000030177 - Applying 7.1 SP4 patch 36 breaks Operations Console second login.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000030177
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 7.1 SP4
Platform (Other): Patch 36
Windows Server
Issue: Applying patch 36 for 7.1 SP4 breaks the second login for the Operations Console. This login is mostly used for tasks such as identity source management, replica management, RADIUS management, etc. The customer will get "Unable to verify credentials, and /or process this request at this time" even though they are entering the correct Security Console administrator username and password.
You will see the following error in ops-console.log under the <RSAHOME>\imsoc\logs folder:

javax.net.ssl.SSLHandshakeException: [Security:090488]PROTOCOL_VERSION alert received from hostname.domain.local - XX.XX.XX.XX Check that the peer supports the same level of the SSL/TLS protocol being used (SSL V3.0 and TLS V1.0); No available router to destination]
Customer's issue: I can navigate to certain options, being RADIUS / migration tool; I then launch the 2nd authentication to the Security Console, which tells me I need a super admin. I enter the default admin that was set up at the start (generic super admin generated at initial install). Error message: "Unable to verify credentials, and /or process this request at this time". I know the admin credentials are good, as when I log in directly to the Security Console they work. I built a test environment and initially this worked, but now I am having the same issue.
Cause:
1. The above error may also occur if you enter the wrong credentials. Be absolutely sure that you are entering the Security Console administrator username and password from the internal database.
2. Check ops-console.log under the <RSAHOME>\imsoc\logs folder. If you see the following error, you can proceed with this knowledge base article.
javax.net.ssl.SSLHandshakeException: [Security:090488]PROTOCOL_VERSION alert received from hostname.domain.local - XX.XX.XX.XX Check that the peer supports the same level of the SSL/TLS protocol being used (SSL V3.0 and TLS V1.0); No available router to destination]
Installing patch 36 changes the SSL communication in Authentication Manager from SSLv3 to TLS 1.0 (the SSL3 and TLS1 values in the configuration files). While installing patch 36, some components' communication settings may not be upgraded properly (in this case, the Operations Console). For the second login, the Operations Console communicates with the database over port 7002. The error above states that the endpoint (port 7002) and the initiating point (the Operations Console) are using different levels of the SSL/TLS protocol. In my case, the registry value for the OC was SSL3 when it should have been upgraded to TLS1.
Note: Reverting the patches will not fix this issue.
Resolution:
Check the following files:
  1. <RSA_INSTALL_DIR>\appserver\weblogic\common\nodemanager\nodemanager.conf

      Example: Notice the line below in the nodemanager.conf file.

      #wrapper.java.additional.13 is reserved because it is used as a parameter in the registry. For example, check the key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RSAAM and the other related keys.
      wrapper.java.additional.14=-Dweblogic.security.SSL.protocolVersion=SSL3

      Replace the value SSL3 with TLS1 in the above line. Similarly, replace SSL3 with TLS1 in the configuration files below.


  2. <RSA_INSTALL_DIR>\server\config\config.xml
  3. <RSA_INSTALL_DIR>\imsoc\config\config.xml
  4. Registry entry for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSAAM_OC\Parameters (the CmdLine entry of this key)
  5. <RSA_INSTALL_DIR>\rsaam
  6. <RSA_INSTALL_DIR>\server\servers\AdminServer\data\nodemanager\startup.properties
Make sure the SSL protocol version is changed to TLS1 in all the config files: you should see the argument -Dweblogic.security.SSL.protocolVersion=TLS1 in the config files and the startup.properties file. In my case, all of them were already changed to TLS1. Prior to patch 36, you would see SSL3 instead of TLS1.
Now check the registry key for No. 4:
You should see a CmdLine entry under Parameters. Properly investigate the data for this value.
You should see the argument -Dweblogic.security.SSL.protocolVersion=SSL3. Change it to TLS1.
Save the registry and reboot the server. You should be able to log in to the secondary authentication in the Operations Console thereafter.
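As an added example (not part of this RSA article), the PowerShell audit below checks the four configuration files and the RSAAM_OC CmdLine registry value named above for the protocolVersion argument and reports any location still set to SSL3, so the mismatch can be confirmed before editing anything. The default install path is an assumption; pass -RsaInstallDir for your system. The ambiguous <RSA_INSTALL_DIR>\rsaam entry is not included.

```powershell
# Added example, not from the RSA article: audit the article's files and the
# RSAAM_OC CmdLine registry value for the WebLogic protocolVersion argument.
# Assumption: $RsaInstallDir is the Authentication Manager install root
# (the default below is a placeholder; override with -RsaInstallDir).
param(
    [string]$RsaInstallDir = 'C:\Program Files\RSA Security\RSA Authentication Manager'
)

$pattern = '-Dweblogic\.security\.SSL\.protocolVersion=(\w+)'
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RSAAM_OC\Parameters'

# The four configuration files listed in the article; the registry is checked below
$files = @(
    "$RsaInstallDir\appserver\weblogic\common\nodemanager\nodemanager.conf",
    "$RsaInstallDir\server\config\config.xml",
    "$RsaInstallDir\imsoc\config\config.xml",
    "$RsaInstallDir\server\servers\AdminServer\data\nodemanager\startup.properties"
)

function Get-ProtocolVersions([string]$Text) {
    # A file may carry the argument more than once; return every value found
    @([regex]::Matches($Text, $pattern) | ForEach-Object { $_.Groups[1].Value })
}

$findings = @(foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) {
        [pscustomobject]@{ Source = $f; Protocol = '<file not found>' }
        continue
    }
    $versions = Get-ProtocolVersions (Get-Content -LiteralPath $f -Raw)
    if ($versions.Count -eq 0) { $versions = @('<argument absent>') }
    foreach ($v in $versions) { [pscustomobject]@{ Source = $f; Protocol = $v } }
})

# Registry: the CmdLine data under the RSAAM_OC service Parameters key.
# -join copes with the value being stored as either REG_SZ or REG_MULTI_SZ.
$cmdLine = (Get-ItemProperty -Path $regPath -Name CmdLine -ErrorAction SilentlyContinue).CmdLine -join ' '
$regVersions = Get-ProtocolVersions $cmdLine
if ($regVersions.Count -eq 0) { $regVersions = @('<argument absent>') }
$findings += @(foreach ($v in $regVersions) {
    [pscustomobject]@{ Source = "$regPath\CmdLine"; Protocol = $v }
})

$findings | Format-Table -AutoSize

$stale = @($findings | Where-Object { $_.Protocol -eq 'SSL3' })
if ($stale.Count -gt 0) {
    Write-Warning "$($stale.Count) location(s) still use SSL3; change them to TLS1, then reboot the server."
    exit 1
}
Write-Host 'No location still uses SSL3.'
```

Run it from an elevated PowerShell on the Authentication Manager host before and after applying the fix; a non-zero exit code means at least one location still carries SSL3.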