Happy Business Starts Here

[Action Required] Zuora is Disabling TLS 1.1

Zuora Staff

What is this change?  

At Zuora, our customers trust is our #1 value, and we take the protection of our customers' data very seriously. To maintain the highest security standards and promote the protection of your data, we occasionally need to make security improvements and deprecate older encryption protocols. To maintain alignment with industry standard best practices and comply with PCI DSS requirements, Zuora will disable the use of TLS 1.1 for inbound connections to Zuora as well outbound callouts from Zuora.

 

What will this change affect? 

This change could affect all incoming web browser based traffic as well as API traffic to both API Sandbox and Production in all Zuora data-centers. 

 
Why Is TLS 1.2 important?

Due to increased computing power and discovered weaknesses found in TLS v1.0 and v1.1, many websites and internet services now require the use of TLS v1.2. The latest PCI compliance standards strongly encourage that any site accepting credit card payments use TLS v1.2.

Moving to TLS v1.2 will improve the security of the data sent between you and Zuora

When will this change take place? 

We will take a phased approach to disabling TLS 1.1 for both inbound and outbound API calls to allow customers ample time to test and ensure your preparation.

 

Phase 1 - Zuora Billing API Sandbox and all NON production Zuora Billing environments

On Monday October 26, 2020 from 8 AM PST - 1 PM PST, we will begin to enforce TLS 1.2 protocol only and disable TLS 1.1 connections

 

Phase 2 - Zuora Billing - All Production environments

On Saturday November 14 2020 from 4 PM PST - 9 PM PST, we will begin to enforce TLS 1.2 protocol only and disable TLS 1.1 connections.  Timing is aligned with our previously announced Q4 maintenance announcement [link].  Additional timing details on this maintenance will also be provided in a separate post linked to this article


Inbound Preparation (API Test endpoints) 

For Inbound API testing, using the following endpoints listed below based on your need to test TLS 1.2 connections to your API Sandbox environment:

 

Here are the test endpoints for validating support of TLS 1.2 - To clarify, these endpoints are for API Sandbox only for all data-centers and currently support TLS 1.2.  A successful connection to these endpoints confirms your integration should not be impacted when we deprecate TLS 1.1

US Hosted API Sandbox
SOAP: https://tls12-apisandbox.zuora.com/
REST: https://tls12-rest.apisandbox.zuora.com/


US Cloud API Sandbox 
REST: https://tls12-rest.sandbox.na.zuora.com

EU Cloud API Sandbox
REST: https://tls12-rest.sandbox.eu.zuora.com



What do I need to do? 

Please work with your local IT, Security, and Engineering teams, or whomever supports and maintains your Zuora API integration to validate your APIs can successfully negotiate a TLS 1.2 SSL connection.   The good news is that following the TLS 1.0 depreciation several years back, most modern API platforms should support the latest available SSL protocols, which include TLS 1.2, however each customer needs to validate and verify accordingly. 


What happens if I take no action? 

Failure to make any necessary changes before November 14, 2020 to support TLS 1.2 may result in a potential disruption of Zuora services for your integration.

Customers are advised to immediately perform the necessary validating steps or changes to ensure support for protocol versions  TLS 1.2.   If you have made the necessary changes, no further action is required on your part.

 

Zuora Global Support is readily available to answer any additional questions you may have.   Please contact Zuora Billing Support at support@zuora.com, or by our Customer Support Portal  

 

 





1 Comment
Zuora Staff

Here are the test endpoints for validating support of TLS 1.2 (also added to the original article above).

To clarify, these endpoints are for API Sandbox only for all data-centers and currently support TLS 1.2.  A successful connection to these endpoints confirms your integration should not be impacted when we deprecate TLS 1.1.  Existing SSL Certificates for API Sandbox Environments should work for these test endpoints if required on your integration.  


US Hosted API Sandbox

SOAP: https://tls12-apisandbox.zuora.com/
REST: https://tls12-rest.apisandbox.zuora.com/


US Cloud API Sandbox

REST: https://tls12-rest.sandbox.na.zuora.com


EU Cloud API Sandbox

REST: https://tls12-rest.sandbox.eu.zuora.com