What you need to know about TLS 1.2 and ArcGIS
As of April 16, 2019, Esri is planning to require TLS 1.2 connections for ArcGIS Online Services. If this rings a bell, you may have received a few emails about this over the last few months or come across it in a technical article. Wondering if this is something that applies to you? Confused about what software is impacted? Don’t worry, we’ve got you covered.
TLS or ‘Transport Layer Security’ is a networking protocol you use whenever you access ArcGIS Online services, such as basemaps, hosted services you’ve published, geoprocessing services like the World Geocoding Service, and the Living atlas from ArcGIS Desktop, ArcGIS Enterprise or other applications.
Even if you don’t regularly log into ArcGIS Online, you may still be using some of these services. For example, do you use the basemap gallery button in ArcMap? By default, this gallery consumes the Esri basemaps from ArcGIS Online.
So, what does this mean for you?
The TLS protocol is used for communication between different components of the ArcGIS platform, such as ArcGIS Desktop, ArcGIS Enterprise and ArcGIS Online. Currently, connections can be made to ArcGIS Online using TLS 1.0, 1.1 and 1.2. After this update occurs, only connections via TLS 1.2 will be accepted. This means that whatever application or software interacts with these services needs to support TLS 1.2 as well, or it will run into problems after the switch.
There are quite a few documents and technical articles about this depending on what software you are using, but your first stop should be the main TLS support page. This gives a good overview of what TLS is, why you might be impacted and what your next steps should be, as well as linking to a variety of other resources. You can also subscribe to the main TLS support page to receive a notification if there are any changes or updates.
If you want a general overview of what software is impacted, look at the TLS Products page.
The steps you need to take may vary depending on what products you work with, but in many cases, it may be something simple like installing the TLS 1.2 patch for ArcMap. If you only use products that already use TLS 1.2, such as Pro 2.0 and above, then you may not need to make any changes. Even if you think you aren’t impacted, it is strongly recommended you review the main TLS page and Products page to make sure you haven’t missed anything. Better safe than sorry.
So, you’ve installed the relevant patches or taken other required steps and done your homework, but you want to double check that you can connect to TLS 1.2 only services. No problem. There are test services you can and should use to try this out and make sure everything is working as expected before the switch on April 16.
Lastly, here are a few commonly asked questions about TLS 1.2 we’ve come across in Esri Canada Technical Support.
Do I need to install the patch on each computer with ArcGIS Desktop?
Yes, each machine should have the version of the patch which matches the version of ArcGIS Desktop installed.
I’m not sure if my custom app or tool that integrates with ArcGIS will be impacted. What should I do?
If you are the developer, look over the list of our products affected to check if the product you are working with is there. If you are an end user, reach out to the creator of your app or tool and check with them, they should be able to review the main TLS page and confirm. Either way, remember there are test services you can use to try this out and make sure there are no unexpected problems.
I use an older version of ArcGIS Desktop where there is no patch – what should I do?
First, consider if it is possible to upgrade to a newer version. Patches have been released for all versions from 10.2.1 onwards, and if you are at an earlier version, you are missing out on significant new functionality and improvements. In addition, Desktop 10.2.x is in the mature support phase of its product lifecycle and will be retired as of July 2019. If upgrading is not possible, you will need to configure the Windows operating system to use TLS 1.2 as an alternative.
If TLS 1.2 impacts ArcGIS Online services, why would ArcGIS Enterprise be impacted?
Although ArcGIS Enterprise is installed on your own infrastructure, it may still be consuming or interacting with services from ArcGIS Online depending on your setup. Read over this technical article that discusses that type of workflows in ArcGIS Server and Portal that would be impacted by this, as well as next steps.
Do you have questions not answered here? Here are a few more resources:
FAQ: What do I need to know about TLS and the ArcGIS platform?
ArcGIS Platform SSL/TLS Support and Configuration Briefing
If you still have more questions or would like clarification on anything discussed in these resources, don’t hesitate to leave a comment below or reach out to Esri Canada’s Technical Support team, we will be happy to help.