Introduction
In conjunction with evolving security standards, Oracle Integration has decided to remove support for deprecated ciphers in the coming months. This measure ensures that only robust encryption methods are used for data transmission. By shifting to stronger ciphers, Oracle Integration users can maintain secure connections and prevent vulnerabilities tied to deprecated cryptographic methods.
Note that email notifications will be sent to provide you with sufficient time to implement the necessary changes.
What is happening?
If you are an Oracle Integration Generation 2 customer
Support for the following deprecated cipher in Oracle Integration Generation 2 will be discontinued in the future.
- Affected Cipher:
  - DHE-RSA-AES256-GCM-SHA384
If you are an Oracle Integration 3 customer
Support for the following deprecated ciphers in Oracle Integration 3 will be discontinued in the future.
- Affected Ciphers:
  - DHE-RSA-AES128-GCM-SHA256
  - DHE-RSA-AES128-SHA256
  - DHE-RSA-AES256-GCM-SHA384
  - DHE-RSA-AES256-SHA256
  - ECDHE-RSA-AES128-SHA256
  - ECDHE-RSA-AES256-SHA384
Action Required
Ensure that all client applications interacting with Oracle Integration (including third-party applications) update their TLS libraries to use the following approved ciphers:
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
Note: If the client applications are using deprecated ciphers, then they will no longer work once these ciphers are removed. Therefore, if you are using multiple application clients to interact with Oracle Integration services, including third-party ones, then ensure that all the applications upgrade their TLS library to use one of the approved ciphers.
How to Update to the Approved TLS Ciphers
- Identify third-party applications using the deprecated ciphers.
- Replace usage of any of the deprecated ciphers listed above with the approved ciphers in all client libraries.
- Test integration connections:
  - Verify connections post-update to ensure that all secure data transmissions are functioning as expected.
- Consult Oracle Integration Support:
  - Contact Oracle Support for any further questions.
Frequently Asked Questions
Question: How can I identify if I am using an affected cipher?
Answer: Most clients are unlikely to be using the deprecated ciphers. However, to assist you, Oracle will monitor your host’s cipher usage and notify you if an unsupported cipher is detected.
Question: How can I remove the affected cipher?
Answer: The process depends on the client application and the underlying technology stack. To ensure a seamless experience:
- Add the approved ciphers to your list of supported ciphers.
- TLS will select a cipher supported by both the client and the server during the handshake.
You can verify if ciphers are disabled on your client by consulting the client documentation. For example, JDK clients use the property jdk.tls.disabledAlgorithms to disable unwanted ciphers. Refer to the Oracle JDK security documentation for more details.
Question: How can I change to a supported cipher?
Answer: Changing to a supported cipher depends on the client application and the underlying technology stack. In most cases, you can resolve this by upgrading the underlying technology, such as:
- JDK (Java Development Kit)
- Python runtime
- C#/.NET libraries
- Browser (for UI-based clients)
Refer to your specific client or technology stack documentation for detailed instructions.
Question: What errors or problems might occur if the deprecated cipher is not removed?
Answer: Either of the following scenarios can be expected:
- If your client application cannot remove a deprecated cipher, but can add a stronger and approved cipher, Oracle will automatically negotiate TLS using the stronger cipher, and no impact will occur.
- If the client application mandates the use of a deprecated or insecure cipher, it will fail to invoke integrations after the change.
To avoid such issues, ensure the approved ciphers are enabled for seamless integration.
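The two outcomes above can be checked on the client side before the change. The following Python sketch is an added example, not Oracle code: it classifies the cipher suites a client offers against the lists on this page and reports which outcome applies. The `product` labels (`gen2`, `oic3`), the verdict strings, and the sample client configurations are assumptions made for this example.

```python
import ssl

# Cipher names copied from this page (OpenSSL naming).
APPROVED = {"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"}
DEPRECATED = {
    "gen2": {"DHE-RSA-AES256-GCM-SHA384"},
    "oic3": {
        "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256",
        "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256",
        "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    },
}


def offered_ciphers(cipher_string):
    """Expand an OpenSSL cipher string into the suite names this runtime offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites may also appear here; the page does not list them,
    # so audit() counts them in neither set.
    return [c["name"] for c in ctx.get_ciphers()]


def audit(offered, product="oic3"):
    """Classify offered suites; product ("gen2"/"oic3") is this example's label."""
    offered = list(offered)
    approved = [c for c in offered if c in APPROVED]
    deprecated = [c for c in offered if c in DEPRECATED[product]]
    if approved:
        verdict = "ok"          # an approved suite can be negotiated
    elif deprecated:
        verdict = "will-fail"   # only deprecated suites from the page's list
    else:
        verdict = "review"      # nothing from either list was offered
    return {"approved": approved, "deprecated": deprecated, "verdict": verdict}


if __name__ == "__main__":
    # Constructed client configurations, not taken from a real application.
    samples = {
        "legacy-pinned": ["DHE-RSA-AES256-GCM-SHA384"],
        "mixed": ["DHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"],
        "this-runtime": offered_ciphers("ECDHE+AESGCM:DHE+AESGCM"),
    }
    for name, suites in samples.items():
        print(name, audit(suites))
```

A `review` verdict means the client offers nothing from either list on this page, so its configuration needs to be checked against the client documentation.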
Summary
This measure is part of Oracle’s commitment to use the latest and most secure security protocols available for data transmission. Updating the client applications to these ciphers will help you to maintain uninterrupted access to your Oracle Integration instance.
