Topics on this page
Use TLS 1.2 with Workload Security
Topics on this page:
Figure 1 shows the TLS communication in a Workload Security environment. You can see that 10.0 or higher agents communicate with Workload Security over TLS 1.2, while 9.6 versions communicate over early TLS. Similarly, newer third-party applications use TLS 1.2, while older ones use early TLS.
Figure 1: TLS communication in a Workload Security environment:
Enable the TLS 1.2 architecture
To enable TLS 1.2 in your Workload Security environment, you may need to upgrade your agents and relays. Follow these guidelines:
- If you have 9.6 agents in your environment, you must upgrade them to 10.0 or later. Only 10.0 or later agents support TLS 1.2.
- If you have 9.6 relays in your environment, you must upgrade them to 10.0 or later. Only 10.0 or later relays support TLS 1.2.
First, upgrade your agents:
- See Upgrade the agent.
Next, upgrade your relays:
- See Upgrade a relay.
Next steps (deploy new agents and relays)
After setting up your TLS 1.2 environment, if you decide to Use a deployment script (among other methods) to deploy new agents and relays, adhere to the guidelines below.
Guidelines for using deployment scripts
- If you are deploying an agent or relay onto Windows computers, use PowerShell 4.0 or higher, which uses TLS 1.2 to communicate with the manager or relay to obtain agent software and install it.
- If you are deploying an agent or relay onto Linux, use curl 7.34.0 or higher. This version uses TLS 1.2 to communicate with the manager or relay to obtain agent software and install it.
- If you are deploying onto Red Hat Enterprise Linux 6 which uses curl 7.19 by default, upgrade to curl 7.34.0 or later. If you can't upgrade curl, see the next step for a workaround.
- If you are deploying onto Windows XP, 2003, or 2008, where PowerShell 4.0 is not supported, remove these lines:
#requires -version 4.0
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;