Automate 10 and AWS Security changes



TL;DR: Automate 10 can use TLS 1.2 but does not support AWS Signature Version 4. Advanced Workflow AWS Signature Version 4 support is coming in the late 2023 release of EFT.

Does Automate 10 (Advanced Workflow Engine) support TLS 1.2?

Amazon announced that "TLS 1.2 [is] to become the minimum TLS protocol level for all AWS API endpoints". This means if your application doesn't support TLS 1.2, you will not be able to connect. You may see a message like:

Error: Amazon S3 will stop supporting TLS 1.0 and TLS 1.1 connections. Please update your client to use TLS version 1.2 or above. To learn more and to update your client, see https://go.aws/3AUlVSb. For further assistance, contact AWS support.

AWE (Automate 10) uses SChannel, which means it relies on the Windows operating system for TLS instead of its own SSL library. As a result, you will likely be affected on deprecated versions of Windows such as Windows Server 2008 and Windows Server 2012. There are methods to change the default protocol version in these operating systems. You can find Microsoft articles on how to do that here and here.

We strongly recommend you use an operating system supported by Microsoft and supported by EFT. In our testing, Windows Server 2016 and above support TLS 1.2 by default. If changes were made but the above error is still thrown, the changes may need to be reviewed by Microsoft Support.

Does Automate 10 support AWS Signature Version 4?

Short answer: No, it doesn't, but that doesn't mean you can't still connect to S3. Review this document from AWS to confirm your bucket Region Name/Region supports Signature Version 2.

AWS Regions that state they do not support Signature Version 2 WILL allow you to connect for 2 hours before they force Signature Version 4 support.

You may find that after you create a bucket and successfully connect, the connection stops working a few hours later.

Automate 10 logs:

Error : The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.

AWS S3 server-side logs:

Success:

f53643c13ba7cbd1942f324aedff03770dcd2c5c7a76d7df0081a4bcb290b8c4 bucket-redacted [11/Aug/2023:17:45:42 +0000] ip-redacted arn:aws:iam::redacted:user/s3-user 2J6146FVMAEBQRXR REST.GET.LOCATION - "GET /?location HTTP/1.1" 200 - 137 - 24 - "-" "AutoMate S3Sync" - m4SB2QKKfKA5eub3hkNqYWYLK3zREfePn6HTId47gB++D3mcK7Pm0UDvLUR70AFgSVTuV3QbnAU= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader redacted.s3.amazonaws.com TLSv1.2 - -

Failure:

f53643c13ba7cbd1942f324aedff03770dcd2c5c7a76d7df0081a4bcb290b8c4 redacted [11/Aug/2023:17:43:15 +0000] ip-redacted - FA5WQYHEWJ92GJY8 REST.GET.LOCATION - "GET /?location HTTP/1.1" 400 InvalidRequest 324 - 2 - "-" "AutoMate S3Sync" - lvOTutTcW8hXsHTlOyBkc1TSMcULyzaB+rgIng4hkY4egKI/0q0FqNPyj3UGuUZ4Xt0/2EZbD1Q= SigV2 - AuthHeader redacted.s3.amazonaws.com - - -

In the success log, you can see Automate 10 using Signature Version 2 (SigV2) and TLS 1.2. We recommend making sure the bucket region you are using supports Signature Version 2. EFT 8.2.X.X will support Automate 2022, which has support for AWS Signature Version 4.
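To find which clients still sign with SigV2 before a region starts rejecting them, the same fields can be pulled out of S3 server access logs in bulk. The script below is an added example, not part of the original article; it assumes the 26-field record layout seen in the two log lines above, the sample records are constructed with placeholder IDs, and the finding labels are hypothetical names.

```python
import re

# Field order of an S3 server access log record (26 space-delimited fields).
FIELDS = ("bucket_owner bucket time remote_ip requester request_id operation key "
          "request_uri http_status error_code bytes_sent object_size total_time "
          "turnaround_time referer user_agent version_id host_id signature_version "
          "cipher_suite auth_type host_header tls_version access_point_arn "
          "acl_required").split()
# A token is a [bracketed time], a "quoted string", or a run of non-spaces.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
MODERN_TLS = {"TLSv1.2", "TLSv1.3"}

def parse_line(line):
    """Split one access log record into a dict keyed by field name."""
    tokens = [t.strip('[]"') for t in TOKEN.findall(line)]
    if len(tokens) < FIELDS.index("tls_version") + 1:
        raise ValueError("record too short to carry signature/TLS fields")
    return dict(zip(FIELDS, tokens))

def classify(rec):
    """Return findings for a record: SigV2 use, SigV2 rejection, old TLS."""
    findings = []
    if rec["signature_version"] == "SigV2":
        rejected = rec["http_status"] == "400" and rec["error_code"] == "InvalidRequest"
        findings.append("sigv2-rejected" if rejected else "sigv2-in-use")
    # "-" means the field was not logged, as in the failure record above.
    if rec["tls_version"] != "-" and rec["tls_version"] not in MODERN_TLS:
        findings.append("tls-below-1.2")
    return findings

def audit(lines):
    """Map request ID -> (user agent, findings) for records with findings."""
    report = {}
    for line in filter(str.strip, lines):
        rec = parse_line(line)
        findings = classify(rec)
        if findings:
            report[rec["request_id"]] = (rec["user_agent"], findings)
    return report

# Constructed sample records shaped like the log lines above (all IDs are placeholders).
SAMPLE = [
    'OWNERID example-bucket [11/Aug/2023:17:45:42 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/s3-user REQ0000000000001 REST.GET.LOCATION - "GET /?location HTTP/1.1" 200 - 137 - 24 - "-" "AutoMate S3Sync" - HOSTID1= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.amazonaws.com TLSv1.2 - -',
    'OWNERID example-bucket [11/Aug/2023:17:43:15 +0000] 192.0.2.10 - REQ0000000000002 REST.GET.LOCATION - "GET /?location HTTP/1.1" 400 InvalidRequest 324 - 2 - "-" "AutoMate S3Sync" - HOSTID2= SigV2 - AuthHeader example-bucket.s3.amazonaws.com - - -',
    'OWNERID example-bucket [11/Aug/2023:17:50:01 +0000] 192.0.2.11 arn:aws:iam::111122223333:user/s3-user REQ0000000000003 REST.GET.LOCATION - "GET /?location HTTP/1.1" 200 - 137 - 20 - "-" "example-client/1.0" - HOSTID3= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.amazonaws.com TLSv1.2 - -',
]

if __name__ == "__main__":
    for req_id, (agent, findings) in audit(SAMPLE).items():
        print(req_id, agent, ", ".join(findings))
```

Grouping the report by user agent shows which integrations need to move to a SigV4-capable client first.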