Share This:

Do you integrate any systems with Salesforce?


Maybe you use Pentaho to pull data from an onsite source and push it up to Salesforce.  Great examples of this would be taking data from BMC Discovery and using Pentaho to upload the data into the Remedyforce CMDB.


Or, maybe you have an internal web page written in Ruby or Python that calls code to use the Salesforce APIs to access our Service Requests via their unique URL.


The options are probably endless.  Either way, in this day and age, everything talks to each other, and as you can imagine, security is important.  With this idea in mind, Salesforce has decided to begin disabling TLS 1.0 to any incoming or outgoing connects with Salesforce.


While we would love to try and cover every situation where you may see issues, we can’t possibly cover them all.  What we can do is provide you the tools and information you’ll need to begin testing now.


First, you’ll want to read the following:


Salesforce disabling TLS 1.0


This document is constantly being updated by Salesforce and will have ALL the information you’ll need about the upcoming transition.   There’s a few things we’d like to point out.


When will Salesforce disable TLS 1.0 encryption?


TLS 1.0 Disablement Schedule

New production
orgs created with Summer '16 or later

New production orgs created with Summer '16 or later will require
TLS 1.1 or later in HTTPS connections to or from the org.

Sandbox orgs created from a production org will inherit the TLS requirements of your production org. As such, if a production org created with Summer '16 or later creates a sandbox org, those sandbox orgs will also require TLS 1.1 or later in HTTPS connections.

The "Require TLS 1.1 or higher for HTTPS connections" CRUC setting will not be available in both production orgs created with Summer '16 or later and sandbox orgs created from such production orgs.

Sandbox orgs

June 25, 2016, at 9:30 AM PDT (16:30 UTC)

Production orgs

March 4, 2017, at 9:30 AM PST (17:30 UTC)

    other services

       Early 2017


On June 25, 2016 all Sandboxes will have TLS 1.0 disabled.  This is important to know.


The document Salesforce disabling TLS 1.0  has a ton of information that you and your partner should carefully go through and consider.  It covers making sure that users browsers are on a version that supports TLS 1.1 and higher, action required for any API (inbound) integrations, and steps call-out (outbound) integrations, just to name a few areas the Salesforce Knowledge Article covers.


Other resources that have been provided by Salesforce is a TLS Readiness Checklist.  It’s attached to the Knowledge Article, but can be found here.


Another great resource would be to sign up for the upcoming Salesforce TLS 1.0 Disablement (RRFA) webinar being hosted by Salesforce.


Lastly, please check your version of Pentaho.  Launch Pentaho by clicking on Spoon.bat.  Once it loads, navigate to About and check the Version.  Anything prior to 6.0 will not be able to communicate with Salesforce. It will need to be updated. Remember Pentaho is a zip file, so to “upgrade” you can download the latest release here and either install in a new directory and move your packages over or you can try and unzip to the existing directory and update all files.  We also suggest updating Java to 8.0 on the machine running Pentaho as Java 8.0 no longer supports TLS 1.0.


Remember….always test in your Sandbox first!  We hope this blog post points you in the right direction of all the information you’ll need.


Update Tuesday, June 14, 2016:  Salesforce is hosting a Webinar to discuss the upcoming changes slated for all Sandboxes.  The URL for the webinar is here:  Salesforce TLS 1.0 Disablement (RRFA).  The webinars are held at two different times (you can select which one fits for you):


  • Wednesday, June 16, 2016 @ 6:00PM CDT
  • Thursday, June 16, 2016 @ 9:00AM CDT


Remember, Sandboxes will have TLS 1.0 disabled as of Saturday, June 25, 2016.  You can also enable the Critical Update: Require TLS 1.1 or higher for HTTPS connections.  On any Orgs created after June 11, 2016 TLS 1.0 is disabled automatically.


Update Thursday, June 16, 2016: I hope you were able to catch the Salesforce TLS 1.0 Disablement (RRFA) webinar.  I attended the one last night and they had a LOT of great information.  First and foremost, always check back on the Salesforce Knowledge Article Salesforce disabling TLS 1.0 for the latest and greatest information.  I have attached the presentation they gave to this blog along with a recording of the session!


One feature they mentioned which is sure to help you in this process.  In Salesforce Summer 16 you can now run a Login History report to show those connections which are coming into Salesforce over TLS 1.0.  Details are here:


1.  In Salesforce in Quick Find type "Login" and search.  Select "Login History".


2.  Under File Contents, click the drop down and select "TLS 1.0 Logins ONLY".




3.  Click on "Download Now".


You'll have a CVS file that will show you all of the inbound connections coming over TLS 1.0.  This will give you a good idea of what will need remediation so you can build a plan around getting those corrected.