Coupa will soon be disabling the TLS 1.1 encryption protocol. TLS 1.1 is used to connect to suppliers' punchout catalogs and to send and receive cXML POs and invoices. Additionally, IE9 and IE10 may need to be reconfigured to support this change.
To avoid any disruption in service, please make sure you've enabled TLS 1.2 by December 4, 2020.
Frequently Asked Questions
Why is Coupa disabling TLS 1.1?
TLS is a data security standard for encrypting the connection between systems. TLS 1.1 is an old version of TLS and is no longer considered secure. TLS 1.2 and later are the accepted versions used across the industry.
When is Coupa disabling TLS 1.1?
We'll disable TLS 1.1 for Sandbox instances on November 1, and for Production instances on December 4, 2020. We’ll send admins a maintenance notification with the exact window of when we’ll make the change.
What is the impact on my organization?
All Coupa Administrators need to make sure their current Punchout and cXML-based suppliers, as well as their users' browsers and mobile devices, support TLS 1.2 or higher.
The change to disable TLS 1.1 will require minimal scheduled downtime to your Coupa instance. You will be notified of the exact date and time through our normal maintenance notification process, allowing you to prepare accordingly.
This change will affect all of Coupa’s products: our core platform and apps, power apps, and third-party services.
How do I prepare for TLS 1.1 End of Support?
You'll need to ensure a few different systems are ready to support TLS 1.2, including:
- All browsers currently supported by Coupa already have TLS 1.2 or later enabled. You may need to reconfigure older browsers to support TLS 1.2.
- All integrations that access Coupa must support TLS 1.2 or later once the change is made. Take the opportunity prior to the migration to validate your active integrations in the Coupa sandbox environment:
  - API Integrations: applications accessing Coupa through the REST API must have TLS 1.2 or later enabled for API communication with Coupa. Coupa Admins need to validate any integrations accessing the Coupa REST API in their sandbox environment prior to the time of migration.
  - Supplier Integrations: cXML PunchOut / Purchase Order / Invoice integrations received from suppliers and other external vendors will have to be sent using TLS 1.2 or later.
  - Coupa Flat File (SFTP) Integrations: no changes are required for applications that currently send or retrieve data from the Coupa SFTP sites. SFTP communication does not rely upon TLS.
How do I test my integrations?
To test any of your outbound connections, follow these steps:
- Sign into a test environment where supplier punchout sites are configured.
- Change the configuration in each supplier punchout site to: TLSv1_2.
- Test the punchout site again. If you are able to enter the punchout site successfully and bring a cart back into Coupa, then that supplier is compliant with our upcoming change. If it does not work, then the supplier will not be compliant with our change. If this is the case, we recommend that Coupa Admins contact that supplier to understand their plan to support these higher versions of data security.
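A supplier or integration endpoint can also be checked from outside Coupa. The script below is an added example, not part of Coupa's documentation or tooling: it attempts a handshake with TLS 1.2 as the minimum version and separates protocol failures from certificate and network problems. The hostnames are placeholders (assumptions) to be replaced with your own suppliers' punchout hosts.

```python
import socket
import ssl


def tls12_only_context():
    """Client context that refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def classify(negotiated):
    """Map a negotiated protocol string (e.g. 'TLSv1.2') to a verdict."""
    return "compliant" if negotiated in ("TLSv1.2", "TLSv1.3") else "not compliant"


def probe(host, port=443, timeout=5.0):
    """Handshake with TLS 1.2 as the floor; return (host, verdict, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with tls12_only_context().wrap_socket(raw, server_hostname=host) as tls:
                return host, classify(tls.version()), tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Certificate problem, not a protocol-version problem: report separately.
        return host, "certificate error", exc.verify_message
    except ssl.SSLError as exc:
        # Handshake failed with TLS 1.2 as the minimum; the reason says why.
        return host, "handshake failed", exc.reason or str(exc)
    except OSError as exc:
        # DNS failure, refused connection, timeout: nothing learned about TLS.
        return host, "unreachable", str(exc)


if __name__ == "__main__":
    # Placeholder hostnames (assumptions); replace with your suppliers' hosts.
    for supplier in ("punchout.supplier-a.example", "cxml.supplier-b.example"):
        print(*probe(supplier), sep="\t")
```

A "handshake failed" result is the case to raise with the supplier; "unreachable" says nothing about TLS and should be retried from a network that can reach the host.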