This document contains references to third-party documentation. Cisco AppDynamics does not own any rights and assumes no responsibility for the accuracy or completeness of such third-party documentation.

On-Premises Controller versions >=23.11 supports TLS >=1.2. The agents that support only TLS<1.2 will stop reporting when you upgrade the Controller to versions >=23.11.Therefore, when you upgrade the Controller to versions >=23.11, ensure that the Cisco AppDynamics agents also support TLS>=1.2.

Who is impacted?

All customers currently using Transport Layer Security (TLS) versions 1.0 and 1.1 to connect with AppDynamics. You are impacted if you meet one or more of the following conditions:

What is being deprecated?

Effective April 1, 2024, AppDynamics will no longer accept network connections utilizing TLS 1.0 and 1.1 protocols. TLS versions 1.0 and 1.1 are security protocols used to create encrypted network channels. 

Any agent or customer browser using TLS1.0 and 1.1 will not connect to the AppDynamics environment after April 1, 2024.

What actions are necessary?

Perform the following actions to check if you have enabled TLS 1.0 or 1.1 or if you are running an environment that will not support the newer TLS versions.

Actions Necessary for Java Agent

The Java Agent will not use TLS 1.2 in the following situations.

1. Ensure that you are not using Analytics Service with Java Agent versions older than 4.5.13. In those older versions, Analytics Service uses TLS 1.0 by default.

2. Ensure that you have not enabled TLS 1.0 or 1.1 in the java.security file. Run the following command to identify the disabled TLS versions in the java.security file.

   Command

   cat <JVM path or $JAVA_HOME>/conf/security/java.security | grep "^[^#;]*jdk.tls.disabledAlgorithms"
   OR
   cat <JVM path or $JAVA_HOME>/jre/lib/security/java.security | grep "^[^#;]*jdk.tls.disabledAlgorithms"

   CODE

   The output may include TLSv1 and TLSv1.1. The absence of TLSv1.1 and TLSv1 in the disabled algorithms of the java.security file does not guarantee that your environment is utilizing these versions. However, if TLSv1 and TLSv1.1 are specified to be used in a system property or environmental variable, the JVM will permit these older TLS versions.

3. Ensure that you are not using the APPDYNAMICS_JAVA_AGENT_TLS_ALLOWED_ALGORITHMS environmental variable.
4. Ensure that you are not using the -Dappdynamics.agent.tls.allowedAlgorithms system property.
5. Ensure that you are not using the appdynamics.agent.ssl.protocol system property to override the default settings.

Action Necessary for .Net Agent

The following actions are for applications targeting .Net Framework older than 4.7 (even when .Net Framework 4.7 or later is used as a runtime environment):

• If you are using .NET Framework 2.x-4.7 (32-bit and 64-bit)

• The application is targeting a version of the .Net Framework that is older than 4.7, regardless of whether the runtime environment is later than 4.7. For example, TLS 1.2 could not be used if the runtime framework was 4.8 but the application is compiled for the target framework 4.5.

To use TLS 1.2 for the conditions above, enable  SchUseStrongCrypto and SystemDefaultTlsVersions registries. This is to ensure that .Net Framework is not blocking TLS 1.2. See the Microsoft document Configure for strong cryptography for details.

HKEY_LOCAL_MACHINE\SOFTWARE[Wow6432Node]Microsoft.NETFramework<VERSION>: SchUseStrongCrypto
HKEY_LOCAL_MACHINE\SOFTWARE[Wow6432Node]Microsoft.NETFramework<VERSION>: SystemDefaultTlsVersions

TLS 1.3 is not supported on .NET Framework 3.5.

What if I have questions?

If you have any questions or concerns, contact our support portal.