Original Advisory published on 7/5/2016: https://community.rsa.com/docs/DOC-53382
RSA would like to remind customers utilizing the Software Token for iOS® and dynamic seed provisioning (CT-KIP) to prepare their entire RSA Authentication Manager CT-KIP provisioning infrastructure for iOS App Transport Security (ATS) by January 1, 2017.
Apple has announced that beginning January 1, 2017, all new and updated iOS apps submitted to the App Store must have ATS enabled by default. RSA customers utilizing the Software Token for iOS and provisioning tokens using CT-KIP are strongly advised to prepare their entire Authentication Manager CT-KIP provisioning infrastructure from end-to-end to be ATS compliant by that deadline. Any Software Token for iOS updates (bug fixes or feature enhancements) released by RSA in 2017 will have ATS enabled and RSA can no longer disable it. RSA will only make available and support the latest version of the iOS app on the Apple App Store. RSA does not make older versions of the app available for download.
The ATS feature requires network communication using Transport Layer Security (TLS) protocol version 1.2 or later with forward secrecy ciphers and certificates that are signed using a SHA-256 or later signature algorithm.
Note the following:
- RSA Authentication Manager 7.1 does not support the required TLS encryption version, and you must upgrade to the latest version of Authentication Manager.
- For RSA Authentication Manager 8.x, if the SSL console certificate that secures your CT-KIP connections does not use SHA-256 or better,then you must replace it. For instructions, see "Replacing the Console Certificate" in Chapter 7, "Administering RSA Authentication Manager" in the RSA Authentication Manager Administrator’s Guide.
- Your entire Authentication Manager CT-KIP provisioning infrastructure must be ATS compliant. Non-compliant network appliances, such as firewalls and load balancers, might prevent CT-KIP provisioning requests from reaching the RSA Authentication Manager CT-KIP server. These non-compliant appliances may require a simple SSL certificate replacement or more complicated firmware upgrades to achieve compliance. Please contact your appliance vendor for further assistance in ensuring that your appliances are ATS compliant.
For more information on ATS, go to https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html and see the "Requirements for Connecting Using ATS" section.
RSA Link: For product information, access to downloads, support and documentation, join RSA Link at support.rsa.com Each product has its own space that is your one stop for product support.
Note: In order to provide the best online support experience possible, we are moving all product support to RSA Link. To continue receiving product notifications, access to product downloads and documentation, please log into RSA Link with the same user name and password you use today for SecurCare Online (SCOL) and you will be added to RSA Link product advisories. ]
For additional documentation, downloads, and more, visit the [RSA SecurID] page on RSA Link.
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.