How to configure Atomia applications (version older than 21.5.*) to use TLS 1.2.
Overview
You may need to disable SSL3, TLS 1.0 and TLS 1.1 and use only a newer version of the protocol, such as TLS 1.2. If you want to disable the older protocols and use only TLS 1.2, you will need to:
- Install a .NET framework patch
- Configure Atomia applications to use TLS 1.2
- Make sure your database supports TLS 1.2
Updating .NET framework
If you do not update your servers regularly, you will need to install the patch that adds TLS 1.2 support to the .NET Framework. For example, you can install one of the following two updates:
- 2017-09 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on Windows 8.1 and Server 2012 R2 for x64
- 2017-11 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on Windows 8.1 and Server 2012 R2 for x64
Configuring Atomia
You need to change the configuration of the Atomia applications and insert the following three flags to enable TLS 1.2:
- Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols=false
- Switch.System.ServiceModel.DontEnableSystemDefaultTlsVersions=false
- Switch.System.Net.DontEnableSchUseStrongCrypto=false
You can do this by downloading and applying the following transformation files:
Billing API:
C:\Program Files (x86)\Atomia\BillingAPIs\AccountApi\Transformation Files\Web.config.ConfigurableTls.config
C:\Program Files (x86)\Atomia\BillingAPIs\BillingApi\Transformation Files\Web.config.ConfigurableTls.config
C:\Program Files (x86)\Atomia\BillingAPIs\OrderApi\Transformation Files\Web.config.ConfigurableTls.config
C:\Program Files (x86)\Atomia\BillingAPIs\TickerService\Transformation Files\Atomia.Billing.Services.TickerService.exe.config.ConfigurableTls.config
Identity:
C:\Program Files (x86)\Atomia\Identity\STS\Transformation Files\Web.config.ConfigurableTls.config
C:\Program Files (x86)\Atomia\Identity\UserAPI\Transformation Files\Web.config.ConfigurableTls.config
GUI applications:
C:\Program Files (x86)\Atomia\Store\Transformation Files\Web.config.ConfigurableTls.config
C:\Program Files (x86)\Atomia\AdminPanel\Transformation Files\Web.config.ConfigurableTls.config
C:\Program Files (x86)\Atomia\BillingCustomerPanel\Transformation Files\Web.config.ConfigurableTls.config
C:\Program Files (x86)\Atomia\HostingControlPanel\Transformation Files\Web.config.ConfigurableTls.Insert.config
Automation server:
C:\Program Files (x86)\Atomia\AutomationServer\Web\Transformation Files\Web.config.ConfigurableTls.config
C:\Program Files (x86)\Atomia\AutomationServer\Client\Transformation Files\AutomationServerClient.exe.config.ConfigurableTls.config
C:\Program Files (x86)\Atomia\AutomationServer\AutomationServerEngine\Transformation Files\Atomia.Provisioning.MessageQueueListener.exe.config.ConfigurableTls.config
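A check you can run after the transformation files have been applied, as an added example that is not part of Atomia's tooling: it reports whether each of the three flags is present and set to false in a .NET configuration file. It assumes the flags end up in one of the two standard .NET locations (the AppContextSwitchOverrides element or AppContext.SetSwitch: keys in appSettings), since the page does not show the contents of the transformation files; the function name Test-TlsSwitches and the sample configuration are constructed for illustration.

```powershell
# Added example (not Atomia code): report the state of the three TLS flags
# in a .NET config file after a transformation has been applied.
$RequiredSwitches = @(
    'Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols',
    'Switch.System.ServiceModel.DontEnableSystemDefaultTlsVersions',
    'Switch.System.Net.DontEnableSchUseStrongCrypto'
)

function Test-TlsSwitches {
    param([Parameter(Mandatory)][xml]$Config)
    $found = @{}   # switch name -> configured value

    # Form 1: <runtime><AppContextSwitchOverrides value="A=false;B=false" />
    $node = $Config.SelectSingleNode('/configuration/runtime/AppContextSwitchOverrides')
    if ($node) {
        foreach ($pair in ($node.GetAttribute('value') -split ';')) {
            $key, $val = $pair -split '=', 2
            if ($key) { $found[$key.Trim()] = "$val".Trim() }
        }
    }
    # Form 2 (ASP.NET): <appSettings><add key="AppContext.SetSwitch:A" value="false" />
    $prefix = 'AppContext.SetSwitch:'
    foreach ($add in $Config.SelectNodes('/configuration/appSettings/add')) {
        $key = $add.GetAttribute('key')
        if ($key.StartsWith($prefix)) {
            $found[$key.Substring($prefix.Length)] = $add.GetAttribute('value').Trim()
        }
    }
    # A flag that is absent or not "false" leaves the legacy behaviour in place.
    foreach ($name in $RequiredSwitches) {
        $state = 'Missing'
        if ($found.ContainsKey($name)) {
            $state = if ($found[$name] -eq 'false') { 'OK' } else { 'WrongValue' }
        }
        [pscustomobject]@{ Switch = $name; State = $state }
    }
}

# Constructed sample: one flag correct, one absent, one set to the wrong value.
$sample = @'
<configuration>
  <appSettings>
    <add key="AppContext.SetSwitch:Switch.System.Net.DontEnableSchUseStrongCrypto" value="true" />
  </appSettings>
  <runtime>
    <AppContextSwitchOverrides value="Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols=false" />
  </runtime>
</configuration>
'@
Test-TlsSwitches -Config ([xml]$sample) | Format-Table -AutoSize
```

To audit a deployed application, pass its live configuration file instead of the sample, for example `Test-TlsSwitches -Config ([xml](Get-Content -Raw $path))` with `$path` pointing at that application's Web.config or .exe.config.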
Updating database
If you are using Microsoft SQL Server, make sure that you have a version that supports TLS 1.2. If your SQL Server does not support TLS 1.2, you will need to install a patch/update for TLS. You can find more information on the link.