Disable TLSV1 in PE

This version is out of date. For current versions, see Puppet Enterprise support lifecycle.
Sections

The services running in PE support versions 1, 1.1, and 1.2 of the Transport layer security (TLS) protocol but use TLSv1 by default. The Payment Card Industry Data Security Standard (PCI DSS) requires TLSv1 to be permanently disabled by 30 June, 2018. To comply with PCI DSS, or simply to tighten your own security, disable TLSv1.

PE uses TLSv1 by default because the pxp-agent service running on older Puppet agents use TLSv1. You can disable TLSv1, but the first step is upgrading your agents to 2016.4.

  1. Upgrade your *nix or Windows Puppet agents.
  2. In the console, click Nodes > Classification > PE Infrastructure.
  3. On the classes tab, add the following parameter and value:

    Parameter Value
    puppet_enterprise::ssl_protocols ["TLSv1.1", "TLSv1.2"]
  4. Click Add parameter, and commit changes.
  5. In a monolithic installation, run Puppet on the Puppet master. In a split installation, run Puppet on the Puppet master, PE console, and PuppetDB nodes.

Note: AIX supports only TLSv1. If you disable TLSv1, install AIX agents with your own package management instead of PE package management.

See an issue? Please file a JIRA ticket in our [DOCUMENTATION] project
Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.