000039461 - After upgrading to RSA NetWitness 11.4 or later Active Directory is not able to establish a connection

Document created by RSA Customer Support Employee on Nov 19, 2020

Article Content

Article Number: 000039461
Applies To: RSA Product Set: RSA NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.4.x and 11.5.x
Issue: After upgrading to RSA NetWitness 11.4 or later, Active Directory is no longer connected over SSL when the AD server uses a DH key length of less than 2048 bits.

The following error is written to /var/lib/netwitness/uax/logs/sa.log:

ERROR com.rsa.smc.sa.admin.web.controller.ajax.AuthenticationProviderController - Test connection failed
com.rsa.asoc.launch.api.transport.client.TransportClientException: Accepted DH prime length is 2048 or higher
at com.rsa.asoc.launch.api.transport.client.ClientResponseUtils.handleError(ClientResponseUtils.java:99)
at com.rsa.asoc.launch.api.transport.client.AmqpTransportClient.doSendAndReceive(AmqpTransportClient.java:118)
at com.rsa.asoc.launch.api.transport.client.AmqpTransportClient.send(AmqpTransportClient.java:69)


Active Directory users are no longer able to log in. To reproduce the failure, go to Admin > Security > Settings > Active Directory Configurations, select the AD instance and click the Test button; the connection test fails with the error shown above.
Cause: In RSA NetWitness 11.4, we upgraded our BSAFE libraries to comply with FIPS. As a result, a DH key length of at least 2048 bits is now required to establish SSL/TLS connections.
Resolution: We recommend increasing the DH key length on the Active Directory server to 2048 bits or greater so that the SSL/TLS connection can be established. A DH key length of 1024 bits is no longer FIPS compatible.

The following Microsoft reference describes where the DH key length is configured. Note that the advisory configures a 1024-bit DH key, whereas 2048 bits is the value suggested here:

Microsoft security advisory: Updated support for Diffie-Hellman Key Exchange
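Before and after changing the AD setting, it is useful to confirm from the NetWitness host which DH prime length the LDAPS endpoint actually negotiates. The following POSIX shell script is an added example, not part of the RSA article; it forces DHE cipher suites with openssl s_client and reads the "Server Temp Key" line. The host name dc.example.com is a placeholder and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the RSA article): check the finite-field DH prime
# length an LDAPS (port 636) server offers, as seen from the NetWitness host.
# Forcing DHE cipher suites makes the server reveal its DH group; openssl
# then prints a line such as "Server Temp Key: DH, 1024 bits".

# Extract the DH prime length in bits from openssl s_client output on stdin.
# Prints nothing if no finite-field DH key exchange was negotiated
# (e.g. "Server Temp Key: ECDH, P-256, 256 bits" or "X25519, 253 bits").
dh_prime_bits() {
  sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# Return 0 if the DH prime is at least MIN bits (default 2048, the value
# NetWitness 11.4+ requires), 1 if it is shorter, 2 if no DH group was seen.
dh_check() {
  min="${1:-2048}"
  bits="$(dh_prime_bits)"
  [ -n "$bits" ] || return 2
  [ "$bits" -ge "$min" ]
}

# Probe a live domain controller; requires openssl in PATH. TLS 1.2 is forced
# because the "Server Temp Key" line is only printed for that handshake type.
# Usage: probe_ldaps dc.example.com 636   (dc.example.com is a placeholder)
probe_ldaps() {
  host="$1"; port="${2:-636}"
  echo | openssl s_client -connect "$host:$port" -cipher 'DHE' -tls1_2 2>/dev/null | dh_check
}

# Constructed sample output (not a real capture) showing the failing case.
SAMPLE_1024='Server Temp Key: DH, 1024 bits
Verify return code: 0 (ok)'

if [ "${1:-}" = "--demo" ]; then
  if printf '%s\n' "$SAMPLE_1024" | dh_check; then
    echo "DH group acceptable (>= 2048 bits)"
  else
    echo "DH group below 2048 bits or no DH key exchange observed"
  fi
fi
```

Run `sh dhcheck.sh --demo` to see the constructed 1024-bit case fail, or source the file and call `probe_ldaps <dc-host>` against the real domain controller.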
