SaaS applications such as Salesforce, Zuora and Stripe announced that they would begin disabling the TLS 1.0/TLS 1.1 encryption protocols in a phased approach.
If you use Java 7 with the Salesforce Connector in WSO2 ESB, you may receive the following error when trying to connect to the Salesforce API.
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sf="urn:fault.partner.soap.sforce.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Body>
        <soapenv:Fault>
            <faultcode>sf:UNSUPPORTED_CLIENT</faultcode>
            <faultstring>UNSUPPORTED_CLIENT: TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https.</faultstring>
            <detail>
                <sf:UnexpectedErrorFault xsi:type="sf:UnexpectedErrorFault">
                    <sf:exceptionCode>UNSUPPORTED_CLIENT</sf:exceptionCode>
                    <sf:exceptionMessage>TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https.</sf:exceptionMessage>
                    <sf:upgradeURL>https://cs27.salesforce.com/secur/weakhttps.jsp?l=1</sf:upgradeURL>
                    <sf:upgradeMessage>Stronger security is required</sf:upgradeMessage>
                </sf:UnexpectedErrorFault>
            </detail>
        </soapenv:Fault>
    </soapenv:Body>
</soapenv:Envelope>
You get this error because TLS v1.0 is enabled by default in Java 7. Let's see how to configure WSO2 ESB so that the Salesforce Connector uses TLSv1.1/TLSv1.2.
Open <ESB_HOME>/repository/conf/axis2/axis2.xml and add the <parameter name="HttpsProtocols">TLSv1.1,TLSv1.2</parameter> entry inside the PassThroughHttpSSLListener and PassThroughHttpSSLSender elements.
<transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
    .....
    <parameter name="HttpsProtocols">TLSv1.1,TLSv1.2</parameter>
    .....
</transportReceiver>
<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
    .....
    <parameter name="HttpsProtocols">TLSv1.1,TLSv1.2</parameter>
    .....
</transportSender>
To make sure that the configurations are all set correctly, build the TestSSLServer.jar from GitHub and run it.
$ java -jar TestSSLServer.jar <server_name_or_ip> <port>
e.g.:
$ java -jar TestSSLServer.jar localhost 8243
For Java 8, TLSv1.2 is the default, so if you use Java 8, you don't need to configure the above parameter.
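A static check of the axis2.xml change described above, complementing the live TestSSLServer scan. This is an added example, not code from the original post or from WSO2; the function name, the sample configuration and the finding messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Transport classes named on this page, mapped to the element that declares them.
TARGETS = {
    "org.apache.synapse.transport.passthru.PassThroughHttpSSLListener": "transportReceiver",
    "org.apache.synapse.transport.passthru.PassThroughHttpSSLSender": "transportSender",
}
# JSSE protocol names for TLS 1.0 and the older SSL versions.
WEAK = {"TLSv1", "SSLv3", "SSLv2Hello"}

# Constructed sample: the sender is configured, the listener is not.
SAMPLE_AXIS2 = """<axisconfig name="AxisJava2.0">
  <transportReceiver name="https"
      class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
    <parameter name="port">8243</parameter>
  </transportReceiver>
  <transportSender name="https"
      class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
    <parameter name="HttpsProtocols">TLSv1.1,TLSv1.2</parameter>
  </transportSender>
</axisconfig>"""

def audit_https_protocols(axis2_xml):
    """Return a list of findings; an empty list means both transports are pinned."""
    root = ET.fromstring(axis2_xml)  # commented-out transports are ignored by the parser
    findings = []
    for cls, tag in TARGETS.items():
        short = cls.rsplit(".", 1)[1]
        elems = [e for e in root.iter(tag) if e.get("class") == cls]
        if not elems:
            findings.append(f"{short}: transport not declared")
        for elem in elems:
            params = [p for p in elem.findall("parameter")
                      if p.get("name") == "HttpsProtocols"]
            if not params:
                findings.append(f"{short}: HttpsProtocols missing, JVM default applies")
                continue
            protocols = {v.strip() for v in (params[0].text or "").split(",") if v.strip()}
            weak = sorted(protocols & WEAK)
            if weak:
                findings.append(f"{short}: weak protocol(s) enabled: {', '.join(weak)}")
            elif not protocols:
                findings.append(f"{short}: HttpsProtocols is empty")
    return findings

if __name__ == "__main__":
    for line in audit_https_protocols(SAMPLE_AXIS2) or ["OK: both transports restricted"]:
        print(line)
```

To check a real installation, pass the contents of <ESB_HOME>/repository/conf/axis2/axis2.xml to audit_https_protocols instead of the sample string.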
References
- https://docs.wso2.com/display/ESB490/Configuring+Transport+Level+Security
- https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https
- https://help.salesforce.com/apex/HTViewSolution?id=000221207
- http://community.zuora.com/t5/Zuora-Announcements/Action-Required-Zuora-is-Disabling-TLS-1-0/ba-p/2177
- https://stripe.com/blog/upgrading-tls
- https://blogs.oracle.com/java-platform-group/entry/java_8_will_use_tls
- http://www.bolet.org/TestSSLServer/
Thank you for sharing such an informative article. I really hope I can see other interesting posts. Keep up the good work!