Original Advisory published on 7/5/2016: https://community.rsa.com/docs/DOC-53382
Second Advisory published on 8/31/2016: https://community.rsa.com/docs/DOC-58549
RSA would like to remind customers utilizing the Software Token for iOS® and dynamic seed provisioning (CT-KIP) to prepare their entire RSA Authentication Manager CT-KIP provisioning infrastructure for iOS App Transport Security (ATS) by January 1, 2017.
Apple has announced that beginning January 1, 2017, all new and updated iOS apps submitted to the App Store must have ATS enabled by default. RSA customers utilizing the Software Token for iOS and provisioning tokens using CT-KIP are strongly advised to prepare their entire Authentication Manager CT-KIP provisioning infrastructure from end-to-end to be ATS compliant by that deadline. Any Software Token for iOS updates (bug fixes or feature enhancements) released by RSA in 2017 will have ATS enabled and RSA can no longer disable it. RSA will only make available and support the latest version of the iOS app on the Apple App Store. RSA does not make older versions of the app available for download.
The ATS feature requires network communication using Transport Layer Security (TLS) protocol version 1.2 or later with forward secrecy ciphers and certificates that are signed using a SHA-256 or later signature algorithm. For more information on ATS, go to https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html and see the "Requirements for Connecting Using ATS" section.
Note the following:
- RSA Authentication Manager 7.1 does not support the required TLS encryption version, and you must upgrade to the latest version of Authentication Manager.
- RSA Authentication Manager 8.1 customers are required to install patch 12 or later as earlier versions do not support the required TLS encryption version.
- For RSA Authentication Manager 8.x, if the SSL console certificate that secures your CT-KIP connections does not use SHA-256 or better, then you must replace it. For instructions, see "Replacing the Console Certificate" in Chapter 7, "Administering RSA Authentication Manager" in the RSA Authentication Manager Administrator’s Guide. The Administrator's Guide and specific section referenced can be found at the following locations:
- Your entire Authentication Manager CT-KIP provisioning infrastructure must be ATS compliant. Non-compliant network appliances, such as firewalls and load balancers, might prevent CT-KIP provisioning requests from reaching the RSA Authentication Manager CT-KIP server. These non-compliant appliances may require a simple SSL certificate replacement or more complicated firmware upgrades to achieve compliance. Please contact your appliance vendor for further assistance in ensuring that your appliances are ATS compliant.
You may also use free online SSL server tests such as https://www.ssllabs.com/ssltest/index.html to test your end-point server and see where it stands as compared to the requirements set by Apple.
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.