How to Enable TLS 1.2 inside CA Transaction Manager

Document ID : KB000097903
Last Modified Date : 29/06/2018
Introduction:
This document provides instructions to enable TLS 1.1 and 1.2 protocols inside CA Transaction Manager for DS and AHS communication.
Background:

Directory Servers (for example Mastercard, Visa, American Express, etc.) have issued mandates to use the TLS 1.2 protocol for DS to ACS and ACS to AHS connectivity.

Environment:
CA Transaction Manager 7.5.3 and above
Instructions:

Steps to enable TLS 1.2 inside CA ACS.

These steps must be tested in a UAT/lower environment before migrating the changes to production.

1- Navigate to ARCOT_HOME/Conf directory
2- Take a backup of acs.ini and store it in a backup directory. Please do not keep the backup ini file in the same directory, i.e. conf
3- Open acs.ini
4- Look for the parameters DSSecurityLayer and AHSSecurityLayer
5- The parameter values are the protocols enabled
     example -

         DSSecurityLayer=TLSv1,SSLv3,SSLv2

         AHSSecurityLayer=TLSv1,SSLv3,SSLv2

6- Please modify the values to add the required protocol,
      example -

         DSSecurityLayer=TLSv1,SSLv3,SSLv2,,tls1_1,tls1_2

         AHSSecurityLayer=TLSv1,SSLv3,SSLv2,,tls1_1,tls1_2


7- Please ensure that the values added are exactly as shown in the example above.
8- Save and close acs.ini
9- Restart the ACS and test the connectivity from DS and to AHS.

 

Warning/Important Note -

If you are disabling any protocol-

Please note that the protocol configuration inside CA ACS is not specific to any individual DS or AHS; common parameters are used for all DS/AHS connectivity, i.e. VISA, MC, Amex etc.

This means if one disables a connectivity protocol, say SSLv3, under the parameter DSSecurityLayer then SSLv3 will be disabled for incoming connections from all Directory Servers.

Recommendation-

CA recommends adding the latest compatible protocol to the existing set of protocols and only removing a deprecated protocol after a confirmation has been received from all Directory Servers that connect to that ACS.
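
The check below is an added example, not CA's code or part of the original article: it compares the backup taken in step 2 with the edited acs.ini from step 6 and lists, per parameter, the protocols added, the protocols removed (which, per the warning above, applies to every DS/AHS), and any of tls1_1/tls1_2 still missing. It assumes acs.ini holds these settings as plain name=value lines; the sample file contents are constructed from the values shown in steps 5 and 6.

```python
"""Compare the security-layer settings in a backup acs.ini with the edited one."""

PARAMS = ("DSSecurityLayer", "AHSSecurityLayer")   # parameter names from the article
ADDED_TOKENS = ("tls1_1", "tls1_2")                # spelled exactly as in step 6


def read_layers(ini_text):
    """Return {parameter: [protocol tokens]} for the two security-layer lines."""
    layers = {}
    for raw in ini_text.splitlines():
        # Assumption: settings are stored as name=value, one per line.
        key, sep, value = raw.strip().partition("=")
        if sep and key.strip() in PARAMS:
            # Empty items (from a doubled comma) name no protocol; this check skips them.
            layers[key.strip()] = [t.strip() for t in value.split(",") if t.strip()]
    return layers


def review_change(backup_text, edited_text):
    """Report, per parameter, what the edit added, removed, and still lacks."""
    before, after = read_layers(backup_text), read_layers(edited_text)
    report = {}
    for param in PARAMS:
        old, new = before.get(param, []), after.get(param, [])
        report[param] = {
            "added": [t for t in new if t not in old],
            # A removal applies to every DS/AHS peer, so it needs confirmation first.
            "removed": [t for t in old if t not in new],
            # Exact, case-sensitive match, as step 7 requires.
            "missing": [t for t in ADDED_TOKENS if t not in new],
        }
    return report


# Constructed sample files: the "before" and "after" values shown in steps 5 and 6.
BACKUP = "DSSecurityLayer=TLSv1,SSLv3,SSLv2\nAHSSecurityLayer=TLSv1,SSLv3,SSLv2\n"
EDITED = ("DSSecurityLayer=TLSv1,SSLv3,SSLv2,,tls1_1,tls1_2\n"
          "AHSSecurityLayer=TLSv1,SSLv3,SSLv2,,tls1_1,tls1_2\n")

if __name__ == "__main__":
    for param, result in review_change(BACKUP, EDITED).items():
        print(param, result)
```

An empty "removed" list and an empty "missing" list for both parameters means the edit only added the new protocols, which is what the recommendation asks for.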