000034384 - After Microsoft Windows update and/or GPO changes, administrative users cannot login to RSA Authentication Manager 8.1 Security Console with Internet Explorer

Document created by RSA Customer Support Employee on Dec 2, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000034384
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1, 8.0
Issue

After a recent Windows update or other Security Policy change, some users are unable to log in to the Authentication Manager Security Console.  These Administrators are seeing the following error:


This page can't be displayed
Turn on TLS 1.0, TLS 1.1 and TLS 1.2 in Advanced settings and try connecting to https://fully_qualified_domain_name_of_Authentication_Manager_primary>.com again.  If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the detail), which is not considered secure.  Please contact your site administrator.

 


IE turn on TLS
CauseEither a Windows update, such as MS16-101, or a Group Policy or Security Policy change has been made which prevents browsers such as Internet Explorer and Chrome from using or supporting older HTTP transport protocols, such as SSLv3, TLSv1 and TLS v1.1, so that only TLSv1.2 is allowed.  
  • Authentication Manager 8.0, 8.1 and 8.1 SP1 base only support browser console connections with SSL v3 and TLSv1.0.
  • Authentication Manager 8.1 SP 1 patch 3 or later supports TLSv1.2.
  • Authentication Manager 8.2 no longer supports the RC4 cipher as an algorithm used in any supported HTTP protocol, including TLSv1.2.
ResolutionOne quick solution would be to enable or allow TLS version 1.  To do so,
  1. Launch Internet Explorer.
  2. Navigate to Internet Options.  
  3. Click on the Advanced tab.  
  4. Check the following options
  • Use TLS 1.0,
  • Use TLS 1.1, and
  • Use TLS 1.2.  
  1. When done, click OK.
IE_Tools_InternetOptionsAdv_TLS
 

Note:
  • Both SSL v3 and TLS version 1 will work with Authentication Manager 8.0, 8.1 and Authentication Manager 8.1 SP1.  
  • If you need TLS 1.2, then you must at minimum upgrade to Authentication Manager 8.1 SP1 patch 13 
  • If you enable strict TLS, be sure to read the caveats in the Release Notes, as some CT-KIP applications may be affected.
NotesBasically there are at least three issues concerning SSL connection protocols and ciphers with the Authentication Manager product;
  1. How to use or enable TLSv1.2 protocol (Path 1 below)
  2. How not to use or avoid using the RC4 Cipher (Path 2 below)
  3. How to allow CT-KIP soft token delivery to iPhones and other Apple devices after January 1, 2017, when Apple allows only TLS1_2 communications from devices with SHA-256 signed certificates
The short answer is to enable TLSv1.2 as a protocol upgrade to Authentication Manager 8.1 SP1 patch 3 or later; but if you also need to avoid RC4 ciphers, then upgrade to Authentication Manager 8.2 or later.  If you must only use TLSv1_2 and not allow browsers to negotiate down to SSL3, TLS1.0 or TLS1.1, then you need to upgrade to at least Authentication Manager 8.1 SP1 patch 13 and enable strict TLS mode.
  1. Upgrade to Authentication Manager 8.1 SP1 patch 3 or later to use/enable TLSv1.2 protocol (Path 1 below)
  2. Upgrade to Authentication Manager 8.2 to avoid the RC4 cipher (Path 2 below)
  3. To enable CT-KIP-based software token delivery to iPhones and other Apple devices after January 1, 2017, you need TLSv1.2, and a server SSL identity certificate signed with a SHA-256 algorithm
    1. Enable/allow TLS1_2 communication, See Path 1, below.
    2. For a SHA-256 signed server certificate, do one of the following;
       
      1. Upgrade to Authentication Manager 8.2 and request a replacement console SSL certificate with SHA-256 signed certificates, or
      2. Upgrade to Authentication Manager 8.2 to regenerate the RSA self-signed console SSL certificate to one signed with SHA-256, or
      3. If you remain at Authentication Manager 8.1 SP1 patch 3 or higher, you can replace your RSA self-signed console SSL certificate, but inform the Certificate Authority (CA) to sign the CSR  request with the SHA-256 algorithm.
       

Path 1. Upgrade to at least Authentication Manager 8.1 SP1 patch 3 or later to gain support for TLSv1.2 in the WebLogic server that supports the console and other port access


  • Upgrading OpenSSL from 0.9.8 to 1.0.x either comes in Authentication Manager 8.2 or in the Third-Party Patch 2.0 (TPP), but do not try to install it directly into the underlying SUSE Linux operating system of the RSA appliance.
  • To disable or prevent SSLv3, TLSv1.0 and TLSv1.1 connections on the Authentication Manager servers and Web Tiers, you would need to upgrade to at least Authentication Manager 8.1 SP1 patch 13 then run the Strict TLS1.2 scripts.
    • Be aware that this will affect/break RADIUS in pre-Authentication Manager 8.2 (which still only uses SSLv3 internally to create associated agent hosts for RADIUS clients) and for CT-KIP software token deployments to iPhones.  See the release notes for all details.
    • Authentication Manager 8.1 SP1 strict TLS must be run separately on Web Tiers, but in Authentication Manager 8.2, Web Tiers are automatically converted to strict TLS after upgrading the primary and replicas to strict TLS, then updating the Web Tier's status in the Authentication Manager Operations Console.

Path 2. Preventing OpenSSL (instead of WebLogic) from including RC4 may not affect the WebLogic server


RSA is investigating this because many customers are complaining about this (although Engineering points out that there is no real problem with the way this cipher is used with Authentication Manager). Customers have gone so far as creating RFC 7465 Prohibiting RC4 Cipher Suites to strike the RC4 cipher from the list of allowed ciphers.  However, there are some workarounds.
  • See 000031570 How to disable RC4 cipher on the Authentication Manager 8.1 web tier, where you edit a backup copy of the <INSTALL DIR>\server\config\config.xml and change<ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite> to <ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA</ciphersuite> or to other supported non-RC4 cipher, then restart the Authentication Manager services.  Note that this workaround only lasts until you patch the Web Tier.
  • A similar approach could possibly be taken on the primary or replica servers.  KB 000031570 is either a variation on, or simply similar to 000028965 How to configure AES ciphers for the RSA Authentication Manager 8.1 Security Console.  The server part of this article is pretty much the same as 000031570 (that is, navigate to /opt/rsa/am/server/config/config.xml and change the RC4 cipher to something else).  At the time we tried TLS_RSA_WITH_AES_128_GCM_SHA256, the only problem was that the AES cipher was probably less secure than the RC4 cipher previously used, so we have not recommended this workaround since.
If you look at the config.xml file in Authentication Manager 8.2, there is no mention of RC4 ciphers.  The recommended course of action is to upgrade Authentication Manager servers to 8.2 to avoid RC4.

Attachments

    Outcomes