The services running in PE support versions 1, 1.1, and 1.2 of the Transport layer security (TLS) protocol but use TLSv1 by default. The Payment Card Industry Data Security Standard (PCI DSS) requires TLSv1 to be permanently disabled by 30 June, 2018. To comply with PCI DSS, or simply to tighten your own security, disable TLSv1.
PE uses TLSv1 by default because the pxp-agent service running on older Puppet agents use TLSv1. You can disable TLSv1, but the first step is upgrading your agents to 2016.4.
On the classes tab, add the following parameter and value:
Note: AIX supports only TLSv1. If you disable TLSv1, install AIX agents with your own package management instead of PE package management.