How to enable or disable strict TLS 1.2 mode in RSA Authentication Manager 8.2

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2

 

The most recent Payment Card Information Data Security Standard (PCI DSS) recommends using the Transport Layer Security (TLS) 1.2 cryptographic protocol for secure network communications. RSA Authentication Manager supports a strict TLS mode that only uses TLS 1.2 for communication within your Authentication Manager deployment.

By default, new RSA Authentication Manager 8.2 deployments use TLS 1.2. RSA Authentication Manager 8.1 Service Pack 1 (SP1) Patch 13 or later includes a TLS 1.2 Mode Update. If you applied the TLS 1.2 Mode Update to your SP1 deployment, then your upgraded version 8.2 deployment uses TLS 1.2. If you did not apply the TLS 1.2 Mode Update, then your upgraded version 8.2 deployment uses SSL 3.0, TLS 1.0, and TLS 1.1.

When Authentication Manager 8.2 uses strict TLS 1.2 mode, trusted realm authentication is only available with RSA Authentication Manager 8.1 Service Pack 1 (SP1) Patch 13 or later realms, in which you have applied the TLS 1.2 Mode Update. Disabling TLS 1.2 mode allows trusted realm authentication between Authentication Manager 8.2 and earlier versions of Authentication Manager that do not use TLS 1.2.

You can enable and disable the strict TLS 1.2 mode in Authentication Manager 8.2. To do so, perform the following procedure on the primary instance and each replica instance. Updating the primary instance automatically updates the web tier, but restarting the web tier is required for the changes to take effect.

 

This article addresses how to enable TLS 1.2 mode in RSA Authentication Manager 8.2 so that SSLv3, TLS 1.0 and TLS 1.1 are not allowed to be negotiated down.

To enable or disable strict TLS 1.2, follow the steps below: 

1. Log on to the appliance with the rsaadmin user ID and the current operating system password:
   1. On a hardware appliance, log on to the appliance using an SSH client.
   2. On a virtual appliance, log on to the appliance using an SSH client, the VMware vSphere client, the Hyper-V Virtual Machine Manager Console, or the Hyper-V Manager.
2. Change directories to /opt/rsa/am/utils.
3. Run the commands listed below.  Note:  To restart all of your RSA Authentication Manager services later, you must remove restart from the following commands:
   1. To enable strict TLS 1.2 mode, type:

./rsautil store -a enable_min_protocol_tlsv1_2 true restart

2. To disable strict TLS 1.2 mode so that your deployment can support SSL 3.0, TLS 1.0, and TLS 1.1, type:

./rsautil store -a enable_min_protocol_tlsv1_2 false restart​

4. (Optional) If you decided to manually restart all RSA Authentication Manager services, do the following:
   1. Change directories to /opt/rsa/am/server.
   2. Type:

./rsaserv restart all

5. Repeat steps 1 - 4 for each Authentication Manager instance in your deployment.
6. Restart the web tier.
   1. On the web tier server, go to the RSA_WT_HOME/webtierBootstrapper/server directory, where RSA_WT_HOME is the web-tier installation directory.
   2. On a Windows server, launch Windows services then restart the web tier services.
   3. On a Linux server, type the following command:

./rsaserv restart all

Refer to the article entitled What are the limitations of strict TLS 1.2 mode in RSA Authentication Manager 8.2? for more information.