Important Security Enhancement Notification

Overview

As part of our continuous effort to align with industry best practices and data integrity, we are implementing changes to our network security standards, specifically related to HTTPS services.  On November 1, 2017, we will implement these changes in an effort to maintain the highest security standards and promote the safety of customer data.

To ensure you do not experience any service disruption, we ask that you review the information below and ensure that your system will support the planned changes.  After these changes, any web browser or system interface that is not able to support these changes will not be able to access our HTTPS based services.

What is Changing?

  • Encryption Protocol.  We will disable support for any transport encryption protocol below TLS 1.2.  Please see the FAQ section for more information on TLS.
  • Cipher Suites.  We will disable support for all medium and low level ciphers, as we will support high ciphers only.

Which Services Will Be Affected by These Changes?

All of our services that are available over HTTPS will be included in this change.

Web Browser Based Services.  Any of our sites that you access through a web browser will be included with this change.  If you are unsure of the specific sites that you access that are affected, please contact your client manager for a list.

System-to-System Integrations.  Any of our services that are accessed from your system over HTTPS will be included with this change.  This includes API calls, SSO integrations, and EDI integrations.  If you are unsure of the specific sites that your system accesses for system-to-system integrations over HTTPS, please contact your client manager for a list.

How Can I Make Sure I Am Ready?

Browser Compatibility

Most modern web browser versions since 2014 will be able to support these changes by default.  However, to check whether you are using an older browser that will not be compatible with these changes, please see below.

  • Browser Compatibility Test:  You can visit SSL Labs to check the current capabilities of your browser.  If you see the message "Your user agent has good protocol support" under the Protocol Support section, then good news!  Your browser is already capable of supporting the changes we will be making.  If you do not receive this message, then you may need to contact your IT department about updating your browser settings.  Refer to the FAQ section for a list of compatible browsers.
  • Test Environments:  As an alternative to the SSL Labs site mentioned above, we invite you to visit any of our non-production sites after Monday, September 25, 2017, and verify that you are able to access them as you normally do.  If you are unfamiliar with the non-production sites that are available to you, then please contact your client manager.  If you are unable to access the site, then you may need to contact your IT department about updating your browser settings.  Refer to the FAQ section for a list of compatible browsers.

System-to-System Integrations Compatibility

Test Environments:  We will be applying the same changes to our non-production test environments on Monday, September 25, 2017.  You will be able to test your system integration against our non-production site after this change to verify that you are able to access them as you normally do.  If you are unfamiliar with the non-production sites that are available to you, then please contact your client manager.
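The check described above can be scripted before a real integration is pointed at the test environment. The following is an added example, not Covisint code: it builds a client that refuses anything below TLS 1.2 and offers only HIGH cipher suites, reports what the local TLS library can do, and probes a host. The host name is a placeholder (this page does not list the non-production sites), and the cipher string and function names are assumptions of this example.

```python
import socket
import ssl
import sys

# Cipher string is this example's assumption: OpenSSL's HIGH class only,
# with unauthenticated, null and 3DES suites excluded.
HIGH_ONLY = "HIGH:!aNULL:!eNULL:!3DES"


def strict_context():
    """Client context matching the announced policy: TLS 1.2+, HIGH ciphers."""
    ctx = ssl.create_default_context()  # verifies certificate and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HIGH_ONLY)
    return ctx


def local_readiness():
    """Report what this runtime's TLS library offers under the strict policy."""
    suites = strict_context().get_ciphers()
    forward_secret = [
        s["name"] for s in suites
        if "DHE" in s["name"] or s["protocol"] == "TLSv1.3"
    ]
    return {
        "tls_library": ssl.OPENSSL_VERSION,
        "tls12_supported": ssl.HAS_TLSv1_2,
        "weakest_suite_bits": min(s["strength_bits"] for s in suites),
        "forward_secret_suites": len(forward_secret),
    }


def probe(host, port=443, timeout=10):
    """Handshake with host under the strict policy; raises ssl.SSLError on failure."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_context().wrap_socket(raw, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            return {"protocol": tls.version(), "cipher": name, "bits": bits}


if __name__ == "__main__":
    print(local_readiness())
    # Placeholder host: substitute a non-production site from your client manager.
    target = sys.argv[1] if len(sys.argv) > 1 else "nonprod.example.invalid"
    try:
        print(probe(target))
    except (ssl.SSLError, OSError) as exc:
        print(f"{target}: TLS 1.2 handshake failed: {exc}")
```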

What If I Won't Be Ready?

If your organization will not be able to support these changes by November 1, 2017, then please have your Security Officer submit a request to security@covisint.com to arrange a discussion with our security team.

What Else Should I Know?

Additional Information About Covisint Network Security

In addition to the planned changes that are described above, please be aware that we use SHA-256 as the standard cryptographic hash algorithm level for all certificates that are used for network encryption.  Additionally, Covisint supports Perfect Forward Secrecy using 2048-bit keys.

Which Application Platforms are Capable of Supporting TLS 1.2?

Please see the table below for TLS 1.2 compatibility by platform or library.

Platform or Library: Compatibility Notes

Java (Oracle): Compatible with the most recent version, regardless of operating system.

  • Java 8 (1.8) update u32 and higher: Compatible with TLS 1.1 or higher by default.
  • Java 7 (1.7) update u26 and higher: Enable TLS 1.1 and TLS 1.2 using the https.protocols Java system property for HttpsURLConnection. To enable TLS 1.1 and TLS 1.2 on non-HttpsURLConnection connections, set the enabled protocols on the created SSLSocket and SSLEngine instances within the application source code. Switching to IBM Java may be an effective workaround if upgrading to a newer Oracle Java version isn't feasible.
  • Java 6 (1.6) update u121 and higher: Enable TLS 1.1 using the https.protocols Java system property for HttpsURLConnection. To enable TLS 1.1 on non-HttpsURLConnection connections, set the enabled protocols on the created SSLSocket and SSLEngine instances within the application source code. This Java 6 update and newer updates are not publicly available and require a support contract for Java 6 from Oracle.
  • Java 6 (1.6) and below (publicly available version): Not compatible with TLS 1.1 or higher encryption. Switching to IBM Java may be an effective workaround if upgrading to a newer Oracle Java version isn't feasible.

Java (IBM)

  • Java 8: Compatible with TLS 1.1 or higher by default. You may need to set com.ibm.jsse2.overrideDefaultTLS=true if your application, or a library called by it, uses SSLContext.getInstance("TLS").
  • Java 7 and higher, Java 6.0.1 service refresh 1 (J9 VM2.6) and higher, Java 6 service refresh 10 and higher: Enable TLS 1.2 using the https.protocols Java system property for HttpsURLConnection and the com.ibm.jsse2.overrideDefaultProtocol Java system property for SSLSocket and SSLEngine connections, as recommended by IBM's documentation. You may also need to set com.ibm.jsse2.overrideDefaultTLS=true.

OpenSSL: Compatible with the most recent version, regardless of operating system.

  • OpenSSL 1.0.1 and higher: Compatible with TLS 1.1 or higher by default.
  • OpenSSL 1.0.0 and below: Not compatible with TLS 1.1 or higher encryption.

.NET: Compatible with the most recent version when running in an operating system that supports TLS 1.1 or TLS 1.2.

  • .NET 4.6 and higher: Compatible with TLS 1.1 or higher by default.
  • .NET 4.5 to 4.5.2: .NET 4.5, 4.5.1, and 4.5.2 do not enable TLS 1.1 and TLS 1.2 by default. Two options exist to enable these, as described below.

    Option 1:
    .NET applications may directly enable TLS 1.1 and TLS 1.2 in their software code by setting System.Net.ServicePointManager.SecurityProtocol to enable SecurityProtocolType.Tls12 and SecurityProtocolType.Tls11. The following C# code is an example:

    // Allows TLS 1.2, TLS 1.1 and TLS 1.0 (Tls); the changes described above require TLS 1.2.
    System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12 | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls;

    Option 2:
    It may be possible to enable TLS 1.2 by default without modifying the source code by setting the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Although the version number in those registry keys is 4.0.30319, the .NET 4.5, 4.5.1, and 4.5.2 frameworks also use these values. Those registry keys, however, will enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. It is thus advisable to test this change before deploying it to your production servers. This is also available as a registry import file. These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.

  • .NET 4.0: .NET 4.0 does not enable TLS 1.2 by default. To enable TLS 1.2 by default, it is possible to install .NET Framework 4.5, or a newer version, and set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Those registry keys, however, may enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. We recommend testing this change before deploying it to your production servers. This is also available as a registry import file. These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.
  • .NET 3.5 and below: Not compatible with TLS 1.1 or higher encryption.

What Should I Expect if My System is Unable to Support These Changes?

After November 1, 2017 (and September 25, 2017 for non-production test environments), if your system is unable to support these standards, you should expect the following:

For Browser Based Services:

When you try to access one of our sites through your web browser, you will see an error message stating that your browser does not support the TLS 1.2 protocol, with information on how to resolve the issue.

For System-to-System Integrations:

When you try to access one of our sites through a system-to-system integration, an HTTP Return Code of "426 Upgrade Required" will be returned to your application, along with a response message stating that support of TLS 1.2 is required and information on how to resolve the issue.