Be advised that the Watson IoT Platform will be making updates in relation to TLS versions and cipher suites in the next 30 days. You should read this blog to understand what is being changed and why.
Why are these changes happening?
This is in alignment with IBM Cloud policy and industry best practices for security and data privacy. IBM Cloud previously announced the withdrawal of support for TLS 1.0 and 1.1.
What is it all about, and am I impacted?
TLS is used to encrypt communications across a network to ensure that data transmitted remains private. You can read more about the details of TLS in one of our previous blogs, where we announced that we were turning TLS on by default for new Watson IoT Platform organizations. Most connections should already use TLS 1.2. If your connections do not require TLS 1.0 or 1.1, you are not impacted.
What do the changes apply to?
In this first update, the major change is to connections to the non-messaging endpoint of the Watson IoT Platform. To put this into context, there are two Watson IoT Platform endpoints that your IoT solutions are potentially using:
- Messaging Endpoint (MQTT and HTTP): typically devices, but this can also be applications
- Non-messaging Endpoint (APIs): typically applications
For a more comprehensive overview of the security features within the Watson IoT Platform, you can review the official documentation.
What is happening now?
Here is a summary of how things will look after these changes have taken effect in the next 30 days:
- Messaging Endpoint (MQTT and HTTP):
  - Continues to support TLS 1.2 and 1.1
  - Is enhanced with newer cipher suites
- Non-messaging Endpoint (APIs):
  - Continues to support TLS 1.2 and removes support for 1.1 and 1.0
You can view the official documentation for TLS requirements.
What are we proposing in the future?
Once the above changes are made, we intend to further refine the connection security of the Watson IoT Platform by removing support for TLS 1.1 on the messaging endpoint. This will require devices to support TLS 1.2 as a minimum.
As always, we welcome your feedback.