000037048 - After upgrading to RSA NetWitness Logs & Network 10.6.6.0, Active Directory authentication no longer works

Document created by RSA Customer Support Employee on Dec 25, 2018

Article Content

Article Number: 000037048
Applies To: RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: SA Server
RSA Version/Condition: 10.6.6.0 and above
Platform: CentOS 6
Issue: After upgrading to 10.6.6.0, users who authenticate using Active Directory can no longer log in.
Cause: One reason for this is that your Active Directory server is not configured to use TLS 1.2. For instance, Windows Server 2008 R2 may not have TLS 1.2 enabled out of the box.
Resolution: You have two options:
  1. Enable TLS 1.2 on the Windows Domain Controller. You may have to talk to your Active Directory administrators on how to best achieve this.
  2. Disable the TLS 1.0 and 1.1 restriction in the puppet recipes.
The rest of this KB article will show you how to accomplish the workaround.

NOTE: RSA recommends that you re-enable the TLS 1.0/1.1 restriction on the SA Server (that is, revert this workaround) at your earliest convenience. This workaround is only meant to let your analysts keep working while the change is being made on the Windows side. By making this change, you are making your system less secure.
Workaround: SSH to the SA Server.
We will modify a puppet recipe and let the change propagate throughout the system.

vi /etc/puppet/modules/rsa-java/files/java.security.java8


You will see a line like the following towards the end of the file:

jdk.tls.disabledAlgorithms=SSLv3,DES,DESede, TLSv1, TLSv1.1, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384

Note that TLSv1 and TLSv1.1 are in this list. We will be removing these values from this comma-separated list. We will then be left with the following:


jdk.tls.disabledAlgorithms=SSLv3,DES,DESede, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384

Save this file. Then, we will propagate the changes using puppet with an agent run.


puppet agent -t

This will cause the jetty/UI service to restart. If it does not restart itself during the run, then you'll need to do it manually.


stop jettysrv
start jettysrv

Then, attempt to log in to the UI using your Active Directory credentials and see if this resolved your issue.

Notes: If you are still having an issue, please submit a case to RSA Technical Support and quote this KB article for further assistance.
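The edit above is easy to get wrong by hand, and the NOTE asks you to revert it later. The following script is an added example (not RSA's tooling) that applies or reverts the change to a java.security-style file in one step. It assumes the Java properties format, where a value may continue over several physical lines joined by a trailing backslash; the sample file content is constructed for illustration.

```python
"""Apply or revert the KB workaround on jdk.tls.disabledAlgorithms (added example)."""
import sys

KEY = "jdk.tls.disabledAlgorithms"
LEGACY = ("TLSv1", "TLSv1.1")  # the protocols the workaround removes from the disabled list

# Constructed sample mirroring the line the KB shows; not a copy of a real appliance file.
SAMPLE = """# other settings above
jdk.tls.disabledAlgorithms=SSLv3,DES,DESede, TLSv1, TLSv1.1, \\
    TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384
jdk.certpath.disabledAlgorithms=MD2, MD5
"""


def _find_key(lines):
    """Return (start, end) indexes of the physical lines holding KEY, following
    trailing-backslash continuations as the Java properties format does."""
    for i, line in enumerate(lines):
        if line.lstrip().startswith(KEY) and line.split("=", 1)[0].strip() == KEY:
            end = i
            while lines[end].rstrip().endswith("\\") and end + 1 < len(lines):
                end += 1
            return i, end
    raise ValueError(f"{KEY} not found")


def disabled_algorithms(text):
    """Parse the comma-separated value of KEY into a list of tokens."""
    lines = text.splitlines()
    start, end = _find_key(lines)
    joined = "".join(l.rstrip().rstrip("\\") for l in lines[start:end + 1])
    return [t.strip() for t in joined.split("=", 1)[1].split(",") if t.strip()]


def set_legacy_tls(text, allow_legacy):
    """allow_legacy=True applies the workaround (drop TLSv1/TLSv1.1 from the
    disabled list); False puts them back, which is the hardened state."""
    lines = text.splitlines()
    start, end = _find_key(lines)
    tokens = [t for t in disabled_algorithms(text) if t not in LEGACY]
    if not allow_legacy:
        tokens += list(LEGACY)
    lines[start:end + 1] = [f"{KEY}={', '.join(tokens)}"]  # rewrite as one line
    return "\n".join(lines) + "\n"


if __name__ == "__main__":  # usage: script.py <java.security path> relax|harden
    path, mode = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        updated = set_legacy_tls(fh.read(), allow_legacy=(mode == "relax"))
    with open(path, "w") as fh:
        fh.write(updated)
```

Run it against the puppet-managed copy named in the KB, then do the puppet agent run as described; `harden` restores the restriction once the domain controller supports TLS 1.2.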
