API SERVICE DISRUPTION: March 1st, 2018

IBM Cloud will stop supporting TLS 1.0 and 1.1 on api.softlayer.com and api.service.softlayer.com

What Is Happening?

On March 1, 2018 at 0900 UTC (0300 CDT) IBM Cloud Infrastructure will stop supporting TLS 1.0 and 1.1 encryption on api.softlayer.com and api.service.softlayer.com; these API endpoints will only support callers using TLS 1.2 encryption levels or higher.

When Will It Happen?

On March 1, 2018 at 0900 UTC (0300 CDT) TLS 1.0 and TLS 1.1 will no longer be supported and TLS 1.2+ is required.

Who Will This Affect?

Any users with code or services that reference the softlayer.com API endpoints for IBM Cloud Infrastructure services with encryption levels older than TLS 1.2.

Confirming and Testing Upgrades to TLS 1.2 or Higher The enhanced security configuration is currently enforced on alternate endpoints. You can test your services against them now to ensure there will be no disruption once the primary endpoints receive the updated configuration:

• api-dev.softlayer.com (instead of api.softlayer.com)
• api-dev.service.softlayer.com (instead of api.service.softlayer.com)

These alternative endpoints only use encryption levels TLS 1.2 or higher. Successfully testing your code and services against these alternative endpoints means your code and services will work properly on the transition date. These alternative endpoints will only be available until the transition date.

What Do I Do Next?

1. Test your service against the alternative endpoints listed above.
2. If your code and service work as expected then update your production code to utilize TLS 1.2 in the current production environment and current production endpoints. Once that is complete no further action is required on your part.
3. If your code or service fails change your code to utilize TLS 1.2 and test against the alternative endpoints and upon working properly update production.

• The current production environment supports TLS 1.0, TLS 1.1 and TLS 1.2.
• Once you have completed your TLS 1.2 testing against the temporary end points you can make your production code changes to utilize the production TLS 1.2 at any time prior to March 1, 2018.
• Once your production environment is utilizing TLS 1.2 you have no further action.
• If you make your production changes before March 1, 2018 you should see no impact on March 1, 2018 when TLS 1.0 and TLS 1.1 are no longer available.

What Will Happen If I Make No Change?

If you make no change and your code or services do not support encryption levels TLS 1.2 or higher, you will start to experience connection errors on the transition date. These errors may appear as “transport errors” and contain messages like SSLV3_ALERT_HANDSHAKE_FAILURE. Your code and services will no longer function until you upgrade it to support TLS 1.2 or higher.

If My Code Starts Failing Do I Have Any Temporary Recourse? If you start to experience connection errors on the transition date, the best course of action is to upgrade your code or services to support TLS 1.2 or higher. If you cannot do that immediately, there will be alternative endpoints provided temporarily to allow you to upgrade your code or services:

• api-deprecated.softlayer.com (instead of api.softlayer.com)
• api-deprecated.service.softlayer.com (instead of api.service.softlayer.com)

These endpoints will become available on the transition date, and will continue to support TLS 1.0 and 1.1. You can change failing code or services to use these endpoints temporarily while you upgrade your systems to support TLS 1.2 or higher. These endpoints will only be available until March 30, 2018 to allow you to make this transition. You must upgrade all your systems and start using the standard API endpoints by March 1, 2018.

Why Are We Making This Change?

This is part of IBM’s commitment to offering a cloud that is secure to the core and in alignment with industry best practices for security and data privacy.