000029583 - RSA SecurID Authentication Manager TLSv1 restrictions not fully removed during Patch 36 rollback

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000029583
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 7.1 SP4
Platform: all supported
Platform (Other): SP4 P36
O/S Version: all supported
 
Issue: HTTPS connections to AM 7.1 SP4 are rejected even after Patch 36 has been rolled back, unless the client uses TLSv1. Only TLSv1 connections are accepted; SSLv3 and earlier SSL versions are rejected.
This issue affects connections from browser-based clients and from AM 7.1 Administration SDK clients.
The connection is rejected with a browser- or client-specific error indicating that the ProtocolVersion field in the SSL CipherSpec was rejected. For example, a Java client may report a javax.net.ssl.SSLException with the reason "protocol_version".
 
Cause: The fix for defect AM-28570 includes changes to several configuration files for RSA Authentication Manager. These changes restrict several HTTPS ports that are used for browser access and the Administration SDK to TLSv1 only.

After Patch 36 was installed, those files may also have been changed for legitimate reasons that are unrelated to Patch 36. Consequently the automated rollback for Patch 36 deliberately does not restore the previous versions of those configuration files, so that no other changes made to them are lost. The changes that Patch 36 made to those files must be reverted manually if you wish to fully roll back Patch 36 and allow the previously supported SSL versions to be used again.

The need for manual changes to restore SSL usage is not mentioned in the RSA Authentication Manager 7.1 SP4 Patch 36 Readme document.
Resolution

Overview


The P36 update altered the command lines and configuration for several AM services. The option “-Dweblogic.security.SSL.protocolVersion=SSL3” was removed from the command line (if present; not all services and systems had this option) and the option “-Dweblogic.security.SSL.protocolVersion=TLS1” was added. Also, for a couple of services, the order of cipher suites in an XML configuration file was modified to place the RC4 cipher at the top of the list (if it was not there already).


To roll back/uninstall P36, manually revert these changes, using the backup copies of the files as the reference, to:


  • Change the option “-Dweblogic.security.SSL.protocolVersion=TLS1” back to the value the service used previously (or remove it if there was no option). On Windows platforms, this option must also be modified in a couple of registry keys.
  • Revert the order of the ciphers in a couple of configuration files to the order the service used previously.

The goal is to return the command lines specified in these files to the state used by the AM services before the patch.


Warnings


  • Be careful when editing the files (or the registry). Avoid adding stray characters or changing other areas of the files. Use a plain text editor that will not alter the format of the files or introduce unexpected characters. Errors in the files may prevent the services from restarting properly.
  • All AM services and database services must be stopped.
  • If the patch is rolled back on one primary or replica system it should be rolled back on all of them. Systems and services with AM 7.1.4 patch P36 may not be compatible with systems and services without P36, since a service requiring TLSv1 is not compatible with a service requiring SSLv3.
  • Re-enabling SSLv3 restores exposure to the known weaknesses of that protocol version (for example POODLE, CVE-2014-3566). Keep the rollback in place only for as long as the incompatible client requires it.
  • Be sure to save the file changes and exit the editor when done.
  • The modified file must have the same permissions, owner and group as the original file.


Steps


1) Log in as the RSA AM administrator.
On the appliance you must first log in as “emcsrv” and then run: sudo su rsaadmin


2) Roll back the patch using the normal method.


3) Shut down all AM and database services.


4) Go to: RSA_AM_HOME/server/config
and edit the file “config.xml”.


  • Compare “config.xml” with the backup file “config.xml.bak.p36” to identify whether the option “-Dweblogic.security.SSL.protocolVersion” was used in the <arguments> element of the backup and, if so, what its value was. Note that there may be up to three <arguments> elements in the file. Determine the value used in the backup and update the “-Dweblogic.security.SSL.protocolVersion” option in the corresponding <arguments> element of config.xml to match it, or remove the option completely if it is not specified in the backup’s corresponding <arguments> element.

5) WINDOWS ONLY - Go to: RSA_AM_HOME/appserver/weblogic/common/nodemanager/
and edit the file “nodemanager.conf”.


  • Compare “nodemanager.conf” with the backup file “nodemanager.conf.bak.p36”. A line such as:
    wrapper.java.additional.14=-Dweblogic.security.SSL.protocolVersion=SSL3
    may have been deleted from the old nodemanager.conf (and a similar line added with a different value). Remove the new line from “nodemanager.conf” and, if the backup copy contained a line that was replaced, put that line back into the file.

6) LINUX AND UNIX ONLY - Go to: RSA_AM_HOME/server
and edit the file “rsaam”.


  • Compare “rsaam” with the file “rsaam.bak.p36” and look for lines that add or modify the value “-Dweblogic.security.SSL.protocolVersion=TLS1”. Remove the added line and replace it with the values used in the backup copy (if there are any).

7) Go to: RSA_AM_HOME/server/servers/AdminServer/data/nodemanager/
and edit the file “startup.properties”.


  • Compare “startup.properties” with the backup file “startup.properties.bak.p36”. Look for the addition or modification of the “-Dweblogic.security.SSL.protocolVersion” option, remove the new option value and replace it with the old value.

8) Make sure that you have saved the changes and exited from any editor or viewing tools which have the files opened. Make sure that all of the edited files have the correct owner, group and permissions.


9) WINDOWS ONLY - Open the registry editor
and edit the two keys:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RADIUS_OC\Parameters
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RSAAM_OC\Parameters


  • For each key, edit the CmdLine value: locate the string “-Dweblogic.security.SSL.protocolVersion=TLS1” or “-Dweblogic.security.SSL.protocolVersion=ALL”, which sits near the middle of the CmdLine value, and carefully change the option value "TLS1" or "ALL" to "SSL3" in both keys.

10) Restart DB and AM services.
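The file edits in steps 4, 6 and 7 are compare-and-replace operations against the .bak.p36 backups, so they can be scripted. The helpers below are an added example written for this article, not an RSA tool: they show what Patch 36 changed in a file relative to its backup, revert an in-line “-Dweblogic.security.SSL.protocolVersion=TLS1” edit to the value the backup used (or drop the option if the backup had none), write the result back in a way that keeps the file's owner, group and mode, and check that no TLS1 restriction remains. They assume a POSIX shell with grep, sed, diff and mktemp, that the option occurs at most once per line, and that the services are already stopped (steps 2 and 3). The sample lines in demo are constructed for illustration, not copied from real AM files. A whole line that P36 added, as the article describes for rsaam and nodemanager.conf, is shown by show_p36_changes and is still edited by hand.

```shell
#!/bin/sh
# Added example for this article; not RSA's own tooling.
# Assumes POSIX sh with grep, sed, diff and mktemp, and that AM and DB
# services are already stopped (steps 2 and 3).

OPT='-Dweblogic.security.SSL.protocolVersion'
OPT_RE='-Dweblogic\.security\.SSL\.protocolVersion'   # same string, regex-escaped

# Show exactly what P36 changed: an edited existing line, or a whole new line.
# diff exits 1 when the files differ, which is the expected case here.
show_p36_changes() {
    diff "$1.bak.p36" "$1"
}

# Print the protocolVersion value used in a file (SSL3, ALL, TLS1, ...),
# or nothing if the option is absent. "-e" keeps grep from reading the
# leading "-D" of the pattern as a flag.
protocol_value_in() {
    grep -o -e "${OPT_RE}=[A-Za-z0-9]*" "$1" 2>/dev/null | head -n 1 | sed "s/^${OPT_RE}=//"
}

# Exit 0 if the file still carries the TLS1-only restriction.
still_restricted_to_tls1() {
    grep -q -e "${OPT_RE}=TLS1" "$1"
}

# Revert the option in $1 to the state recorded in $1.bak.p36.
# Handles the in-line case (config.xml <arguments>, startup.properties).
# Returns 1 if the file or its backup is missing.
revert_protocol_version() {
    file="$1"
    backup="$1.bak.p36"
    [ -f "$file" ] && [ -f "$backup" ] || { echo "missing $file or $backup" >&2; return 1; }
    old=$(protocol_value_in "$backup")
    tmp=$(mktemp) || return 1
    if [ -n "$old" ]; then
        # The backup used the option: put its value back (e.g. TLS1 -> SSL3).
        sed "s/${OPT_RE}=TLS1/${OPT}=${old}/g" "$file" > "$tmp"
    else
        # The backup had no option: drop the token P36 added, with its leading space.
        sed "s/ *${OPT_RE}=TLS1//g" "$file" > "$tmp"
    fi
    # Write back through the existing inode so owner, group and mode survive
    # (mv or cp of the temp file would give the file the editor's identity and umask).
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Stand-alone demonstration on constructed sample lines (not real AM files).
demo() {
    dir=$(mktemp -d) || return 1
    # Case 1: the pre-patch file used SSL3 and P36 rewrote it to TLS1.
    printf '<arguments>-Xms256m %s=SSL3 -Xmx1024m</arguments>\n' "$OPT" > "$dir/config.xml.bak.p36"
    printf '<arguments>-Xms256m %s=TLS1 -Xmx1024m</arguments>\n' "$OPT" > "$dir/config.xml"
    # Case 2: the pre-patch file had no option and P36 appended one.
    printf 'Arguments=-Xms256m -Xmx1024m\n' > "$dir/startup.properties.bak.p36"
    printf 'Arguments=-Xms256m -Xmx1024m %s=TLS1\n' "$OPT" > "$dir/startup.properties"
    for f in config.xml startup.properties; do
        echo "== $f: P36 changes"
        show_p36_changes "$dir/$f" || true
        revert_protocol_version "$dir/$f"
        echo "== $f: after revert"
        cat "$dir/$f"
    done
    rm -rf "$dir"
}

demo
```

Run the helpers as rsaadmin so the files are rewritten under the identity that owns them, then confirm step 8's requirement with ls -l on each edited file before restarting the services in step 10.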
