|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 Service Pack 1 patch 13
|Issue||Secure Sockets Layer (SSL) connections use a protocol such as SSL ver. 3 or TLS ver. 1, and they use a cipher, such as RC4.|
RSA Authentication Manager products generally;
This article shows how to verify that the TLS 1.2 configuration is working correctly, and shows some useful testing and troubleshooting techniques using the openssl utility.
|Tasks||Find and use version 1.0.1 of openssl, which is not included in the SUSE Linux distribution provided with Authentication Manager 8.1 SP1 P13 and earlier. |
The openssl version command displays the version of your openssl distribution. Authentication Manager 8.1 SP1 P13 and earlier versions of the SecurID appliance include ver. 0.98, which does not support TLS1_2.
Many later versions of Red Hat or Ubuntu include a later version of openssl, v. 1.0.1.
You can force openssl s_client to request a specific protocol such as TLS v. 1.2 with the -tls1_2 switch. In this example 192.168.2.30 is an Authentication Manager 8.1 SP1 P13 SecurID appliance and :7004 is the Security Console and Self Service Console port.
With openssl v. 0.98 you will get a syntax error because TLS1.2 is not supported, so the -tls1_2 switch is an unknown option. The same command with openssl version 1.0.1 or later works, because the option is recognized.
You will see the protocol listed lower in the display.
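The checks described above can be scripted. The following is an added example, not part of the original RSA article: it tests whether the local openssl is new enough for -tls1_2, then reads the negotiated protocol from the s_client session block. The function names are hypothetical and the sample session text is constructed.

```shell
# Added example; function names are hypothetical, not RSA or OpenSSL tooling.

# Succeed if an `openssl version` line reports 1.0.1 or later, the first
# OpenSSL release whose s_client accepts -tls1_2.
supports_tls12() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')   # "0.9.8j", "1.0.1e", ...
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}                        # strip letter suffix
    case "$major$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 0 ] && return 0
    [ "$major" -eq 1 ] && [ "${patch:-0}" -ge 1 ] && return 0
    return 1
}

# Print the protocol from the SSL-Session block of s_client output on stdin.
negotiated_protocol() {
    awk -F': *' '/^ *Protocol *:/ { print $2; exit }'
}

# Connect with TLS 1.2 forced and succeed only if TLSv1.2 was negotiated.
# Usage: check_tls12 192.168.2.30:7004   (address and port from the article)
check_tls12() {
    supports_tls12 "$(openssl version)" || {
        echo "local openssl is older than 1.0.1; -tls1_2 is unavailable" >&2
        return 2
    }
    proto=$(openssl s_client -connect "$1" -tls1_2 </dev/null 2>/dev/null |
            negotiated_protocol)
    [ "$proto" = "TLSv1.2" ]
}

# Constructed sample of the session block s_client prints (not captured output).
SAMPLE_SESSION='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA'
```

check_tls12 returns 2 when the local client cannot request TLS 1.2 at all, which separates a client-side limitation from a server that refused the handshake.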
|Notes||Enabling TLS1_2 mode on Authentication Manager 8.1 SP1 P13 and later servers requires that RSA Authentication Agents for Windows that require auto-registration and offline data also be upgraded to agent 7.3 or later|
Some openssl syntax examples:
See also 000032627 - How to export RSA Authentication Manager 8.0 and 8.1 Web Tier Virtual Host Key Pair to a PFX file.