000032846 - How to verify TLS v.1.2 is configured correctly in Authentication Manager 8.1 SP1 P13

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000032846
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 Service Pack 1 patch 13
Platform: Suse Linux 11
 
Issue

Secure Sockets Layer (SSL) connections use a protocol version, such as SSL 3 or TLS 1, and a cipher, such as RC4.
RSA Authentication Manager products generally:
 - no longer use the older SSL version 2 (SSL2)
 - still allow SSL version 3 (SSL3) unless it is disabled with AM 8.1 SP1 P13, the TLS patch
 - prefer or default to TLS version 1 (TLS1) starting with AM 8.1 SP1 P2
One immediate problem with AM 8.1 SP1 P13 is that while the WebLogic Server embedded in AM supports TLS 1.2, the openssl utility included in the SUSE Linux distribution on the appliance does not. So if you want to use openssl to test or prove that the AM server accepts TLS 1.2 (and refuses other protocols such as SSL 3 or TLS 1), you have to test from another platform, not from the AM server itself.
This Knowledge Base (KB) article shows how to verify that the TLS 1.2 configuration is working correctly, and shows some useful testing and troubleshooting techniques using the openssl utility.

Tasks

Find and use version 1.0.1 or later of openssl, which is not included in the SUSE Linux distribution provided with AM 8.1 SP1 P13 and earlier.

Resolution

openssl version    displays the version of your openssl distribution. The SUSE Linux image on an AM 8.1 SP1 P13 or earlier SecurID appliance includes openssl 0.9.8, which does not support TLS 1.2:
[screenshot: openssl version on the appliance reporting 0.9.8]
Many later versions of Red Hat or Ubuntu include a later version of openssl, 1.0.1 or higher:
[screenshot: openssl version on another host reporting 1.0.1]
You can force openssl s_client to request a specific protocol such as TLS 1.2 with the -tls1_2 switch. In this example 192.168.2.30 is an AM 8.1 SP1 P13 SecurID appliance and :7004 is the Security Console and Self-Service Console port:
   openssl s_client -connect 192.168.2.30:7004 -tls1_2
[screenshot: openssl 0.9.8 rejecting -tls1_2 as an unknown option]
With openssl 0.9.8 you get a syntax error, because TLS 1.2 is not supported and the -tls1_2 switch is reported as an unknown option. The same command with openssl 1.0.1 or later works: the option is recognized and the handshake completes.
[screenshot: openssl 1.0.1 connecting with -tls1_2]
The negotiated protocol is listed lower in the s_client output, in the SSL-Session section (Protocol : TLSv1.2).

Notes

Enabling TLS 1.2 mode on AM 8.1 SP1 P13 and later servers requires that Windows Authentication Agents that need auto-registration and offline data also be upgraded to Agent version 7.3 or later.
Some openssl syntax examples:
openssl version
   (1.0.1 supports up to TLS 1.2)
openssl s_client -connect 192.168.2.30:7004
   (let client and server negotiate the protocol version)
openssl s_client -connect 192.168.2.30:7004 -ssl3
openssl s_client -connect 192.168.2.30:7004 -tls1
openssl s_client -connect 192.168.2.30:7004 -tls1_1
openssl s_client -connect 192.168.2.30:7004 -tls1_2
openssl s_client -connect 192.168.2.30:7004 -showcerts
   (print the full certificate chain the server presents)
On a server with TLS 1.2 mode enabled, only the -tls1_2 connection should complete; the -ssl3 and -tls1 attempts should end in a handshake failure. Note that on a refused handshake s_client still prints an SSL-Session block naming the protocol you requested, so judge the result by the "New, ..., Cipher is ..." summary line, which reads "Cipher is (NONE)" when no session was established.
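The verification steps in the Resolution section and the syntax list above can be run as one script. The following is an added example written for this article, not code shipped by RSA: it runs each of the listed s_client probes from a host with openssl 1.0.1 or later, reads the negotiated protocol from the output, and reports whether the result matches a TLS 1.2-only policy (TLS 1.2 accepted, every older version refused). That policy, the 192.168.2.30:7004 target, and the function names are the example's own assumptions. It keys off the OpenSSL 1.0.x "New, ..., Cipher is ..." summary line because a refused handshake still prints an SSL-Session block naming the requested protocol.

```shell
#!/bin/sh
# Added example, not code from the RSA KB: probe an Authentication Manager
# console port with openssl s_client once per SSL/TLS version and report
# which handshakes the server accepts. Run it from a host whose openssl is
# 1.0.1 or later (the -tls1_1/-tls1_2 options do not exist in 0.9.8, so the
# AM appliance's own openssl cannot run it). 192.168.2.30:7004 is the
# KB's example appliance and console port; pass your own host and port.

# Read s_client output on stdin and print the protocol that was actually
# negotiated, "none" when no session was established, or "unsupported"
# when this openssl build rejected the option (0.9.8 and -tls1_2, or a
# newer build compiled without SSL 3).
# Assumes the OpenSSL 1.0.x output format: a failed handshake still prints
# an SSL-Session block naming the *requested* protocol, but the summary
# line then reads "New, (NONE), Cipher is (NONE)", so key off that line.
negotiated_protocol() {
    raw=$(cat)
    case "$raw" in
        *"unknown option"*)   printf 'unsupported\n'; return 0 ;;
        *"Cipher is (NONE)"*) printf 'none\n'; return 0 ;;
    esac
    p=$(printf '%s\n' "$raw" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    if [ -n "$p" ]; then printf '%s\n' "$p"; else printf 'none\n'; fi
}

# Policy check, assuming a TLS 1.2-only configuration: the -tls1_2 probe
# must succeed and every older protocol must be refused.
# Arguments: the s_client option tried (e.g. -ssl3) and the value printed
# by negotiated_protocol. Returns 0 when the outcome is what a correctly
# configured server should produce, 1 otherwise.
judge() {
    opt=$1; proto=$2
    case "$opt:$proto" in
        *:unsupported)   return 1 ;;   # this client cannot test the version
        -tls1_2:TLSv1.2) return 0 ;;   # TLS 1.2 accepted: required
        -tls1_2:*)       return 1 ;;   # TLS 1.2 refused: misconfigured
        *:none)          return 0 ;;   # older protocol refused: expected
        *)               return 1 ;;   # older protocol accepted: still enabled
    esac
}

# Try each protocol against host:port and print one verdict line per probe.
# Exit status is 0 only when every probe matched the policy.
probe_host() {
    host=$1; port=$2; rc=0
    for opt in -ssl3 -tls1 -tls1_1 -tls1_2; do
        # s_client waits for application data on stdin; hand it EOF at once.
        # It exits non-zero on a refused handshake, so do not let that abort.
        out=$(openssl s_client -connect "$host:$port" "$opt" </dev/null 2>&1) || true
        proto=$(printf '%s\n' "$out" | negotiated_protocol)
        if judge "$opt" "$proto"; then verdict=OK; else verdict=FAIL; rc=1; fi
        printf '%-8s negotiated=%-12s %s\n' "$opt" "$proto" "$verdict"
    done
    return $rc
}

# Only touch the network when a host and port are given on the command line,
# e.g.:  sh probe_am_tls.sh 192.168.2.30 7004
if [ $# -eq 2 ]; then
    probe_host "$1" "$2"
fi
```

A FAIL on -ssl3, -tls1 or -tls1_1 means the server still negotiated that version; a FAIL on -tls1_2 means TLS 1.2 is not being offered. An "unsupported" result is a statement about the testing host, not the appliance: pick a host whose openssl was built with that protocol, exactly as the article says to do for TLS 1.2 and the 0.9.8 build on the appliance.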

See also Salesforce KB 32627, How to export Authentication Manager 8.1 SP1 Web Tier Virtual Host Private Key to .PFX file.
