Abandon TLS 1.0 Protocol in Oracle Service Cloud
Answer ID 8576   |   Last Review Date 01/16/2018

Why should customers upgrade to a newer version of the TLS protocol?

Environment:

Oracle Service Cloud (OSvC)
All Supported versions

Resolution:

Support for TLS protocol version 1.0 was disabled in the Oracle Service Cloud production environments on the following dates:

  • PCI Environment: updated on January 31st, 2017 (~11 PM Central).
  • Non-PCI Environment: updated June 20th to Oct. 11th, 2017

After those dates, attempting to use the legacy TLS 1.0 protocol in client configurations will result in a service disruption. Oracle strongly recommends that Oracle Service Cloud customers assess their use of TLS version 1.0 and discontinue its use as soon as possible, particularly in browsers accessing Oracle Service Cloud production environments. Moreover, systems using Oracle Service Cloud APIs or SDKs must be configured to support TLS protocol v1.1 or later to maintain connectivity after the aforementioned deadlines. Oracle recommends that TLS v1.2 be used.


Please note:

  • Support for TLS 1.1 and 1.2 started with the February 2014 Oracle Service Cloud release. Customers running versions of Oracle Service Cloud (OSvC) prior to the February 2014 version are running unsupported versions, and those versions will not function after TLS 1.0 is disabled.
  • Customers should take additional steps to ensure that TLS v1.0 remains disabled, and TLS v1.1 or later is enabled in the browsers and configurations used by their systems.  For example, users of unsupported web browsers should upgrade to more recent and actively-supported web browsers. As of January 12, 2016 the Service Cloud console will only be supported in conjunction with Internet Explorer 11 or above.

    For details, see Answer ID 8006: Support has ended with Internet Explorer 8, 9, and 10.

    Also, custom client applications and third party middleware should be modified to negotiate at least TLS v1.1.

  • All user workstations must be upgraded to Microsoft .NET version 4.5.2*. In addition, Oracle recommends that add-ins be recompiled against Microsoft .NET version 4.5.2* or the version of Microsoft .NET that is running on the user workstations.

    *Please note that a fault exists in Microsoft's ClickOnce application: it does not automatically detect the TLS protocol that is required at runtime. This can result in OSvC failing to start due to the Microsoft ClickOnce application failure when using Microsoft .NET version 4.5.2. For further details regarding this fault, see Error while logging in: "Could not Start Application" right after TLS 1.0 was turned off.
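
One way to check that a custom client application or middleware component no longer offers TLS 1.0 before testing it against a TEST site: the added Python example below (not Oracle code) builds a client context with a TLS 1.2 floor, captures the ClientHello it would send through an in-memory BIO, and lists the protocol versions offered. The host name `osvc.example.invalid` and all function names are placeholders chosen for this example.

```python
import contextlib
import ssl
import struct

TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def make_client_context(minimum=ssl.TLSVersion.TLSv1_2):
    ctx = ssl.create_default_context()       # certificate and hostname checks stay on
    ctx.minimum_version = minimum            # refuse anything older than `minimum`
    return ctx

def client_hello(ctx, server_name="osvc.example.invalid"):   # placeholder host name
    """Return the ClientHello the context would send; nothing touches the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    with contextlib.suppress(ssl.SSLWantReadError):   # expected: no server answers
        tls.do_handshake()
    return outgoing.read()

def offered_versions(hello):
    """Return (version codes, explicit) parsed from one ClientHello record."""
    # explicit=False: no supported_versions extension, only the maximum is visible.
    if len(hello) < 44 or hello[0] != 0x16 or hello[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                  # record header (5) + handshake header (4)
    legacy = struct.unpack_from("!H", hello, pos)[0]
    pos += 2 + 32                            # legacy_version + random
    pos += 1 + hello[pos]                    # session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]    # cipher_suites
    pos += 1 + hello[pos]                    # compression_methods
    if pos + 2 > len(hello):
        return [legacy], False               # no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        pos += 4
        if ext_type == 43:                   # supported_versions: 1-byte length + list
            return [struct.unpack_from("!H", hello, pos + 1 + i)[0]
                    for i in range(0, hello[pos], 2)], True
        pos += ext_len
    return [legacy], False

def audit(ctx):
    codes, explicit = offered_versions(client_hello(ctx))
    return {"offered": [TLS_NAMES.get(c, hex(c)) for c in codes],
            "explicit": explicit, "offers_tls10": 0x0301 in codes}

if __name__ == "__main__":
    print(audit(make_client_context()))
```

When `explicit` is False, the client sent only its maximum version, so the minimum has to be confirmed from the client's configuration rather than from the wire.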
     

Please Note:
Currently supported releases of the Service Cloud Application are fully compatible with, and will communicate via TLS 1.2 protocols. Customers are strongly urged to fully test their environment and their OSvC deployment within their environment prior to TLS 1.0 abandonment.
Oracle Service Cloud Technical Support is not responsible for any issues, including site outages, resulting from TLS 1.0 abandonment. Please ensure that you have tested fully within your environment.

  • End users who visit our Customer Portal pages using a browser with "only" TLS 1.0 enabled will likely experience errors. It is highly recommended that you proactively notify your own customers about the TLS 1.0 deprecation process, so that they have a chance to update their browser settings with TLS 1.1 and 1.2 enabled. Older browser versions that do not support TLS 1.1 and TLS 1.2 need to be upgraded.

    For instructions on how to do so, they should see the documentation for their particular browser.  For some helpful hints on how to notify your customers, please see the 'TLS 1.0 Announcement - Informing Your End Users' community post.


Again, Oracle recommends customers opt for solely using TLS version 1.2.
To prepare for this transition, Oracle strongly recommends that customers first disable these protocols in their TEST environments, ahead of the required changes in production environments.

Oracle has mandated that all use of TLS 1.0 be abandoned. In addition to the NIST recommendation below, the Payment Card Industry Security Standards Council (PCI SSC) has mandated that all organizations migrate away from TLS 1.0 to a minimum of TLS 1.1, preferably TLS 1.2.

In order for Oracle Service Cloud customers to examine their site's TLS 1.0 usage, we have created a new tool: the TLS 1.0 Log Scanner.  To use it, log in to https://cx.rightnow.com and navigate to MY SITE TOOLS.  There you will see a link in the Additional Tools section to the new TLS 1.0 Log Scanner. The TLS 1.0 Log Scanner User Guide is also available from that link.


NOTE: For Policy Automation specific implications, refer to Answer ID 8934: How does the abandoning of TLS 1.0 impact Oracle Policy Automation?

Helpful Information:
