TLS 1.0 Vulnerability in TPAM (4314273)

Enhancement request number BFER8720 has been included in TPAM 2.5.920.  From the TPAM 2.5.920 Release Notes:

"Added a global setting to set the minimum acceptable TLS level (1.0 through 1.2). This global setting applies to all inbound communication to the TPAM Web application, as well as the inter-appliance communication for all TPAM appliances in a cluster. Outbound communication to managed targets will attempt to communicate using TLS 1.2 (where applicable), but can be permitted to negotiate down to lower levels if the target device does not support TLS 1.2. For more information see the TPAM System Administrator Guide.

IMPORTANT: DPA v3 used for PSM requires a TLS setting of 0 (TLS 1.0)."

There is also further detail regarding the Global Setting for "Minimum TLS Version" in the TPAM 2.5.920 Administration Guide.

"This global setting applies to all inbound communication to the TPAM Web application, as well as the inter-appliance communication for all TPAM appliances in a cluster.

IMPORTANT: Any time this setting is changed a reboot of the appliance is required for the setting to take effect for the primary AND replicas. This change does not affect the TLS setting on the DPA.

0 - TLS 1.0-1.2

2 - TLS 1.2

Outbound communication to managed targets will attempt to communicate using TLS 1.2 (where applicable), but can be permitted to negotiate down to lower levels if the target device does not support TLS 1.2.

IMPORTANT: DPA v3's require a TLS setting of 0. TPAM will not allow you to set a TLS value of 1 or 2 if you have any DPA 3's assigned to systems for PSM affinity. There is a DPA Affinity report in the /tpam interface to view DPA assignments."