Community News

 View Only
Expand all | Collapse all

[Action Required] Zuora is Disabling TLS 1.0

  • 1.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 01-06-2016 16:05

    See updates in Red [06/03/16]

     

    What is this change?  

    At Zuora, our customers trust is our #1 value, and we take the protection of our customers' data very seriously. To maintain the highest security standards and promote the protection of your data, we occasionally need to make security improvements and deprecate older encryption protocols. To maintain alignment with industry standard best practices and comply with PCI DSS requirements, Zuora will disable the use of TLS 1.0 for inbound connections to Zuora as well outbound callouts from Zuora.

     

    What will this change affect? 

    This change will affect all incoming web browser based traffic as well as API traffic to both API Sandbox and Production. 

     

    When will this change take place? 

    We will take a phased approached to disabling TLS 1.0 for both inbound and outbound API calls to allow customers ample time to test and ensure your preparation.

     

    Phase 1 - APISandbox and Services Environment

    On February 4th 2016 from 7 AM PST - 11 AM PST, we will enforce TLS 1.1 or higher protocols only and disable TLS 1.0 connections for API Sandbox. 

     

    From March 17th-31st 2016 7AM PST - 11AM PST, we will enforce TLS 1.1 or higher protocols only and disable TLS 1.0 connections for Services. For the specific implementation date for your service tenant, please submit a ticket through our Support Center.

     

    Services Deployment Schedule

    3/17/2016 Services environments with suffix ranging from 101-266

    3/24/2016 Services environments with suffix ranging from 276-385

    3/31/2016 All other Services environments

     

    Phase 2 - Production [UPDATED 06/03/16]

    Zuora will disable TLS 1.0 for all inbound calls to production on October 13th, 2016. This change will impact all channels including SOAP APIs, REST APIs and browser based traffic (UI).
     

    How do I prepare for this change?  

    We have split up the preparation section to cover inbound calls to Zuora for browser based traffic as well as API based traffic. 

    Testing should be done prior to Feb 4th 2016 when we make the change in API Sandbox. 

     

    Inbound Preparation (API and Web Browsing) 

    For Inbound API testing, using the following endpoints listed below based on your need to test SOAP or REST APIs.

    TLS1 endpoints below have been decomissioned as of 2/4/16

    See the table below for common libraries and their compatibility with TLS 1.1 or higher. If the library you use is not listed here, please reach out to your software vendor for more information regarding support for TLS 1.1 or higher. 

     

    Library       

    TLS 1.1/1.2 Compatibility Notes

    Java 8 (1.8) and higher

    Compatible by default

    Java 7 (1.7)

    See Java documentation to enable TLS 1.1 and TLS 1.2

    Java 6 (1.6) and below

    Not compatible with TLS 1.1 or higher encryption

    .NET 4.5 and higher

    Compatible by default

    .NET 4.0

    TLS 1.2 not enabled by default. To enable TLS 1.2, it is possible to set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319".

    .NET 3.5 and below

    Not compatible with TLS 1.1 or higher encryption

    Python 2.7.9 and higher

    Compatible by default

    Python 2.7.8 and below

    Not compatible with TLS 1.1 or higher encryption

    Ruby 2.0.0

    TLS 1.2 is enabled by default when used with OpenSSL 1.0.1 or higher. Using the :TLSv1_2 (preferred) or :TLSv1_1 symbols with an SSLContext's ssl_version ensures TLS 1.0 or earlier is disabled

    Ruby 1.9.3 and below

    The :TLSv1_2 symbol does not exist in 1.9.3 and below. It can be patch to add that symbol and compile Ruby with OpenSSL 1.0.1 or higher

    Windows Server 2008 R2 and higher

    Compatible by default

    Windows Server 2008 and below

    Not compatible with TLS 1.1 or higher encryption

    OpenSSL 1.0.1 and higher

    Compatible by default

    OpenSSL 1.0.0 and below

    Not compatible with TLS 1.1 or higher encryption

    Mozilla NSS 3.15.1 and higher

    Compatible by default

    Mozilla NSS 3.14 to 3.15

    Compatible with TLS 1.1, but not with TLS 1.2

    Mozilla NS 3.13.6 and below

    Not compatible with TLS 1.1 or higher encryption

     

    Inbound Browser Preparation


    To test web browsing, first ensure your browser meets Zuoras Browser Support Policy found here

    Once you have confirmed you are using a supported browser and version, surf to  https://tls1.apisandbox.zuora.com/apps/newlogin.do and login to confirm you can access the environment. Below is table listing the version of supported browsers and their support for TLS 1.1 or higher.


    Browser

    Compatibility

    Desktop and mobile IE version 11

    Compatible by default

    Desktop IE versions 9 and 10

    Capable when run in Windows 7 or newer, but not by default

    Microsoft Edge

    Compatible by default

    Firefox 27 and higher

    Compatible by default

    Google Chrome 38 and higher

    Compatible by default

    Mobile Safari versions 5 and higher

    Compatible by default


    Outbound Preparation (API) 

    Integrations using Java will need to use Java 8 which supports TLS 1.1/1.2 by default. See here for more details.   

    Integrations that run on Windows will need to run on Windows Server 2008 R2 or higher. This generally includes most .NET applications and Microsoft Internet Information Server (IIS). Earlier versions of Windows Server do not support TLS 1.1 or TLS 1.2. See here for details. 

    Integrations which rely on OpenSSL should ensure they are using OpenSSL version 1.01 or newer. See here for changelogs.

     

    What happens if I take no action? 

    Customers are advised to immediately perform the necessary changes  to ensure support for protocol versions  TLS 1.1 or higher.. If you have made the necessary changes, no further action is required on your part.

     

    Failure to make the necessary changes before October, 13th, 2016 to support TLS 1.1 or higher will result in a disruption of Zuora services for your integration.


    Zuora Global Support is readily available to answer any additional questions you may have.   

    Please contact us at +1-650-779-4993 or at support@zuora.com.  

     

     


    #Announcement


  • 2.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 01-18-2016 18:21

    Frequently Asked Questions:

     

    Q. Do we have a Test Endpoint like Salesforce has https://tls1test.salesforce.com to validate TSLv1.1 and above compatibility before even switching Sandboxes?

    A. For Inbound API testing of TLS 1.1 or higher use the following endpoints listed below based on your need to test SOAP or REST APIs.

    SOAP API Interface: https://tls1.apisandbox.zuora.com/apps/services/a/68.0
    REST API Interface: https://tls1.apisandbox.zuora.com/rest/v1/

     

    Q: How do I verify if my browser support TLS 1.1 and above

    A: User could always verify SSL/TLS protocol versions you browser supports by accessing the site https://www.ssllabs.com/ssltest/viewMyClient.html using browser you intend to confirm. Look for Your user agent has good protocol support or specific version support under Protocol Features section.

     


    Q: How does this affect Salesforce (or other integrations - Avalara, Netsuite, Payment gateways, etc) - do we need to contact anyone or take action elsewhere?

    A: Tenants do not need to contact any third parties who are integrated with Zuora. We are in contact with all third parties to ensure coordination for this change to avoid any disruptions to service.


    Q: Do we need to restart our application after this change?

     

    A: The change itself on Zuora's end is an online, non-disruptive change. However some applications and SSL implementation are known to cache SSL attributes for longer duration. Thus in case any prior connection established using TLS 1.0 before this version is disabled, might require an application restart to initiate new connections on TLS 1.1 or above. Again, this is not typical or usual behaviour and depends upon SSL Client implementation.



  • 3.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 01-25-2016 10:07
    Salesforce has pushed out disabling TLS1.0, is Zuora still going to follow above published schedule?


  • 4.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 01-26-2016 00:32

     Hello Shalabh, 

     

    We plan to continue disabling TLS 1.0 as per plan. Since Salesforce do support TLS 1.1 and higher for all callouts of Salesforce we should be OK with any such dependent integration. We will keep you posted in case any change in execution plan. 

     

    Thank you

    Bibek



  • 5.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 01-29-2016 11:40

    Hi Bibek, 

     

    We are using Oracle SOA suite 11g for Zuora Integeration.  Currently oracle is facing major bug which is casuing hand shake failure for TLS1.1 and Above. They are looking into this with High priority but not any timeline has specified. I assume, this would affect most of your customer base as well. We would appreciate if zuora team decide to defer execution plan same like Salesforce. 

     

    Thanks,



  • 6.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 01-29-2016 11:53

    Hello @sapatel

     

    Thank you for bringing this to our attention. Our Security Team will definitely look into the details of this Oracle bug you've mentioned and will let you know their thoughts.



  • 7.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 01-29-2016 12:36

     

    Hello @sapatel

     

    Thank you for bringing this to our attention. It would be great if you could provide Oracle bug# for us to track and get more details. Also, does this bug currently impact your integration with Sandbox or Production or both ? Also, we reccomend checking with Oracle if there is a workaround to support TLS 1.1 and above while permanent bugfix is released.

     

    Thanks

    Bibek



  • 8.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 01-29-2016 13:12

    Hi Bibek, 

     

    Here is Oracel Bug # 22606743. We have found that and raised to Oracle. Oracle has accepted that and their Development currently working on  it. 

    This bug will impact both Sandbox & Production instance as Zuora move forward with disabling TLS1.0. 

     

    No Workaround in place at the moment. 

     

    Thanks,
    Sagar.



  • 9.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 01-29-2016 13:18

    One more Sales Force related bug for your referece.. Oracle Bug # 22575721. 

     

    Thanks

    Sagar. 



  • 10.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 02-02-2016 17:01

     Hi folks

     

    Just a general reminder - The API Sandbox Test endpoint (tls1.apisandbox.zuora.com) will not be available after 2/4 change.  Thanks



  • 11.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 02-03-2016 11:10

    I am using the AQuA API to get data.  Are these endpoints affected by TLS 1.1?

     

    POST https://www.zuora.com/apps/api/batch-query/

    POST https://apisandbox.zuora.com/apps/api/batch-query/



  • 12.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 02-03-2016 12:24

    @kgarosshen

     

    Thank you for bringing this up.  Yes, to conform the changes described above also apply to the AQuA API



  • 13.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 02-03-2016 18:03

    additional information...

     

     

    Due to security incompatibility on the side of the Apigee Dev Console tool when we disable TLS 1.0 for API Sandbox on February 4, 2016, please cease the use of the Apigee Developer Console tool. We are also working to update the Knowledge Center article to remove links to the tool. There are many alternatives that work well and do not have security issues. Two alternatives are the Chrome plugins linked below:

     



  • 14.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 02-04-2016 12:15

    All

     

    The phase 1 deployment has begun

     

    Phase 1 - APISandbox 

    On February 4th 2016 from 7 AM PST - 11 AM PST, we will enforce TLS 1.1 or higher protocols only and disable TLS 1.0 connections for API Sandbox.

     

     

    As outlined above, this deployment will take approximately 2 hours to propogate through the Akamai network



  • 15.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 02-04-2016 13:51

    Hi there! 

     

    Can you please advise of the schedule for disabling TLS 1.0 in Services Sandboxes?  

     

    Thanks!

     

    Steph

     



  • 16.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 02-04-2016 13:52

    All,

     

    This change will also impact Performance Test environment (Endpoint: pt1.zuora.com). TLS 1.0 will not be supported in PT1 environment as of today once the change takes effect.

     

    Please feel free to reach out to us in case you have any question.

     

    Thanks
    Bibek



  • 17.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 02-04-2016 14:43

    Hi folks

     

    We can confirm the API Sandbox TLS 1.0 disablement has been completed.  



  • 18.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 02-04-2016 17:58

    The https://tls1.apisandbox.zuora.com/apps/api/batch-query/

    is not found when trying to hit the url.  A server not found message appears.  Is the server available?

     

     



  • 19.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 02-04-2016 18:28

    nevermind - I see the URL has changed, and now doesn't resolve...



  • 20.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 02-04-2016 18:42

    @kgarosshen - tls1.apisandbox.zuora.com endpoint was removed as outlined above posts

     

     



  • 21.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 02-04-2016 19:18

    @kshenk

    Not enough context to respond to this or tell what the issue is.  

    What version of curl are you using as some earlier versions require an update to support TLS 1.1+



  • 22.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 02-04-2016 19:37

    @scottb

    Thanks, we believe we've gotten to the bottom of this.



  • 23.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 02-07-2016 20:24

    Greetings

     

    We've heard from a few customers implementing *.NET 4.5 code that noted they had to force *.Net to use TLS 1.2 which worked to resolve the issue.  Please refer to your *.NET documention for the changes necessary.   We would welcome any comments from other *.NET administrators on their experience with this change.

     

    Best, 

     

    Scott Blashek

    Sr. Application Support Engineer

    Zuora, Inc.



  • 24.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 02-08-2016 11:20

    In .net client to enable TLS1.x programatically:

     

    // Default Protocols are Ssl3 | Tls. This is changed to support Zuora's TLS 1.1 rollout
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

     

    OR with a registry hack (source http://stackoverflow.com/questions/28286086/default-securityprotocol-in-net-4-5/28502562#28502562

     

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001


  • 25.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 02-16-2016 14:22

    I tried the programmatic solution posted by @zoltanmike in my code. It's working in my dev API, which I have pointing at the sandbox.



  • 26.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 03-07-2016 03:43

    Hi , We are using AQuA API to connect to Zuora end points below.

     

    https://www.zuora.com/apps/api/batch-query/

    https://apisandbox.zuora.com/apps/api/batch-query/

     

    We missed to test this change before it went live in the API Sandbox. 

     

    Now, when we try to connect to https://apisandbox.zuora.com/apps/api/batch-query/ we are getting the following error.

     

    "Error in zuora data extraction process : EOF occurred in violation of protocol (_ssl.c:581)"

     

    We are not sure if this error is caused due to the change in TLS version and this is the first time we are trying to access API sandbox environment. 

     

    Any help in resolving this error would be much appreciated. Thanks!

     

     



  • 27.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 03-07-2016 13:23

    Hello @subashselvaraj

     

    Looking at the error it looks like you are using Python library to connect Zuora. It is difficult to say, but looking at the error, it does look like error is caused due to protocol version support. Please note that you would need Python 2.7.9 in order to support TLS 1.1 & above. Please upgrade Python version and see if that helps.


    Thanks



  • 28.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 03-07-2016 22:02

    Thanks for the response PERMALINK.

     

    We are indeed using python library to connect to Zuora. We are currently using python version 2.7.9 already. Do we need to upgrade to a higher version?

    Are there any configuration changes required while connecting to https://apisandbox.zuora.com/apps/api/batch-query/ which is different from the connection to https://www.zuora.com/apps/api/batch-query/?



  • 29.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 03-07-2016 23:11

    Hello @subashselvaraj

     

    Python 2.7.9 should support TLS 1.1 & above. However you need to ensure OpenSSL library also has supported compatible version - 1.0.1 I belive. 

     

    https://docs.python.org/2/library/ssl.html

     

    Screen Shot 2016-03-07 at 8.58.18 PM.png

     

    Thanks

    Bibek



  • 30.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 03-10-2016 09:18

    Hi,

     

    In our environment we created below two registry entry's successfully and i can see them in registry. But it is still taking SSLv3/TLS 1.0.

    Could you please help? Please find the environment details below.

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    Environment details:

    Windows Server 2008 R2 Standard,Service pack 1

    64 bit

    .Net framework 4.0

     

    Thanks,

    Mahesh

     



  • 31.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 03-10-2016 19:48

    @mpepalla

    http://joymonscode.blogspot.com/2015/08/how-to-make-net-40-45-use-tls-12.html

     

    According to this article, NET 4.0 may also requires a change to ServicePointManager.SecurityProtocol in addition to the registry change

    ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;//SecurityProtocolType.Tls1.2;

     



  • 32.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 03-17-2016 07:39

    Thanks Scottb!

     

    I have gone through that blog .. Since it requires system.dll replace and code change we decided to upgrade our .net framework to 4.5 .

     

    Thanks,

    Mahesh



  • 33.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 03-24-2016 07:42

    If you're using the SoapUI client, here's how you can enable TLS1.1 (or 1.2 for that matter):

     

    - navigate to your SOAP install directory, and open the bin directory

    - locate your soapui.bat file (or soapui.sh, depending on your platform)

    - locate JAVA_OPTS

    - add the following line: 

        set JAVA_OPTS=%JAVA_OPTS% -Dsoapui.https.protocols="TLSv1.1,TLSv1.2"

    - Example, my bat file looks like this:

    soapui.JPG



  • 34.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 03-24-2016 18:05

    All,

     

    SSLv3 was just an example for syntax. Please do NOT add SSLv3. This is a legacy, unsecure protocol and Zuora does not support any version of SSL protocol any longer. You can add TLS 1.1 if you prefer to keep both though. 

     

    To add both TLS 1.1 and TLS 1.2 support you could use below Java prams. 

     

    -Dsoapui.https.protocols="TLSv1.1,TLSv1.2"



  • 35.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 04-05-2016 12:11

    Hello,

     

    Phase 2 - Production

    We are re-scheduling deprecation of TLS 1.0 for production environments, the new date will be updated here shortly.

     

    I assume you don't have a new date but i just want to confirm that it will not be on April 7th that was planned.  

     

    Thanks

    Chris



  • 36.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 04-05-2016 16:21

    @cmcbrayer Yes, that's correct that we don't have a new date.  We will announce the new date as soon as it's available.  

     

    Thanks for your patience!

     

    Lana

    Community Manager

    Zuora, Inc.



  • 37.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 04-06-2016 13:53

    Hi folks

     

    Just expanding on the Python requirements somewhat based on some additional feedback internally, here's what we understand to this point.

     

    Python 2.7.8 and before is not compatable with TLS 1.1+
    Python 2.7.9 is compatable (but requires patching and dependancy on OpenSSL version supporting appropriate TLS version)
    Python 3.2.4 is compatable by default

     

    I would encourage other Python users to share their experience with the recent TLS changes and what they had to do in support of TLS 1.1+



  • 38.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 04-10-2016 23:09

    Excuse me , I have a question, please give me some advice. Thank you!

    I used soap UI to test soap API login() method , but it was failed.

    I got some error like this,

    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    • Mon Apr 11 10:34:26 GMT+09:00 2016:ERROR:javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    • javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    • at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    • at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    • ......
    • Caused by: java.io.EOFException: SSL peer shut down incorrectly
    • at sun.security.ssl.InputRecord.read(Unknown Source)

    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    URL :https://apisandbox.zuora.com/apps/services/a/76.0

    I filled  <api:username> and <api:password> tags with my username and password,

    then launched.

    I tried some methods, but it not worked at all.

    please give me some advice .Thank you very much!



  • 39.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 04-11-2016 00:45

    Hi @ryurin , the handshake error is the result of the wrong protocol being used.

     

    Please see my previous comment on how to configure SoapUI for TLS1.1+ and how to start it using the new configuration - this is the very method I am using since we have deprecated the old TLS protocol on Sandbox:

     

    http://community.zuora.com/t5/Zuora-Announcements/Action-Required-Zuora-is-Disabling-TLS-1-0/bc-p/8155#M57



  • 40.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 04-11-2016 06:51

    Hi, @Viktor

    Thank you for your reply.

    I made the following changes

    SoapUI-5.2.1.vmoptions

    add this line

    -Dsoapui.https.protocols=TLSv1.2

    then it works very well, this problem has solved!

    Thank you very much!



  • 41.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 04-15-2016 09:58

    I just wanted to share that I tried pything 2.7.10 as well as 2.7.11 and neither uses TLS 1.1 by default. I build 2.7.11 with OpenSSL 1.0.1 and that allowed me to connect but this won't work for me in my produciton environment.



  • 42.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 04-27-2016 16:43

    I've updated the post with new information, please check the original post above.



  • 43.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 05-31-2016 11:01

    Phase 2 - Production [UPDATED 4/27/16]

    We expect to have an update to the timeline for deprecation in the next few weeks. We will provide at least 90 days notice prior to ending support for TLS 1.0 in production to ensure customers have sufficient time to update mission critical applications.

     

    Has a new date been decided? @monique



  • 44.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 05-31-2016 14:29

    Hello Nikki,

     

    We will have a new date next week. Once we have the new date, we will post this on the community. Thank you for your patience.



  • 45.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 06-03-2016 20:04

    I've updated the post with new information, please check the original post above.



  • 46.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 06-08-2016 20:31

    I am using .NET 4.0 client to connect to zuora soap client. First of all, TLS 1.2 does not work automatically from .NET 4.5. My local project started working when I upgraded to .NET 4.6. However, the behavior was really erratic.

    Our dev servers with .NET 4.0 required the SchUseStrongCrypto registry key for it to work. Same thing failed on Test servers though Finally had to install .Net 4.6 on all servers to get them to work. They still fail without the SchUseStrongCrypto registry key.

     

    We had another Web application running on IIS 7.5 and using .NET 4.6. This app failed even with the SchUseStrongCrypto registry key enabled. After lot of googling, came across the following solution:

     

                if (System.Net.ServicePointManager.SecurityProtocol == (SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls))
                    System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

     

    This is similar to Scottb's response to @mpepalla

    ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072; 

     



  • 47.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 09-30-2016 23:11

    Adding additional information for Python, thanks to Nathan for providing it.

     

    Python 2.7.9 and higher

    Compatible by default when used with OpenSSL 1.0.1 or higher

    Python 2.7.8 and below

    Not compatible with TLS 1.1 or higher encryption, using OpenSSL 1.0.1 or higher has been reported to make it work on some OS



  • 48.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 10-07-2016 03:29

    Hello

     

    I don't see what time you plan to cut the TLS 1.0 October 13
    Is it possible to indicate this info in your communications ?

     

    Eric



  • 49.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 10-07-2016 13:09

     Hi @LE04935_TCSConfirming the 10/13/2016 timing of the TLS 1.0 deprecation:

    7AM PST - 11AM PST



  • 50.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 10-13-2016 11:18

    For PHP, we recommend OpenSSL 1.0.1 or higher.



  • 51.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 10-17-2016 18:03

    A NOTE TO PYTHON DEVELOPERS

     

    All of the Zuora Python libraries I've seen, that use the SOAP API, are based on a single module: 'suds'. This module has been dead for almost 7 years and it relies on urllib2 but the suds developers never thought to build in a way for you to specify what SSL version you want to use.

     

     

    For example, in Python 2.7.9+, you can do something like:

     

    import sslimport urllib2
    
    context = ssl.SSLContext(ssl.ssl.PROTOCOL_SSLv23)
    urllib2.urlopen('https://example.com', context=context).close()

     

    Doing something like the above would require modification of the suds module which looks like is my only option until the REST API becomes useful.

     

    Python 2.7.8 and earlier is more complicated as you would have to ssl.wrap_socket() but I won't go into details there as you probably should have upgraded by now anyway.

     

    For more information on the SSL implimentation of Python, please visit https://docs.python.org/2/library/ssl.html#security-considerations

     

     

     



  • 52.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 11-10-2016 15:42

    I'm doing fine in python, using a module named zeep, and python 3.5.2.

     

    Here's my code:

     

    #!/usr/local/bin/python3
    
    import pdb
    import config
    import json
    import datetime
    import zeep
    import sys
    
    
    # Config file format:
    #     {
    #       "user":     "zuora_api_user@canonical.com.apisandbox",
    #       "password": "xxxxxxx",
    #       "wsdl":     "/Users/myself/.zuora/zuora.a.81.0.wsdl",
    #       "//endpoint": "https://apisandbox.zuora.com/apps/services/a/78.0",
    #       "verboseLog": false
    #     }
    
    
    class ZuoraSoap():
        def __init__(self, config):
            with open(config) as configfile:
                self.config = json.load(configfile)
    
                self.client = zeep.Client(wsdl=self.config['wsdl'])
                response = self.client.service.login(self.config['user'], self.config['password'])
                sessionid = response.Session
    
                sessionheader_cls = self.client.get_element('ns1:SessionHeader')
                self.sessionheader = sessionheader_cls(session=sessionid)
                
                self.batchSize = 2000
                self.caseSensitive = False
            
        def query(self, query):
            queryoptions_cls = self.elementFactory('QueryOptions')
            queryoptions = queryoptions_cls(batchSize=self.batchSize, caseSensitive=self.caseSensitive)
            
            query_response = self.client.service.query(
                            queryString=query, 
                            _soapheaders={'QueryOptions': queryoptions, 'SessionHeader': self.sessionheader})
            return query_response
            
        def typeFactory(self, type, ns='ns0'):
            return self.client.get_type(ns + ':' + type)
            
        def elementFactory(self, element, ns='ns1'):
            return self.client.get_element(ns + ':' + element)
            
        # wsdl:
        # create(zObjects: zObject[], _soapheaders={CallOptions: CallOptions(), SessionHeader: SessionHeader()})
        # -> Errors: Error[], Id: xsd:ID, Success: xsd:boolean
        
        def create(self, zObjectList):
            calloptions_cls = self.elementFactory('CallOptions')
            calloptions = calloptions_cls(useSingleTransaction=False)
            response = self.client.service.create(
                zObjects=zObjectList,
                _soapheaders={'CallOptions': calloptions, 'SessionHeader': self.sessionheader})
            return response
            
        # wsdl:
        # delete(type: xsd:string, ids: xsd:ID[], _soapheaders={SessionHeader: SessionHeader()}) 
        # -> errors: Error[], id: xsd:ID, success: xsd:boolean
        #
        # 50 objects are supported in a single call.
        # 1,000 calls are supported per 10-minute time window per tenant
    
        def delete(self, type, ids):
            assert len(ids) <= 50
            response = self.client.service.delete(
                    type=type,
                    ids=ids,
                    _soapheaders={'SessionHeader': self.sessionheader})
            return response
    
    
        def updateRecords(self, zObjects):
            saveResults = []
            for chunk in [zObjects[i:i + config.ZUORA_CHUNKSIZE] for i in range(0, len(zObjects), config.ZUORA_CHUNKSIZE)]:
                saveResults += self.client.service.update(
                            zObjects=chunk,
                            _soapheaders={'SessionHeader': self.sessionheader})
            return saveResults        
            
        # generate(zObjects: zObject[], _soapheaders={SessionHeader: SessionHeader()}) -> Errors: Error[], Id: xsd:ID, Success: xsd:boolean
        # https://knowledgecenter.zuora.com/DC_Developers/SOAP_API/E_SOAP_API_Calls/generate_call
        def generate(self, invoices): 
            return self.client.service.generate(
                        zObjects=invoices,
                        _soapheaders={'SessionHeader': self.sessionheader})
    
    

     

     



  • 53.  [Action Required] Zuora is Disabling TLS 1.0

    Posted 11-10-2016 15:44

    Here's a bit of code use in migration; it generates and posts an invoice for the day before the current fiscal year, then another for the first of each month, for all accounts.

     

    #!/usr/local/bin/python3
    
    import logging
    import datetime
    from dateutil.relativedelta import *
    import pdb
    from progressbar import ProgressBar
    
    import config
    from zuorasoap import ZuoraSoap
    
    
    
    def getZuoraAccounts(zuora):
        accountsByAccountName = {}
        result = zuora.query("select Id, Name, AccountNumber, Status from Account Where Status = 'Active'" )
        if result.size > 0:
            for record in result.records:
                accountsByAccountName[record['Name']] = record
    
        return accountsByAccountName
    
    
    def getInvoiceDates():
        invoiceDates = [config.INITIAL_INVOICE_DATE]
        nextInvoiceDate = config.INITIAL_INVOICE_DATE+datetime.timedelta(days=1)
        while nextInvoiceDate < datetime.date.today():
            invoiceDates.append(nextInvoiceDate)
            nextInvoiceDate += relativedelta(months=+1)
        return invoiceDates
        
    def main():
        logger = logging.getLogger("migration")
        logger.setLevel(logging.INFO)
        fh = logging.FileHandler("migration.log")
        formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
        fh.setFormatter(formatter)
        logger.addHandler(fh)
    
        logger.info("Runbills started")
    
    
        invoiceDates = getInvoiceDates()
        
                          
        zuora = ZuoraSoap(config.ZUORA_CONFIGFILE)
        accountsByAccountName = getZuoraAccounts(zuora)
    
        invoiceFactory = zuora.typeFactory('Invoice')
    
    
    
    
        progressbar = ProgressBar()
        for accountName in progressbar(accountsByAccountName):
            account = accountsByAccountName[accountName]
        
    
            for invoiceDate in invoiceDates:
                invoiceRecord=invoiceFactory(
                                    AccountId=account['Id']
                                    ,InvoiceDate=invoiceDate
                                    ,TargetDate=invoiceDate
                                    ,IncludesOneTime=True
                                    ,IncludesRecurring=True
                                    ,IncludesUsage=True)
                results = zuora.generate([invoiceRecord])
                for result in results:
                    if not result['Success']:
                        if len(result['Errors']) == 1 and 'no charges due' in result['Errors'][0]['Message']:
                            pass
                        else:
                            pdb.set_trace()
                            logger.error(invoiceRecord)
                            logger.error(result)
                    else:
                        invoiceId = result['Id']
                        results = zuora.updateRecords([invoiceFactory(Id=invoiceId,Status='Posted')])
                        for result in results:
                            if not result['Success']:
                                logger.error(result)
                            
        logger.info("Runbills exited")
    
    
    if __name__ == "__main__":
        main()
        pass