As of April 2021 (Informatica v10.5.0), TLS v1.3 is not supported. This version of the protocol is rather new and will be considered for support in a later product release. There is no timeline as of yet, and no additional assessment is available.
"infasetup.sh listDomainCiphers -l ALL" will allow you to verify the cipher list.
The following steps can be followed to disable TLS 1.0 and TLS 1.1 and retain only TLS 1.2 for Informatica services:
i) Shut down the domain (all nodes), then make the changes below.
ii) Modify infaservice.sh to add -Dcom.informatica.ssl.EnabledProtocols=TLSv1.2 (or set it in the INFA_JAVA_OPTS environment variable, where the Xmx option is defined; search for "Xmx" in the infaservice.sh file) - on all nodes.
// This step instructs Informatica Java services to use only the TLS 1.2 protocol and not any lower protocol.
iii) Modify java/jre/lib/security/java.security and add TLSv1 and TLSv1.1 to jdk.tls.disabledAlgorithms (so that even if an application intends to use them, Java will prevent it) - on all nodes.
// This step disables the TLS 1.0 and TLS 1.1 protocols for all applications and processes using Java, so only TLS 1.2 is used.
Look for "jdk.tls.disabledAlgorithms" in INFA_HOME/tomcat/bin/infaservice.sh file and update the entry as below:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
EC keySize < 224, TLSv1, TLSv1.1
iv) For native applications like CPP, TLS 1.0 and TLS 1.1 ciphers can be turned off by executing the following commands (updatedomainciphers and updategatewaynode) in the format below:
./infasetup.sh updatedomainciphers -cbl TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA (from any one of the gateway nodes)
./infasetup.sh updategatewaynode -cbl TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA (should be done on all gateway nodes)
// If there are any worker nodes in the domain, use the updateworkernode command to disable the ciphers there as well.
// Once completed, you can verify the ciphers used by the domain as below:
./infasetup.sh listDomainCiphers -l ALL -dc true
// This lists the default list, the effective list and the ciphers that are blacklisted.
// After blacklisting is done, verify the effective list to check which ciphers the domain is configured to use.
v) To sync the nodemeta.xml ciphers and server.xml with effective ciphers list, use:
./infasetup.sh updategatewaynode -dn <DOMAINNAME>
./infasetup.sh updateworkernode -dn <DOMAINNAME>
vi) Clean up temp/cache files:
INFA_HOME/tomcat/temp/<remove all files and directories>
vii) Startup the domain.
If Informatica is upgraded at any later time, disabling TLS 1.0 and TLS 1.1 is a manual activity that has to be performed again on the upgraded version.
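A check for steps ii and iii that can be run after the change and again after an upgrade. This is an added example, not Informatica tooling: the function names, the -Xmx value and the sample files are constructed, and the two file paths are supplied by the caller.

```shell
#!/bin/sh
# Added example. Checks steps ii and iii; file paths are supplied by the caller.

# Print a java.security property value, joining "\" continuation lines.
get_security_prop() {  # $1 = property name, $2 = java.security path
    awk -v key="$1" '
        /^[ \t]*#/ { next }                       # skip comment lines
        {
            line = $0
            while (line ~ /\\[ \t]*$/) {          # trailing backslash: value continues
                sub(/\\[ \t]*$/, "", line)
                if ((getline nxt) <= 0) break
                sub(/^[ \t]+/, "", nxt)
                line = line nxt
            }
            if (index(line, key "=") == 1) print substr(line, length(key) + 2)
        }' "$2" | tail -n 1                       # last definition wins
}

# True only if $2 is an exact comma-separated entry of list $1.
# Substring matching is not enough: "TLSv1.1" contains "TLSv1".
has_entry() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fxq -- "$2"
}

check_tls_hardening() {  # $1 = java.security, $2 = infaservice.sh
    disabled=$(get_security_prop jdk.tls.disabledAlgorithms "$1")
    rc=0
    for proto in TLSv1 TLSv1.1; do
        has_entry "$disabled" "$proto" || { echo "not disabled: $proto"; rc=1; }
    done
    # Step ii allows the flag in infaservice.sh or in INFA_JAVA_OPTS.
    { grep -v '^[[:space:]]*#' "$2"; printf '%s\n' "${INFA_JAVA_OPTS:-}"; } |
        grep -Eq -- '-Dcom\.informatica\.ssl\.EnabledProtocols=TLSv1\.2([^.0-9,]|$)' ||
        { echo "EnabledProtocols=TLSv1.2 not found"; rc=1; }
    return "$rc"
}

# Constructed sample files (not real Informatica files) mirroring the entries above.
write_sample() {  # $1 = directory
    printf '%s\n' 'jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \' \
        'EC keySize < 224, TLSv1, TLSv1.1' > "$1/java.security"
    printf '%s\n' 'INFA_JAVA_OPTS="-Xmx1024m -Dcom.informatica.ssl.EnabledProtocols=TLSv1.2"' \
        > "$1/infaservice.sh"
}

d=$(mktemp -d) && write_sample "$d" &&
    check_tls_hardening "$d/java.security" "$d/infaservice.sh" && echo "sample passes"
```

On a real node, call check_tls_hardening with the java.security and infaservice.sh paths named in steps ii and iii; a non-zero exit status means one of the two settings is missing.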