|Applies To||RSA Product Set: Access Manager|
RSA Product/Service Type: Access Manager Server, Access Manager Runtime API, Access Manager Administrative API
RSA Version/Condition: 6.2 SP4 Server / 6.2 SP3 and earlier Runtime API / 6.2 SP3 and earlier Administrative API
|Issue||After upgrading Access Manager Servers to version 6.2 SP4, clients using an older Runtime API or Administrative API (6.2 SP3 or earlier) fail to connect to the Server and log an exception similar to the following:|
When connecting to the Entitlements Server, the eserver.log file may provide additional information:
|Cause||In Access Manager 6.2 SP4, all cipher suites whose names contain any of the keywords in the list below have been disabled and are no longer supported:|
Any client using the Runtime API or Administrative API whose cipher suites all match these patterns has no suite left in common with the Server, so the connection fails with the exception.
|Resolution||Client applications should be recompiled with the Access Manager 6.2 SP4 Runtime API and Administrative API libraries.|
The parameter cleartrust.net.ssl.excluded_cipher_suites, set in the Access Manager Server configuration files (aserver.conf, eserver.conf, dispatcher.conf, iserver.conf, keyserver.conf, lserver.conf, and selfservice.conf), overrides the default list of excluded cipher suites for RSA Access Manager Server. Setting this parameter in the configuration files can therefore make the Server backward compatible with the 6.2 SP3 and earlier Runtime API and Administrative API.
The default setting used by Access Manager Server 6.2 SP4 if the parameter is not specified in the Server configuration files is:
That setting prevents all those weak ciphers from being used.
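The keyword matching described above can be modelled to see which exclusion keywords an older client actually depends on, so that the exclusion list is narrowed no more than needed. This is an added example, not RSA code: the keyword list and client suite list are constructed sample values (only the 3DES keyword comes from this article), and case-sensitive substring matching is an assumption.

```python
"""Model of keyword-based cipher suite exclusion (added example, not RSA code)."""

# Constructed sample values. EXCLUDED is NOT the 6.2 SP4 default list;
# only the 3DES keyword is taken from the article's example.
EXCLUDED = ["3DES", "RC4", "NULL", "EXPORT", "anon"]

# Constructed suite list for a hypothetical older client (JSSE-style names).
OLD_CLIENT = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
]


def blocking_keywords(suite, excluded):
    """Keywords in the exclusion list that occur in the suite name.

    Assumption: plain case-sensitive substring matching.
    """
    return [kw for kw in excluded if kw in suite]


def usable_suites(client_suites, excluded):
    """Suites the client offers that no exclusion keyword matches."""
    return [s for s in client_suites if not blocking_keywords(s, excluded)]


def relaxation_options(client_suites, excluded):
    """For each blocked suite, the keywords that must be omitted to allow it.

    Sorted so the options needing the fewest omissions come first.
    """
    options = [(s, blocking_keywords(s, excluded)) for s in client_suites]
    return sorted((o for o in options if o[1]), key=lambda o: len(o[1]))


def relax(excluded, omit):
    """Exclusion list with the chosen keywords omitted, order preserved."""
    return [kw for kw in excluded if kw not in omit]


if __name__ == "__main__":
    print("usable now:", usable_suites(OLD_CLIENT, EXCLUDED))
    for suite, keywords in relaxation_options(OLD_CLIENT, EXCLUDED):
        print(f"{suite}: omit {keywords}")
    narrowed = relax(EXCLUDED, {"3DES"})
    print("after omitting 3DES:", usable_suites(OLD_CLIENT, narrowed))
```

Passing an empty exclusion list to usable_suites returns every suite the client offers, including the export-grade one, which is the effect of removing all keywords.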
To allow a specific cipher, you should add this parameter to the Server configuration files, with the required cipher omitted from the list. For example, if 3DES is needed, the parameter should be specified with 3DES omitted, as follows:
If you are unsure of which cipher you need to use, you can remove all ciphers from the exclusion list by setting the parameter to: