Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 7.1 SP4
Platform: all supported
Platform (Other): SP4 P36
O/S Version: all supported
Issue: SSL connections for HTTPS to AM v7.1 SP4 are rejected even after Patch 36 is rolled back, unless TLSv1 is used. Only TLSv1 connections are accepted. SSLv3 and earlier SSL versions are rejected.
This issue affects connections from browser-based clients and from AM 7.1 Administration SDK clients.
The connection will be rejected with a browser- or client-specific error indicating that the ProtocolVersion field in the SSL CipherSpec is rejected. For example, a Java client may report a javax.net.ssl.SSLException on "protocol_version".
Cause: The fix for defect AM-28570 includes changes to several configuration files for RSA Authentication Manager. These changes restrict several HTTPS ports that are used for browser access and the Administration SDK to TLSv1 only.
After Patch 36 was installed, those files may also have been changed for legitimate, external reasons that are unrelated to Patch 36. Consequently, the automated rollback for Patch 36 deliberately does not restore the previous versions of those configuration files, to avoid losing any other changes that may have been made to them. The changes made by Patch 36 to those files must be manually reverted if you wish to fully roll back Patch 36 and allow previously supported SSL versions to be used again.
The need to do manual changes to restore SSL usage is not mentioned in the RSA Authentication Manager 7.1 SP4 Patch 36 Readme document.
The P36 update altered the command lines and configuration for several AM services. The option “-Dweblogic.security.SSL.protocolVersion=SSL3” was removed from the command line (if present; not all services and systems would have had this option) and the option “-Dweblogic.security.SSL.protocolVersion=TLS1” was added. Also, for a couple of services, the order of cipher suites in an XML configuration file was modified to place the RC4 cipher at the top of the list (if it was not there already).
To roll back/uninstall P36, manually revert these changes using the information in the file backup copies.
The goal is to return the command lines specified in these files to the state used by the AM services before the patch.
1) Log in as the RSA AM administrator.
2) Roll back the patch using the typical method.
3) Shut down all AM and database services.
4) Go to: RSA_AM_HOME/server/config
5) WINDOWS ONLY - Go to: RSA_AM_HOME/appserver/weblogic/common/nodemanager/
6) LINUX AND UNIX ONLY - Go to: RSA_AM_HOME/server
7) Go to: RSA_AM_HOME/server/servers/AdminServer/data/nodemanager/
8) Make sure that you have saved the changes and exited from any editor or viewing tools which have the files opened. Make sure that all of the edited files have the correct owner, group and permissions.
9) WINDOWS ONLY - Open the registry editor
10) Restart the DB and AM services.
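Before and after the manual edits above, it helps to check which state each service's files are actually in. The following is an added example, not part of the RSA article: it reads a service command line for the protocolVersion option and an XML fragment for the cipher order, and reports whether the Patch 36 state (TLS1 only, RC4 first) is still present. The `<ciphersuite>` element name and the sample inputs are assumptions, not values from the article.

```python
# Added example (not from the RSA article): audit the settings Patch 36 changes.
# Assumptions: the service command line carries -Dweblogic.security.SSL.protocolVersion,
# and cipher suites are listed in <ciphersuite> elements (element name assumed,
# modelled on WebLogic config.xml; the article does not name it).
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

PROTOCOL_OPT = re.compile(r"-Dweblogic\.security\.SSL\.protocolVersion=(\w+)")


def protocol_version(cmdline: str) -> Optional[str]:
    """Return the protocolVersion value on a service command line, or None if absent."""
    match = PROTOCOL_OPT.search(cmdline)
    return match.group(1) if match else None


def cipher_order(xml_text: str) -> List[str]:
    """Return the cipher suites in the order the XML lists them."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter("ciphersuite") if el.text]


def classify(cmdline: str, xml_text: str) -> Dict[str, object]:
    """Report whether the files still carry the Patch 36 state (TLS1 only, RC4 first)."""
    version = protocol_version(cmdline)
    suites = cipher_order(xml_text)
    return {
        "protocolVersion": version,
        # Patch 36 sets TLS1; before the patch the option was SSL3 or absent.
        "tls1_only": version == "TLS1",
        "first_cipher": suites[0] if suites else None,
        "rc4_first": bool(suites) and "RC4" in suites[0],
    }


# Constructed sample input resembling a post-Patch-36 command line and XML fragment.
SAMPLE_CMDLINE = ("java -Xmx1024m -Dweblogic.Name=AdminServer "
                  "-Dweblogic.security.SSL.protocolVersion=TLS1 weblogic.Server")
SAMPLE_XML = """<server><ssl>
  <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
  <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
</ssl></server>"""

if __name__ == "__main__":
    for key, value in classify(SAMPLE_CMDLINE, SAMPLE_XML).items():
        print(f"{key}: {value}")
```

Run it against the real startup script text and the XML file for each service listed in the steps above; a service that still reports `tls1_only: True` has not been reverted.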