|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2
|Issue||The most recent Payment Card Information Data Security Standard (PCI DSS) recommends using the Transport Layer Security (TLS) 1.2 cryptographic protocol for secure network communications. RSA Authentication Manager supports a strict TLS mode that only uses TLS 1.2 for communication within your Authentication Manager deployment.|
By default, new RSA Authentication Manager 8.2 deployments use TLS 1.2. RSA Authentication Manager 8.1 Service Pack 1 (SP1) Patch 13 or later includes a TLS 1.2 Mode Update. If you applied the TLS 1.2 Mode Update to your SP1 deployment, then your upgraded version 8.2 deployment uses TLS 1.2. If you did not apply the TLS 1.2 Mode Update, then your upgraded version 8.2 deployment uses SSL 3.0, TLS 1.0, and TLS 1.1.
When Authentication Manager 8.2 uses strict TLS 1.2 mode, trusted realm authentication is only available with RSA Authentication Manager 8.1 Service Pack 1 (SP1) Patch 13 or later realms, in which you have applied the TLS 1.2 Mode Update. Disabling TLS 1.2 mode allows trusted realm authentication between Authentication Manager 8.2 and earlier versions of Authentication Manager that do not use TLS 1.2.
You can enable and disable the strict TLS 1.2 mode in Authentication Manager 8.2. To do so, perform the following procedure on the primary instance and each replica instance. Updating the primary instance automatically updates the web tier, but restarting the web tier is required for the changes to take effect.
|Tasks||This article addresses how to enable TLS 1.2 mode in RSA Authentication Manager 8.2 so that connections cannot be negotiated down to SSLv3, TLS 1.0, or TLS 1.1.|
|Resolution||To enable or disable strict TLS 1.2, follow the steps below: |
|Notes||Refer to the article entitled "What are the limitations of strict TLS 1.2 mode in RSA Authentication Manager 8.2?" for more information.|
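
One way to confirm the result of the change from an administrator workstation is to offer each protocol version on its own and record which ones the instance accepts. This is an added example, not RSA code or part of the original article. The names `probe` and `assess` are hypothetical, and the host and port are assumptions supplied by the operator because the article does not list them.

```python
import socket
import ssl
import sys

# Protocol versions named in the article: three legacy ones plus TLS 1.2.
VERSIONS = {"SSLv3": ssl.TLSVersion.SSLv3, "TLSv1.0": ssl.TLSVersion.TLSv1,
            "TLSv1.1": ssl.TLSVersion.TLSv1_1, "TLSv1.2": ssl.TLSVersion.TLSv1_2}
# OpenSSL reason codes meaning the local client, not the server, ruled the version out.
LOCAL_LIMITS = ("NO_PROTOCOLS_AVAILABLE", "NO_CIPHERS_AVAILABLE")

def probe(host, port, version, timeout=5.0):
    """Offer exactly one version; return accepted, refused, unsupported or unreachable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only the protocol version is under test,
    ctx.verify_mode = ssl.CERT_NONE  # not the certificate chain
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # allow the local OpenSSL to offer legacy versions
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "unsupported"         # this OpenSSL build cannot offer the version at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
    except ssl.SSLError as exc:
        return "unsupported" if exc.reason in LOCAL_LIMITS else "refused"
    except ConnectionResetError:
        return "refused"             # some servers drop the connection instead of alerting
    except OSError:
        return "unreachable"

def assess(results):
    """Strict mode holds only if TLS 1.2 is accepted and every legacy version is refused."""
    legacy = sorted(v for v, r in results.items() if v != "TLSv1.2" and r == "accepted")
    untested = sorted(v for v, r in results.items() if r in ("unsupported", "unreachable"))
    if legacy:
        return "NOT STRICT: accepts " + ", ".join(legacy)
    if results.get("TLSv1.2") != "accepted":
        return "INCONCLUSIVE: TLS 1.2 was not accepted"
    if untested:
        return "INCONCLUSIVE: could not test " + ", ".join(untested)
    return "STRICT: only TLS 1.2 accepted"

if __name__ == "__main__":
    # Usage: python check_tls.py <host> <port>  (both supplied by the operator)
    host, port = sys.argv[1], int(sys.argv[2])
    results = {name: probe(host, port, v) for name, v in VERSIONS.items()}
    for name, outcome in results.items():
        print(f"{name:8} {outcome}")
    print(assess(results))
```

Run it against the primary instance, each replica instance, and the web tier after its restart. An "unsupported" result means the local OpenSSL build could not offer that version, so repeat the check from a client that can.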