
[Action Required by Zuora Partner Implementors] Zuora is Disabling TLS 1.0

Zuora Staff

This message is directed at partner implementors of the Zuora application.

If you are a customer of Zuora and use integration partners, please check with your partner implementor to ensure that they are prepared for this change. All Zuora product integrations have been reviewed and will not be affected.

 

What is this change?

At Zuora, our customers' trust is our #1 value, and we take the protection of our customers' data very seriously. To maintain the highest security standards and promote the protection of your data, we occasionally need to make security improvements and deprecate older encryption protocols. To maintain alignment with industry-standard best practices and comply with PCI DSS requirements, Zuora will disable the use of TLS 1.0 for inbound connections to Zuora as well as outbound callouts from Zuora.

 

What will this change affect?

This change will affect all API traffic to both API Sandbox and Production. This change will also affect all callouts from Zuora Production and API Sandbox environments to partner integrations.

 

When will this change take place?

We will take a phased approach to disabling TLS 1.0 for both inbound and outbound API calls to allow partners ample time to test and prepare.

Phase 1 - API Sandbox

On November 4th 2015, we will enable TLS 1.1 or higher on API Sandbox as the preferred protocol while still allowing TLS 1.0 connections. Partners should test TLS 1.1 connections at this time to confirm their systems can negotiate TLS 1.1 or higher.

Phase 2 - API Sandbox

On January 6th 2016, we will enforce TLS 1.1 or higher protocols only and disable TLS 1.0 connections for API Sandbox.

Phase 3 - Production

On November 18th 2015, we will enable TLS 1.1 or higher on Production as the preferred protocol while still allowing TLS 1.0 connections. Partners should test TLS 1.1 connections at this time to confirm their systems can negotiate TLS 1.1 or higher.

Phase 4 - Production

On March 1st 2016, we will enforce TLS 1.1 or higher protocols only and disable TLS 1.0 connections for Production.

 

How do I prepare for this change?

Testing should be done in the API Sandbox environment after November 4th, but before January 6th when Phase 2 is implemented.

Testing should be done in the Production environment after November 18th, but before March 1st when Phase 4 is implemented.

Integrations using Java will need to use Java 8, which supports TLS 1.1/1.2 by default. See here for more details.

Integrations that run on Windows will need to run on Windows Server 2008 R2 or higher. This generally includes most .NET applications and Microsoft Internet Information Server (IIS). Earlier versions of Windows Server do not support TLS 1.1 or TLS 1.2. See here for details.

Integrations which rely on OpenSSL should ensure they are using OpenSSL version 1.01 or newer. See here for changelogs.

 

What happens if I take no action?

If you take no action, your systems may be unable to connect to the Zuora Production or API Sandbox environments after this change is implemented. Please follow up with your local IT team to ensure you take the appropriate actions.

Please post any questions to this thread. Thanks!
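For the testing described under "How do I prepare for this change?", the following is an added example, not Zuora's code: a Python client-side check that the local TLS library can go above TLS 1.0, followed by a handshake in which TLS 1.0 is refused. The hostname is a placeholder because the page does not give one, and the page's "OpenSSL version 1.01" is read here as release 1.0.1.

```python
import socket
import ssl

# Placeholder: the page does not give the API Sandbox hostname.
API_SANDBOX_HOST = "apisandbox.example.invalid"

# Assumption: the page's "OpenSSL version 1.01" is read as release 1.0.1.
MIN_OPENSSL = (1, 0, 1)


def client_readiness(openssl_version_info=ssl.OPENSSL_VERSION_INFO,
                     has_tls11=ssl.HAS_TLSv1_1, has_tls12=ssl.HAS_TLSv1_2):
    """Report whether this runtime's TLS library can go above TLS 1.0."""
    problems = []
    if tuple(openssl_version_info[:3]) < MIN_OPENSSL:
        problems.append("OpenSSL older than 1.0.1")
    if not (has_tls11 or has_tls12):
        problems.append("TLS 1.1 and TLS 1.2 both unavailable in this build")
    return {"ready": not problems, "problems": problems}


def negotiated_version(host, port=443, timeout=10.0):
    """Handshake with TLS 1.0 refused; return the protocol version agreed on."""
    ctx = ssl.create_default_context()
    # Mirrors the enforcement phases: the client will not fall back to TLS 1.0.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def main():
    report = client_readiness()
    print(ssl.OPENSSL_VERSION, report)
    if report["ready"]:
        try:
            print("negotiated:", negotiated_version(API_SANDBOX_HOST))
        except (ssl.SSLError, OSError, ValueError) as exc:
            # A failure here means this client cannot connect without TLS 1.0.
            print("handshake failed with TLS 1.0 refused:", exc)


if __name__ == "__main__":
    main()
```

Run it from the same host and runtime that the integration uses, since the result reflects the TLS library linked into that interpreter.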