This post is intended to provide a brief, high-level description of Transport Layer Security (TLS) best practices as they relate to PI Web API. Microsoft and leading browsers are pushing to deprecate any security protocol version prior to TLS 1.2, and following these practices will allow systems using PI Web API to remain functional and secure.
- Systems should not hard-code the TLS version or cipher suite but should instead practice cryptographic agility and allow the operating system to choose the best security protocol and version. As protocol updates are introduced, this will ensure that systems are using the most secure technology.
- Systems should be configured to use the most secure TLS version (1.2+) where possible by disabling older security protocols at the OS level. Refer to Microsoft’s Transport Layer Security (TLS) registry settings for details on how to disable older TLS versions. Alternatively, Nartac Software's IISCrypto tool can assist with configuring your OS settings.
- TLS 1.2 is supported and enabled by default on all OS versions supported by PI Web API.
- PI Web API does not hard-code the TLS version and is compatible with TLS 1.0, 1.1 and 1.2.
- Refer to Microsoft’s Solving the TLS 1.0 Problem for additional information.