Symantec Access Management

  • 1.  CA SPS support for TLS 1.2

    Posted Oct 05, 2016 10:38 AM

    My understanding is SPS (12.52 SP1 CRxx) as a server (Apache) can support TLS 1.2 and TLS 1.2. But SPS as a client (Tomcat) cannot currently request a TLSv1.1 or TLS 1.2 connection to the back-end server. Is that correct? Does CA have a roadmap for when SPS can fully support TLS 1.2?



  • 2.  Re: CA SPS support for TLS 1.2
    Best Answer

    Posted Oct 05, 2016 05:16 PM

    http://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec1873991.html


    For browser to SPS Apache connection: TLS 1.1 and TLS 1.2 support is included in SPS R12.52 SP1 CR02 and higher.

    For SPS Server (Tomcat) to Backend Application Server connection: TLS 1.1 and TLS 1.2 support is included in SPS 12.52 SP1 CR04 and higher.



  • 3.  Re: CA SPS support for TLS 1.2

    Posted Oct 06, 2016 03:15 PM

    Thanks, Ujwol. What is the latest SPS version available? Is SPS version 12.52 SP2 CR01 available like the policy server?



  • 4.  Re: CA SPS support for TLS 1.2

    Posted Oct 06, 2016 04:40 PM

    12.52SP1CR5

    12.52SP2CR1

    12.6 (soon to be released)


    However, you cannot assume that SP(X+1) will include all the fixes from SP(X).

    Each is on its own code branch.


    So, 12.52SP2CR1 even if released after 12.52SP1CR5 might not have all the fixes included in CR5.



  • 5.  Re: CA SPS support for TLS 1.2

    Posted Oct 07, 2016 12:31 PM

    Thanks, Ujwol. If 12.52SP2CR1 doesn't have all fixes included in 12.52SP1CR5, how can we choose the version that has all the fixes included? 12.52SP2CR1 has full support (browser -> SPS and SPS -> backend server) for TLS 1.2.

    We are deploying SPS on new servers and would like to go with the latest SPS version that has all fixes and enhancements. Which version (12.52SP2CR1 or 12.52SP1CR5) would you recommend?



  • 6.  Re: CA SPS support for TLS 1.2

    Posted Oct 07, 2016 02:20 PM
    Unfortunately, no version can be defect free.

    It will get more stable once the product matures but there will still be defects.


    I would suggest reviewing the fixes and enhancements included in the individual CRs (available in the docops) to make this consideration.


    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr06


    https://docops.ca.com/ca-single-sign-on/12-52-sp2/en/release-notes/cumulative-releases


    (It seems on 12.52SP1 we now have CR6 as well)


  • 7.  Re: CA SPS support for TLS 1.2

    Posted Oct 07, 2016 02:25 PM

    I think for this particular case our choice is simple, as we do not seem to have SPS availability for 12.52SP2/12.52SP2CR1. Only the policy server is released.


    So my suggestion would be to go with 12.52SP1CR6 for SPS.



  • 8.  Re: CA SPS support for TLS 1.2

    Posted Oct 07, 2016 03:13 PM

    Alright, we will go with SPS version 12.52SP1CR6 as 12.52 SP2 is still not available. Thanks for your reply.



  • 9.  Re: CA SPS support for TLS 1.2

    Posted Oct 07, 2016 03:21 PM

    Please mark this thread as answered.



  • 10.  Re: CA SPS support for TLS 1.2

    Posted Oct 07, 2016 03:47 PM

    Sorry, how do I mark the thread as answered?



  • 11.  Re: CA SPS support for TLS 1.2

    Posted Oct 09, 2016 06:23 PM

    Oh, this was set as "Discussion" previously, so you didn't have the option to mark the correct answer.

    I have changed this to Question now, so you should be seeing the option to mark the correct answer.


    Cheers,

    Ujwol