Possible action required: Test applications before March 14 to prepare for CAS changes

    January 21, 2021

    **** Note: This article was updated on March 3, 2021, to reflect the specific date of the change; the date was not yet available at the time of the original publication.

    Summary

    • Central Authentication Service (CAS) will discontinue support for Transport Layer Security (TLS) protocols 1.0 and 1.1 occurring on March 14.
    • Possible action required: Individuals responsible for services, applications, or websites should test these items prior to March 14. A new environment has been created for this purpose.

    Details

    Central Authentication Service (CAS) will discontinue support for Transport Layer Security (TLS) protocols 1.0 and 1.1 on Sunday, March 14.

    Overview

    Network security architecture relies on the Transport Layer Security (TLS) protocol for ensuring interaction with CAS over the internet occurs securely without transmissions being vulnerable to outside entities. TLS encrypts a channel between two endpoints (e.g. between a web browser and web server) to provide privacy and reliability of data transmitted over the communications channel.

    Out of concern for known vulnerabilities in TLS 1.0 and TLS 1.1 and to comply with industry standards, beginning Sunday, March 14, 2021, CAS will only support TLS 1.2 network connections from your applications. Your applications will need to connect to CAS using the TLS 1.2 protocol prior to March 14, 2021, to avoid any interruption in service. Support for TLS 1.0/1.1 will be discontinued at that time.

    Possible action required

    • It is important that all application owners test their CAS-protected services with this new version and address any issues as soon as possible.
    • The test instance of CAS is live.
    • Application owners will only need to test systems that authenticate against CAS directly. No action is required for applications that integrate with Shibboleth over SAML. All Shibboleth testing will be handled by the IAM team.

    Need help?

    A Confluence page has been created with additional details about this change including development guidelines.

    Direct questions and issues to the Identity and Access Management (IAM) team.

    Thank you for your support of this important initiative.

    CHG0077894