000032846 - How to verify TLS v.1.2 is configured correctly in Authentication Manager 8.1 SP1 P13

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Jun 15, 2018.
Version 5

Article Content

Article Number: 000032846
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 Service Pack 1 patch 13
Issue

Secure Sockets Layer (SSL) connections negotiate a protocol version, such as SSL 3.0 or TLS 1.0, and a cipher, such as RC4.

RSA Authentication Manager products generally:
  • No longer use the older SSL 2.0
  • Still allow SSL 3.0, unless it is disabled with Authentication Manager 8.1 SP1 P13 (the TLS patch)
  • Prefer or default to TLS 1.0 (TLS1) starting with Authentication Manager 8.1 SP1 P2
One immediate problem with Authentication Manager 8.1 SP1 P13 is that while the WebLogic server embedded in Authentication Manager supports TLS 1.2, the openssl utility included in the appliance's SUSE Linux distribution does not. So if you use openssl to test or prove that the Authentication Manager server accepts TLS 1.2 (and refuses other protocols such as SSL 3.0 or TLS 1.0), you have to test from another platform, not from the Authentication Manager server itself.

This article shows how to verify that the TLS 1.2 configuration is working correctly, and shows some useful testing and troubleshooting techniques using the openssl utility.

Tasks

Find and use OpenSSL 1.0.1 or later, which is not included in the SUSE Linux distribution provided with Authentication Manager 8.1 SP1 P13 and earlier.
Resolution
Running openssl version displays the version of your openssl distribution. The SecurID appliance for Authentication Manager 8.1 SP1 P13 and earlier includes OpenSSL 0.9.8, which does not support TLS 1.2:

[Image: openssl version output on the appliance, showing OpenSSL 0.9.8]

Most current Red Hat or Ubuntu releases include OpenSSL 1.0.1 or later:

[Image: openssl version output showing OpenSSL 1.0.1]


You can force openssl s_client to request a specific protocol version, such as TLS 1.2, with the -tls1_2 switch. In this example 192.168.2.30 is an Authentication Manager 8.1 SP1 P13 SecurID appliance and :7004 is the Security Console and Self-Service Console port:

openssl s_client -connect 192.168.2.30:7004 -tls1_2

[Image: the command above failing on OpenSSL 0.9.8 with "unknown option -tls1_2"]

With OpenSSL 0.9.8 you get a syntax error, because TLS 1.2 is not supported and -tls1_2 is therefore reported as an unknown option. The same command with OpenSSL 1.0.1 or later works: the option is recognized and the handshake completes.

[Image: the command above succeeding on OpenSSL 1.0.1, showing Protocol : TLSv1.2]

The negotiated protocol is listed lower in the output, in the SSL-Session block (Protocol : TLSv1.2). If the server refuses the requested version instead, s_client reports a handshake failure and the SSL-Session block shows no cipher (Cipher is (NONE)).
Notes

Enabling TLS 1.2 mode on Authentication Manager 8.1 SP1 P13 and later servers requires that RSA Authentication Agents for Windows which use auto-registration and offline data also be upgraded to agent 7.3 or later.

Some openssl syntax examples (all run from a host with OpenSSL 1.0.1 or later, not from the appliance):

openssl version
    1.0.1 and later support up to TLS 1.2
openssl s_client -connect 192.168.2.30:7004
    negotiate the highest protocol version both sides support
openssl s_client -connect 192.168.2.30:7004 -ssl3
openssl s_client -connect 192.168.2.30:7004 -tls1
openssl s_client -connect 192.168.2.30:7004 -tls1_1
    force SSL 3.0, TLS 1.0 or TLS 1.1; with TLS 1.2 mode enabled on the server these should fail with a handshake failure (Cipher is (NONE) in the output)
openssl s_client -connect 192.168.2.30:7004 -tls1_2
    force TLS 1.2; this is the connection that should succeed and show Protocol : TLSv1.2
openssl s_client -connect 192.168.2.30:7004 -showcerts
    also print the full server certificate chain
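The manual checks above can be run as one pass and read back mechanically. The script below is an added example, not code from RSA or from the article: it runs s_client once per protocol switch, parses the SSL-Session block to see whether the handshake completed, and reports PASS/FAIL against the expectation that SSL 3.0, TLS 1.0 and TLS 1.1 are refused and only TLS 1.2 is negotiated. The host, port and those expectations are assumptions for a server with TLS 1.2 mode enabled; the abridged s_client outputs embedded at the end are constructed samples so the parser can be exercised offline. It must run from a host with OpenSSL 1.0.1 or later, and it reports SKIP (not PASS) when the local openssl does not know a switch, which is exactly the 0.9.8 "unknown option" case the article describes.

```shell
#!/bin/sh
# Added example (not from the RSA article): probe an Authentication Manager
# console port with each protocol version and check that only TLS 1.2 is
# accepted. Host, port and expected results are assumptions for a server
# with TLS 1.2 mode enabled. Run from a host with OpenSSL 1.0.1 or later.

# Read openssl s_client output on stdin and print one of:
#   the negotiated protocol (e.g. TLSv1.2) when the handshake succeeded,
#   "none"        when the server refused the handshake,
#   "unsupported" when this openssl build does not know the switch
#                 (the OpenSSL 0.9.8 "unknown option -tls1_2" case).
parse_protocol() {
    awk '
        tolower($0) ~ /unknown option/ { unsupported = 1 }
        # SSL-Session block lines look like "    Protocol  : TLSv1.2"
        /^ *Protocol *:/ { proto = $3 }
        /^ *Cipher *:/   { cipher = $3 }
        END {
            # on a refused handshake s_client still prints the block, but
            # with Cipher 0000 (or (NONE)) and no server certificate
            if (unsupported) print "unsupported"
            else if (proto != "" && cipher != "" && cipher != "0000" && cipher != "(NONE)") print proto
            else print "none"
        }'
}

# Run s_client with one protocol switch against HOST:PORT.
# Usage: probe_protocol 192.168.2.30 7004 -tls1_2
probe_protocol() {
    host=$1; port=$2; switch=$3
    # stdin from /dev/null makes s_client exit once the handshake is done;
    # stderr is merged so "unknown option" errors reach the parser
    openssl s_client -connect "$host:$port" "$switch" </dev/null 2>&1 | parse_protocol
}

# Verify a TLS 1.2-only configuration: SSL 3.0, TLS 1.0 and TLS 1.1 must be
# refused and TLS 1.2 must be negotiated. Returns 0 only if every check passes;
# a switch the local openssl cannot test counts as a failure, not a pass.
verify_tls12_only() {
    host=$1; port=${2:-7004}; rc=0
    for entry in "-ssl3:none" "-tls1:none" "-tls1_1:none" "-tls1_2:TLSv1.2"; do
        switch=${entry%%:*}; want=${entry#*:}
        got=$(probe_protocol "$host" "$port" "$switch")
        case $got in
            "$want")     echo "PASS $switch -> $got" ;;
            unsupported) echo "SKIP $switch: not supported by this openssl build (use 1.0.1 or later)"; rc=1 ;;
            *)           echo "FAIL $switch -> $got (expected $want)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed, abridged s_client outputs so parse_protocol can be checked
# offline. Hostnames, cipher and byte counts are placeholders.
SAMPLE_OK='CONNECTED(00000003)
depth=0 CN = am81.example.com
---
Certificate chain
 0 s:/CN=am81.example.com
   i:/CN=am81.example.com
---
SSL handshake has read 1498 bytes and written 426 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA256
    Session-ID-ctx:
---'

SAMPLE_FAIL='CONNECTED(00000003)
139874621839008:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID-ctx:
---'

SAMPLE_UNSUPPORTED='unknown option -tls1_2
usage: s_client args

 -host host     - use -connect instead
 -port port     - use -connect instead'

# Run directly as: sh tls12check.sh 192.168.2.30 7004
if [ -n "${1:-}" ]; then
    verify_tls12_only "$1" "${2:-7004}"
fi
```

The exit status of verify_tls12_only makes the script usable from a change-validation job: a non-zero return means either an older protocol was still accepted or the check could not be completed on this host.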


See also 000032627 - How to export RSA Authentication Manager 8.0 and 8.1 Web Tier Virtual Host Key Pair to a PFX file.
