For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Open sourceSupportFAQsDocs Home
DocumentationAPI referenceRelease notes
DocumentationAPI referenceRelease notes
  • Platform On-Prem
    • Overview
    • Navigate
      • Platform
      • Properties and environment variables reference
        • HTTP headers
        • TLS/SSL
        • Configure server
    • Search resources
  • Apps
    • FlowAI
    • Itential Automation Gateway
  • Resources
    • Itential Academy
    • Version lifecycle
    • Itential MCP
    • Accessibility conformance
    • Get support
    • FAQs
LogoLogo
Open sourceSupportFAQsDocs Home
On this page
  • Configuration Methods
  • Set a specific TLS method
  • Set minimum and max versions
  • Examples
  • Considerations
  • Troubleshoot
Platform On-PremConfigureNetwork and security

Configure TLS

Was this page helpful?
Previous

Configure server

Next
Built with

Itential Platform supports TLS versions 1.0 through 1.3.

Configure TLS settings with environment variables or platform properties.

Use webserver_https_secure_protocol to set a specific TLS method, or use webserver_https_tls_min_version and webserver_https_tls_max_version to define a version range. When both are configured, min and max properties take precedence and the platform logs a warning.

For information, see Platform properties and environment variables.

Configuration Methods

Set a specific TLS method

Use to set a specific TLS method:

  • TLSv1_method, TLSv1_1_method, TLSv1_2_method: Restricts to that version only
  • TLS_method: Allows TLS v1.0 through v1.3, negotiating the highest mutually supported version

Set minimum and max versions

Use webserver_https_tls_min_version and webserver_https_tls_max_version to define a version range.

Defines an allowed version range. Takes precedence over webserver_https_secure_protocol.

Valid values: TLSv1.3, TLSv1.2, TLSv1.1, TLSv1

Examples

Allow TLS v1.0 through v1.3:

$ITENTIAL_WEBSERVER_HTTPS_SECURE_PROTOCOL=TLS_method

Restrict to TLS v1.2:

$ITENTIAL_WEBSERVER_HTTPS_SECURE_PROTOCOL=TLSv1_2_method

Restrict to TLS v1.3:

$ITENTIAL_WEBSERVER_HTTPS_TLS_MIN_VERSION=TLSv1.3
$ITENTIAL_WEBSERVER_HTTPS_TLS_MAX_VERSION=TLSv1.3

Allow TLS v1.2 and v1.3:

$ITENTIAL_WEBSERVER_HTTPS_TLS_MIN_VERSION=TLSv1.2
$ITENTIAL_WEBSERVER_HTTPS_TLS_MAX_VERSION=TLSv1.3

Considerations

Keep in mind these considerations:

  • TLS v1.3 uses a new handshake format incompatible with some older clients
  • When using TLS_method, the platform negotiates the TLS version with each client based on mutual support
  • TLS v1.0 and v1.1 have known security vulnerabilities
  • Configure using either secure_protocol or min/max properties, not both

Troubleshoot

If clients cannot connect, verify they support the configured TLS versions and check logs for handshake errors or configuration warnings.