IBM Support

MaaS360 Product Suite TLS v1.2 Weak Cipher Suite Deprecation Notice

Flashes (Alerts)


Abstract

MaaS360 TLS v1.2 Weak Cipher Deprecation - (Platform Deprecation set for October 2021)

Content

What is TLS?

The primary goal of the TLS (Transportation Layer Security) protocol is to provide privacy and data integrity between two communicating applications. The protocol is composed of two layers: TLS Record Protocol and TLS Handshake Protocol.  At the lowest level, layered on top of some reliable transport protocol (e.g., TCP), is the TLS Record Protocol.  It is the most widely deployed security protocol used today.  It is used for web browsers and other applications that require data to be securely exchanged over a network or internet. TLS ensures that a connection to a remote endpoint is the intended endpoint through encryption and endpoint identity verification. The versions of TLS available today are TLS 1.0, 1.1, 1.2, 1.3.  The MaaS360 platform supports only TLS 1.2. 

How this relates to the MaaS360 Product Suite

IBM MaaS360 will start deprecating support for TLS 1.2 weak Cipher and will disable encryption protocol across services.

Cipher Details

TLS 1.2 Ciphers currently supported by MaaS360
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA*
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA*
*Weak ciphers to be deprecated in Oct. 


MaaS360 continues to align with the PCI security standards and ensure highest security and safety of your data. The deprecation will have impact on all MaaS360 customers currently using TLS 1.2, and it is advised that you check if you're going to be affected. MaaS360 solution contains the platform, on-premise agents and mobile apps; each component will have a different path of upgrade and the below information will outline the areas where this deprecation will be affected.   After the deprecation occurs on the MaaS360 platform, any agent that has not been upgraded will no longer be able to connect and be managed by the platform. 

MaaS360 TLS Platform deprecation will occur on October 2021, exact date TBD.   Please review section below for details.  

Described below are the compatibilities across MaaS360 Apps, Agents, Web Services, and Web Browsers:

  • Android Apps, SDK and App Wrapping
  • iOS Apps, SDK and App Wrapping
  • macOS Agents
  • Cloud Extender and MEG Agents
  • Windows/WinPhoneApps and Agents
  • WebServices

Android Apps, SDK and App Wrapping

MaaS360 discontinues support for the devices running Android OS versions below 5.0 (Android L). 

MaaS360 Offering OS Version Impact Required Action

Android SDK

Android Wrapping

MaaS360 for Android Apps

Below 5.0 Android devices below OS 5.0 (L) will not be able to communicate with the MaaS360 portal after the TLS 1.2 weak ciphers are deprecated on the Portal. Android device below OS 5.0 will need to be upgraded to OS 5.0 or greater.  If device is unable to be upgraded, it will not be able to be managed by the MaaS360 Portal after the portal has deprecated the TLS 1.2 weak ciphers.  These devices should be replaced with a device that can be upgraded.

iOS Apps, SDK and App Wrapping

MaaS360 discontinues support for the devices running iOS OS versions below 9.0. 
MaaS360 Offering OS Version Impact Required Action

iOS SDK

iOS Wrapping

MaaS360 for iOS Apps

Below 9.0 iOS devices below OS9.0 will not be able to communicate with the MaaS360 portal after the TLS 1.2 weak ciphers are deprecated on the Portal. iOS device below OS 9.0 will need to be upgraded to OS 9.0 or greater.  If device is unable to be upgraded, it will not be able to be managed by the MaaS360 Portal after the portal has deprecated the TLS 1.2 weak ciphers.  These devices should be replaced with a device that can be upgraded.

macOS Agents

MaaS360 discontinues support for the devices running macOS versions below 10.11. 

MaaS360 Offering OS Version Impact Required Action

macOS

Below 10.11 macOS devices below OS 10.11 will not be able to communicate with the MaaS360 portal after the TLS 1.2 weak ciphers are deprecated on the Portal. macOS device below OS 10.11 will need to be upgraded to OS 10.11 or greater.  If device is unable to be upgraded, it will not be able to be managed by the MaaS360 Portal after the portal has deprecated the TLS 1.2 weak ciphers.  These devices should be replaced with a device that can be upgraded.

Cloud Extender and MEG Agents

No Action required. The Cloud Extender(CE) and Mobile Enterprise Gateway (MEG) services are comprised of two components: the core agent and modules.  Neither the core agent or modules are impacted. 

Windows/DTM Apps and Agents

No Action required. The Windows and DTM agents all work with no impact. 

Web Services

For those customers using WebServices/API's on the MaaS360 Platform, the API client used on the Customer side may require adjustments or upgrades. Please check with your client's documentation on how to upgrade to TLS 1.2 support.

Steps to check for API compatibility

  1. Set up an API client in a test environment. This could be any software or library that you are using to integrate to MaaS360 or any custom integration code that you have written. The examples cited in this write up uses python as a client language. This could be Java or any other language in your environment.
  2. A web service client usually makes GET and POST requests to servers.
  3. Using your client test environment, make a GET request to the following URL https://tlstest.maas360.com/.
  4. Your version of client library should be able to make a successful GET request to the URL above and receive a result of "0". This response means that underlying TLS v1.2 with ciphers deprecated connection is successful.
  5. If you get anything other than "0" in the result, it would indicate that the client you have could not make a successful connection to our servers which has TLS v1.2 with ciphers deprecated. You need to upgrade your client library which supports TLS v1.2 ciphers  and run the same test to confirm you are getting a result of "0". 

An example of doing this in a python script is as follows:
  import requests
  url = "https://tlstest.maas360.com/"
  data = requests.get(url)._content
  assert data == "0"

If you are using python for consuming MaaS360 web services then, run this code to see if your client connects to a URL that has TLS v1.2 with ciphers deprecated.

Note: If you are using a different programming language, you can write similar code in that environment language and verify using the test URL if the client works with the URL that has TLS v1.2 with ciphers deprecated.

[{"Type":"none","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSYSXX","label":"IBM MaaS360"},"ARM Category":[{"code":"a8m0z0000000712AAA","label":"INTEGRATIONS"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
12 May 2021

UID

ibm16439547