inside CA Transaction Manager

Document ID : KB000097903
Last Modified Date : 24/05/2018
Introduction:
This document provides instructions to enable TLS 1.2 protocol inside CA Transaction Manager for DS and AHS communication.
Background:

Directory Servers (for example Mastercard, Visa, American Express etc.) have issued mandates to use the TLS 1.2 protocol for DS to ACS and ACS to AHS connectivity.

Environment:
CA Transaction Manager 7.5.3 and above
Instructions:

Steps to enable TLS 1.2 inside CA ACS.

 

Recommendation-

Test these steps in a UAT/lower environment before migrating the change to production.

1- Navigate to ARCOT_HOME/Conf directory
2- Take a backup of acs.ini and store it in a backup directory. Do not keep the backup ini file in the same directory, i.e. conf
3- Open acs.ini
4- Look for the parameters DSSecurityLayer and AHSSecurityLayer
5- The parameter values are the protocols enabled
     example -

         DSSecurityLayer=TLSv1,SSLv3,SSLv2

         AHSSecurityLayer=TLSv1,SSLv3,SSLv2

6- Please modify the values to add the required protocol,
      example -

         DSSecurityLayer=TLSv1,SSLv3,SSLv2,,tls1_1,tls1_2

         AHSSecurityLayer=TLSv1,SSLv3,SSLv2,,tls1_1,tls1_2


7- Please ensure that the values added are exactly as shown in the example above.
8- Save and close acs.ini
9- Restart the ACS and test the connectivity from DS and to AHS.

 

Warning/Important Note -

If you are disabling any protocol-

Please note that the protocol configuration inside CA ACS is not individual to any DS and a single parameter is used for all DS and connectivity i.e.
This also applies to AHS: a single parameter is used to configure the connectivity protocol for both MC and VISA DS.

This means if one disables a connectivity protocol, say SSLv3, under the parameter DSSecurityLayer then SSLv3 will be disabled for incoming connections from all Directory Servers.

Recommendation-

CA recommends adding the latest compatible protocol to the existing set of protocols and only removing a deprecated protocol after a confirmation has been received from all Directory Servers that connect to that ACS.
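
Added example (not part of the original KB article and not CA tooling): a Python check that reads acs.ini text and reports, for DSSecurityLayer and AHSSecurityLayer, whether tls1_2 is listed and which older protocols are still enabled, covering the edit in steps 4 to 7 and the note above on removing protocols. It assumes plain key=value lines with # or ; comments and exact, case-sensitive token names as shown in the examples; the sample content is constructed.

```python
REQUIRED = "tls1_2"                      # token exactly as shown in step 6
OLDER = {"TLSv1", "SSLv3", "SSLv2"}      # tokens from the step 5 example
PARAMS = ("DSSecurityLayer", "AHSSecurityLayer")


def parse_layers(text):
    """Return {param: [tokens]} for the two parameters; last occurrence wins."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Assumption: lines starting with '#' or ';' are comments.
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in PARAMS:
            # Keep tokens verbatim; skip empty fields produced by ",,".
            found[key] = [t.strip() for t in value.split(",") if t.strip()]
    return found


def audit(text):
    """Return {param: {"present", "tls12", "older"}} for each parameter."""
    layers = parse_layers(text)
    report = {}
    for param in PARAMS:
        tokens = layers.get(param)
        report[param] = {
            "present": tokens is not None,
            "tls12": REQUIRED in (tokens or []),
            "older": sorted(t for t in (tokens or []) if t in OLDER),
        }
    return report


# Constructed sample: DS line already edited per step 6, AHS line not yet.
SAMPLE = """\
DSSecurityLayer=TLSv1,SSLv3,SSLv2,,tls1_1,tls1_2
AHSSecurityLayer=TLSv1,SSLv3,SSLv2
"""

if __name__ == "__main__":
    for param, r in audit(SAMPLE).items():
        if not r["present"]:
            print(f"{param}: parameter not found")
            continue
        status = "tls1_2 listed" if r["tls12"] else "tls1_2 MISSING"
        print(f"{param}: {status}; older protocols still listed: {r['older']}")
```

To check a real file, pass its contents to audit() in place of SAMPLE, before and after the restart in step 9.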