|Agent Mode||Assess & Protect|
|Main Product Category||All Contrast Agents|
In accordance with industry best practices, the Contrast SaaS instances will soon be dropping support for older, less secure protocols and setting the supported minimum TLS version to version 1.2 with an accompanying limit in the available cipher suites, as detailed in the TLSv1.2_2019 Security Policy documented here.
How will limiting the TLS and Cipher Suites available affect connectivity between Contrast Agents and the Contrast UI?
TLS Support varies by agent language and Operating System/Environment as detailed below:
For the Legacy .NET Framework Agent support for TLSv1.2 is enabled with no action required by the user except in the case where the agent is installed on a Windows 2008 or 2012 system where the installed .NET Framework version is 4.5.1 or 4.5.2. In the latter case, the following configuration option should be added to the
contrast_security.yaml file on the system:
Support for TLSv1.2 is enabled in Java versions 8 and above by default (with the caveats noted below for the IBM JRE when used with WebSphere) so no action is required by the user provided TLSv1.2 is supported by the platform.
For older versions of Java and some special cases, see the following:
|JVM||Notes||Action Required by User|
|Java 6||TLSv1.2 is not supported on this version of Java||A Java upgrade is required in this case to maintain connectivity. Please see the Note below for a workaround.|
|Oracle Java 7||TLSv1.2 is not supported in Java 7 versions prior to u95||
An upgrade to at least Oracle Java 7 u95 is required (a paid option).
|OpenJDK 7||TLSv1.2 is supported and enabled by default in versions 1.7.0_141 and later.||
This is an option for users unable to upgrade to Oracle Java 7 u95. A free download is available here.
IBM JRE 7/8 with WebSphere
|TLSv1.2 is supported but a JVM option needs to be set in older Java versions to maintain full compatibility when used with WebSphere 8.5/9||In older IBM Java versions 7 (prior to SR4 FP80 20210122) or 8 (prior to 1.8.0_281 SR6 FP5 20210115) the following WebSphere JVM option needs to be set:
|IBM JRE 7/8 with SuiteB Enabled||SuiteB is enabled by setting the JVM Option
||TLSv1.2 compatibility is not possible with this combination. Please see the Note below for a workaround.|
To configure the agent to use a Proxy, see the documentation here.
The Node.js agent configuration allows for using the Contrast Service to perform communication with the Contrast Server, or can be configured to communicate directly. In the former case - see Ruby, Python and Go, below - and in the latter, the Node.js agent supports TLSv1.2 with no action required by the user.
Ruby, Python and Go
The Ruby, Python and Go agents all communicate with the Contrast Server via an independent service (the Contrast Service) which is itself implemented in Go. For these agents, no action is required to enable TLSv1.2 support as it is already in place in the Contrast Service