000028965 - How to configure AES ciphers for the RSA Authentication Manager 8.1 Security Console

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.


Article Number: 000028965

Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1

Issue
Access to the Authentication Manager 8.1 Security Console was lost after disabling the RC4 ciphers in client browsers or computers.
 
Tasks
To resolve this issue, the following tasks must be performed:
  1. Access the Authentication Manager server via command line.
  2. Modify the config.xml file.
  3. Restart the Authentication Manager services.

Resolution
Here is a way to disable the RC4 cipher in a browser so that, when connecting to the Authentication Manager Security Console, it does not negotiate an RC4 cipher. The Authentication Manager server also needs a change so that it supports non-RC4 ciphers. Here is the outline.
 
Browsers can be configured to use non-RC4 ciphers. Connections from the client workstation to the Authentication Manager consoles can then be established via TLS with AES ciphers.
Some argue that the most secure mode possible is TLS 1.2 using RC4-128-SHA1; however, once the RC4 ciphers are disabled in the browser, the connection will fail unless you enable another cipher, such as AES, for the Authentication Manager console in the config.xml file.
Steps for disabling RC4 ciphers in browsers are below.

Microsoft Internet Explorer 11

On the PC running the browser, open regedit and do the following:

  1. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128 and set the DWORD value Enabled to 00000000.
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128 and set the DWORD value Enabled to 00000000.
  3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128 and set the DWORD value Enabled to 00000000.

Mozilla Firefox 33

On the PC running the browser, launch Firefox and do the following:

  1. In the address bar, type about:config and press Enter.
  2. Set the value for security.ssl3.ecdh_ecdsa_rc4_128_sha to false.
  3. Set the value for security.ssl3.ecdh_rsa_rc4_128_sha to false.
  4. Set the value for security.ssl3.ecdhe_ecdsa_rc4_128_sha to false.
  5. Set the value for security.ssl3.ecdhe_rsa_rc4_128_sha to false.
  6. Set the value for security.ssl3.rsa_rc4_128_md5 to false.
  7. Set the value for security.ssl3.rsa_rc4_128_sha to false.
Note: If you disable all RC4 ciphers, you must copy the AES cipher suites from the biztier section of config.xml and add them to the Security Console listener on port 7004 in the same file. To do this:
  1. SSH to the Authentication Manager 8.1 primary.
  2. Navigate to /opt/rsa/am/server/config.
  3. Run the following command to list the AES cipher suites already present in the file:
grep AES config.xml

  4. The section of the file regarding AES cipher suites will display as below:
(screenshot from the original article not reproduced)

  5. Highlight the following lines and paste them into a text editor.
(screenshot from the original article not reproduced)

  6. Make a backup of config.xml, then edit the working copy. Find the <listen-port> of 7004. The RC4 cipher suite should be right above it.
(screenshot from the original article not reproduced)

  7. Paste in the cipher suites copied above, as in the sample below:
(screenshot from the original article not reproduced)

  8. Use the command :wq! to save or :q! to quit without saving.
  9. Navigate to /opt/rsa/am/server and run the following command to restart the Authentication Manager services:
./rsaserv restart all

  10. After the services have completely started, access the Security Console.
  11. Check your connection using browser tools.
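The grep, copy and paste edit described in the note above, written out as a small script. This is an added example and not RSA's own tooling; it assumes a WebLogic-style config.xml in which each listener's <ssl> block lists one <ciphersuite> per line followed by its <listen-port>, which the article's screenshots suggest but do not state. The sample file, the biztier port and the cipher suite names in it are constructed; only port 7004 comes from the article.

```python
"""Added example (not RSA's code): copy the AES <ciphersuite> lines that the
biztier listener already has into the Security Console listener (port 7004)
in config.xml, after taking a backup, the way the article does by hand.

Assumed layout (not confirmed by the article): WebLogic-style XML where each
<ssl> block holds one <ciphersuite> per line followed by <listen-port>.
"""
import re
import shutil
from pathlib import Path

CONSOLE_PORT = "7004"  # Security Console listener named in the article

# Constructed sample mirroring the article's scenario: biztier already lists
# AES suites, the console listener (7004) lists only RC4. The 7002 port and the
# suite names are placeholders, not values taken from a real appliance.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server>
    <name>biztier</name>
    <ssl>
      <enabled>true</enabled>
      <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA</ciphersuite>
      <ciphersuite>SSL_RSA_WITH_RC4_128_SHA</ciphersuite>
      <listen-port>7002</listen-port>
    </ssl>
  </server>
  <server>
    <name>console</name>
    <ssl>
      <enabled>true</enabled>
      <ciphersuite>SSL_RSA_WITH_RC4_128_SHA</ciphersuite>
      <listen-port>7004</listen-port>
    </ssl>
  </server>
</domain>
"""


def aes_ciphersuites(lines):
    """Equivalent of `grep AES config.xml`: unique AES suite lines, in file order."""
    seen, out = set(), []
    for line in lines:
        text = line.strip()
        if "<ciphersuite>" in text and "AES" in text and text not in seen:
            seen.add(text)
            out.append(text)
    return out


def add_aes_to_console(text, port=CONSOLE_PORT):
    """Return (patched_text, number_of_lines_inserted).

    Every AES <ciphersuite> line found in the file is inserted directly above
    the <listen-port> of `port`. Suites that listener already has are skipped,
    so running the function twice changes nothing the second time.
    """
    lines = text.splitlines(keepends=True)
    aes = aes_ciphersuites(lines)
    if not aes:
        raise ValueError("no AES cipher suites found to copy")

    marker = f"<listen-port>{port}</listen-port>"
    try:
        idx = next(i for i, line in enumerate(lines) if marker in line)
    except StopIteration:
        raise ValueError(f"no listener on port {port} in config") from None

    # Walk back to the enclosing <ssl> so deduplication only looks at this listener.
    start = idx
    while start >= 0 and "<ssl>" not in lines[start]:
        start -= 1
    if start < 0:
        raise ValueError(f"<listen-port>{port} is not inside an <ssl> block")
    present = {line.strip() for line in lines[start:idx] if "<ciphersuite>" in line}

    indent = re.match(r"\s*", lines[idx]).group(0)  # match the listen-port line
    new_lines = [indent + suite + "\n" for suite in aes if suite not in present]
    return "".join(lines[:idx] + new_lines + lines[idx:]), len(new_lines)


def patch_file(path):
    """Back up config.xml beside itself (config.xml.bak), then rewrite it in place."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    patched, count = add_aes_to_console(path.read_text())
    path.write_text(patched)
    return count


if __name__ == "__main__":
    patched, count = add_aes_to_console(SAMPLE_CONFIG)
    print(f"inserted {count} AES cipher suite line(s)")
    print(patched)
```

On a real appliance you would call patch_file("/opt/rsa/am/server/config/config.xml") and then restart the services as the article describes; the script refuses to run when it finds no AES suites to copy or no listener on the requested port, which are the two cases where a silent no-op would leave the console still RC4-only.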
