Salesforce Broker changes to support TLS 1.1 and later

  • 4 November 2016



 

Symptoms

 


Salesforce is phasing out support for TLS 1.0, with a final cutoff date of March 2017. Our K2 Salesforce broker was originally built to support only TLS 1.0, so it will cease to work when Salesforce disables TLS 1.0. In 4.7, we added support for TLS 1.1 and higher. This is also available in 4.6.11 as a codefix.

There is a KB article (http://help.k2.com/kb001764) that discusses the TLS change, but it does not proactively cover some scenarios. Questions needing clarification include:

1. With these changes, will our customers' solutions continue to work with no changes when Salesforce updates its production security settings?
2. Or will they need to regenerate their Salesforce proxy and redeploy?
3. When will the new REST broker for Salesforce become available?
 

 

Diagnoses

 


In short, TLS 1.1 support requires .NET 4 (rather than .NET 1 or 2). Our Salesforce service instance generator was originally built to use only .NET 1 and 2. The "fix" (and the change in 4.7) is to include .NET 4 as an option when generating the service instance.

How this affects customers depends on their current situation:

  • If they have a 4.6.11 (or older) K2 installation with an existing Salesforce service instance, and have NOT yet applied the codefix (available from Support), then TLS 1.0 support must remain enabled in Salesforce. This is only a viable option until March 2017.
  • If they have a 4.6.11 (or older) K2 installation but do NOT have an existing Salesforce instance, they should request the codefix from Support before generating a new instance, so they can take advantage of the support for .NET 4 and TLS 1.1+.
  • If they installed K2 4.7 fresh, then when they generate their Salesforce service instance, it can be done using .NET 4, thus supporting TLS 1.1 and higher.
  • If they have upgraded to 4.7 with an existing Salesforce service instance, but have not yet regenerated it using .NET 4, then TLS 1.0 will still have to be enabled in Salesforce.

In order to use TLS 1.1+, the proxy must be generated on .NET 4. So, anyone who has existing service instances will need to regenerate the proxy using .NET 4. This needs to be done once, when they switch to using TLS 1.1. It can be done before or after Salesforce permanently disables TLS 1.0 as an option.
 

 

Resolution

A documentation request has been logged for this. There are also still plans for a REST version of the Salesforce broker, but it does not have a target release date yet. The REST version of the broker will require a rebuild of solutions using Salesforce, rather than just recompiling a service instance.

 

 



 
