000032846 - How to verify TLS v.1.2 is configured correctly in RSA Authentication Manager 8.1 SP1 patch 13

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Jul 14, 2020.
Version 6

Article Content

Article Number 000032846
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1 patch 13
Issue
A Secure Sockets Layer (SSL) or TLS connection negotiates two things: a protocol version, such as SSL version 3 or TLS version 1, and a cipher suite, such as one based on RC4.

RSA Authentication Manager products generally:
  • No longer use the older SSL 2.
  • Still allow SSL 3, unless it is disabled with RSA Authentication Manager 8.1 SP1 patch 13 (the TLS patch).
  • Prefer or default to TLS version 1 (TLS 1.0) starting with RSA Authentication Manager 8.1 SP1 patch 2.
One immediate problem with RSA Authentication Manager 8.1 SP1 patch 13 is that while the WebLogic server embedded in RSA Authentication Manager supports TLS 1.2, the openssl utility included in the appliance's SUSE Linux distribution does not. If you want to use openssl to confirm that the server accepts TLS 1.2 (and refuses other protocols, such as SSL version 3 or TLS version 1), you have to test from another platform, not from the RSA Authentication Manager server itself.

This article shows how to verify that the TLS 1.2 configuration is working correctly, and shows some useful testing and troubleshooting techniques using the openssl utility.
Tasks
Find and use openssl 1.0.1 or later, which is not in the SUSE Linux distribution provided with RSA Authentication Manager 8.1 SP1 patch 13 and earlier. OpenSSL 1.0.1 is the first release whose s_client supports TLS 1.1 and TLS 1.2.
Resolution
The openssl version command displays the version of your openssl distribution.


  • On an RSA Authentication Manager 8.1 SP1 patch 13 or earlier appliance, which ships OpenSSL 0.9.8 and therefore cannot negotiate TLS 1.2, you will see:



rsaadmin@am81p:~> openssl version
OpenSSL 0.9.8j-fips 07 Jan 2009
rsaadmin@am81p:~>



 


  • Many later versions of Red Hat or Ubuntu include a newer openssl, such as 1.0.1, which does support TLS 1.2:



[root@rh81wt ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@rh81wt ~]#



You can force openssl s_client to request one specific protocol version, such as TLS 1.2 with the -tls1_2 switch; the handshake then fails if the server does not accept that version. In this example, 192.168.2.30 is an RSA Authentication Manager 8.1 SP1 patch 13 appliance and :7004 is the port for the Security Console and Self-Service Console:


rsaadmin@am81p:~> openssl s_client -connect 192.168.2.30:7004 -tls1_2
unknown option -tls1_2
usage: s_client args
-host host - use -connect instead
-port port - use -connect instead


You will see a usage error with openssl version 0.9.8 because it does not implement TLS 1.2, so the -tls1_2 switch is an unknown option. The same command with openssl version 1.0.1 or later works; the option is known and recognized.
 

[root@rh81wt ~]# openssl s_client -connect 192.168.2.30:7004 -tls1_2
CONNECTED(00000003)
depth=1 CN = RSA root CA for am81p.vcloud.local, serialNumber = 2660b7301e756f1418b6cb8fb3145ff0b32d296f0f21f901cfe65ae486701349
verify error:num=19:self signed certificate in certificate chain
verify return:0
140401050306376:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
140401050306376:error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib:s3_clnt.c:1641:
---
Certificate chain

Scroll down to see:


Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion:   NONE
SSL-Session:
    Protocol  : TLSv1.2

Two things in this output are worth reading correctly. The verify error:num=19 line only means this client does not have the appliance root CA in its trust store; it does not affect the protocol test. The two error lines ending in EC lib mean the client's elliptic-curve library does not know the curve the server selected for the key exchange, so this particular handshake stopped after the protocol version had already been agreed. The Protocol : TLSv1.2 line therefore confirms that the server negotiated TLS 1.2; to confirm a fully working session, also check that the New, TLSv1/SSLv3, Cipher is ... line earlier in the output names a cipher suite rather than (NONE).
Notes
Enabling TLS 1.2 mode on RSA Authentication Manager 8.1 SP1 patch 13 and later servers requires that RSA Authentication Agents for Windows that use auto-registration and offline data also be upgraded to RSA Authentication Agents for Windows 7.3 or later.

Some openssl syntax examples:

openssl version                                        (1.0.1 or later supports up to TLS 1.2)
openssl s_client -connect 192.168.2.30:7004            (let client and server negotiate the version)
openssl s_client -connect 192.168.2.30:7004 -ssl3      (should fail on a patch 13 appliance with SSL 3 disabled)
openssl s_client -connect 192.168.2.30:7004 -tls1      (TLS 1.0)
openssl s_client -connect 192.168.2.30:7004 -tls1_1    (TLS 1.1)
openssl s_client -connect 192.168.2.30:7004 -tls1_2    (TLS 1.2; should succeed)
openssl s_client -connect 192.168.2.30:7004 -showcerts (also print the server certificate chain)
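The commands above are normally run one at a time and read by eye. The following script is an added example, not part of the RSA article, that runs all four protocol switches against one port, classifies each s_client result from the "Cipher is" and "Protocol :" lines, and reports whether the server behaves as a correctly configured patch 13 appliance should (SSL 3, TLS 1.0 and TLS 1.1 refused, TLS 1.2 accepted). It assumes an OpenSSL 1.0.1 or later client on the machine it runs from, and the target 192.168.2.30:7004 is only the article's example address.

```shell
#!/bin/sh
# Added example (not RSA's code): probe one appliance port with each of the
# protocol switches the article lists and report which versions the server
# accepts. Run it from a host with OpenSSL 1.0.1 or later, never from the
# appliance itself (its 0.9.8 does not know -tls1_2).
# Usage: sh check_tls12.sh 192.168.2.30:7004   (target is an assumption)

# negotiated_protocol: read s_client output on stdin and print the version
# the server actually agreed to, "none" when no session was established,
# or "unsupported-client" when this openssl build does not know the switch.
negotiated_protocol() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo unsupported-client
        return 0
    fi
    # A completed handshake prints "New, <ver>, Cipher is <suite>"; a failed
    # one prints "Cipher is (NONE)" or no cipher line at all, even though an
    # SSL-Session block may still show the version from the ServerHello.
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo none
        return 0
    fi
    if ! printf '%s\n' "$out" | grep -q 'Cipher is '; then
        echo none
        return 0
    fi
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    if [ -n "$proto" ]; then echo "$proto"; else echo none; fi
}

# probe: one s_client handshake against host:port with the given protocol
# switch. stdin is closed so s_client exits as soon as the handshake ends.
probe() {
    openssl s_client -connect "$1" "$2" </dev/null 2>&1 | negotiated_protocol
}

# verify_tls12: SSL 3, TLS 1.0 and TLS 1.1 must be refused and TLS 1.2 must
# succeed. Returns 0 only when every probe matches that expectation. A switch
# this client cannot even request is reported as SKIP so the gap is visible;
# retest those versions from a client whose openssl still has the switch.
verify_tls12() {
    target=$1
    status=0
    for switch in -ssl3 -tls1 -tls1_1 -tls1_2; do
        case $switch in
            -tls1_2) want=TLSv1.2 ;;
            *)       want=none ;;
        esac
        got=$(probe "$target" "$switch")
        if [ "$got" = "$want" ]; then
            verdict=OK
        elif [ "$got" = unsupported-client ] && [ "$want" = none ]; then
            verdict="SKIP (client build lacks $switch)"
        else
            verdict=FAIL
            status=1
        fi
        printf '%-8s negotiated=%-18s expected=%-8s %s\n' \
            "$switch" "$got" "$want" "$verdict"
    done
    return $status
}

# Run against the target given on the command line; with no argument only
# the functions are defined, so the file can be sourced by other scripts.
if [ -n "${1:-}" ]; then
    verify_tls12 "$1"
fi
```

The classification deliberately keys on the cipher line rather than on the Protocol line alone: as the article's own output shows, s_client can print Protocol : TLSv1.2 for a handshake that was later aborted, so a session is only counted as established when a real cipher suite was agreed.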


See 000032627 - How to export RSA Authentication Manager 8.0 and 8.1 Web Tier Virtual Host Key Pair to a PFX file.
