000034885 - How to understand SSL protocols and ciphers in Authentication Manager 8.x

Document created by RSA Customer Support Employee on Feb 28, 2017Last modified by RSA Customer Support Employee on Apr 14, 2017
Version 3Show Document
  • Comment0
  • View in full screen mode

Article Content

Article Number000034885
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.1
IssueAuthentication Manager supports various SSL protocols such as TLS versions 1.1, 1.0, and 1.2, aka TLS1_0, TLS1_1 and TLS1_2 depending on the specific version of Authentication Manager, but also supports limiting or blocking some of these protocols, especially the older ones.  In Authentication Manager 8.2 RSA  also stopped support for ciphers that use RC4 algorithms.  

Customers are trying to figure out if they need to enforce strict TLS1_2 mode in order to gain support for TLSv1.2, in Authentication Manager, the Self-Service Console, on the Web Tiers, as well as with integrations with API tools like Authentication Manager Prime and Authentication Manager Integration Service (AMIS).  This would also affect SecurID software token distributions to Apple iOS devices since the new App Transport Security (ATS) feature was released in January 2017 that requires SSL connections, such as CT-KIP, to use only TLSv1.2 with SHA2 signed certificates.

Tasks

Upgrade information


  • If you need support for TLS version 1.2 SSL protocol, then upgrade to at least Authentication Manager 8.1 SP1 P3.
  • If you need to prevent SSL protocols that a less than TLSv1.2, you need to patch at least to Authentication Manager 8.1 SP1 P13 and run the strict TLS1_2 enable script.
  • If you need to prevent the use of RC4 ciphers, upgrade to at least Authentication Manager 8.2.
  • When you have Apple iOS devices that use CT-KIP and App Transport Security has been implemented, you DO NOT need strict TLS.  You only need support for TLS (and SHA2 signed certificates).  See this blog post by Jeffrey Carpenter, RSA Product Marketing Manager, entitled ATTN: RSA SecurID Customers..Apple iOS ATS Issue and What to Do About It.
 

Enabling strict TLS


You enable strict TLS when your security scan flags insecure SSL protocols and your policy dictates they must be eliminated. Beware that there are implications when you do this.  For example, older Windows clients that do not support TLSv1.2 will not work, and this could affect RSA RADIUS in Authentication Manager 8.1 SP1.  If your scan flags insecure RC4 ciphers then plan your upgrade to Authentication Manager 8.2 to address that.
 

Viewing available ciphersuites


You can see RSA ciphersuites in the opt/rsa/am/server/config/config.xml, which has a section for various servers and the biztier server which control the RSA consoles.
If you look at this server's <ssl> section, you can see a list of ciphersuites.  Older Authentication Manager 8.0 or 8.1 servers will list ciphersuites such as TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_AES_256_GCM_SHA256.
Newer Authentication Manager 8.2 servers will exclude all RC4 ciphers, and show ciphersuites such as TLS_ECDHE_WITH_AES_256_GCM_SHA384 and even TLS_RSA_WITH_AES_256_GCM_SHA256 for older browsers/clients, but not RC4, as shown:
<ssl>
<name>biztier</name>
<enabled>true</enabled>
<ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
<ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</ciphersuite>
<ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_GCM_SHA256</ciphersuite>
<ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_GCM_SHA384</ciphersuite>
<ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</ciphersuite>

 

Authentication Manager version


You can check your version of Authentication Manager two ways:
  1. On the Security Console Home tab, click Software Version Information and look at the version listed.
  2. In the Operations Console select Maintenance > Update and Rollback.  The current version is listed towards the top of the page.


Use OpenSSL to verify presence of cipher or protocol


You can also use openssl to verify if a cipher or protocol is present.  Use one of the following commands:
openssl s_client -connect 192.168.2.30:7004 -ssl3

or

openssl s_client -connect 192.168.2.30:7004 -cipher RC4-SHA
ResolutionSecure Sockets Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet.  It is based in part on asymmetric keys and the Public Key Infrastructure, PKI so that more efficient symmetric keys can securely be exchanged.
In general, and as you would expect, older protocols such as SSLv2 and SSLv3, are considered less secure or insecure.  Newer protocols, such as TLSv1.2 are considered more secure.

There are two issues here:


  1. When or in what Authentication Manager version is a protocol supported or available
  2. When and how can older protocols be prevented
SSL Versions in AM
NotesSome errors related to mismatch between SSL client and SSL server as to protocols or ciphers include the following:
ERR_SSL_PROTOCOL_ERROR
socket: Connection refused
connect:errno=111
This page can't be displayed
it is possible this site uses an unsupported protocol or cipher suite such as RC4
SSLv3 Record Layer: Alert (Level: Fatal, Description: Illegal Parameter)

 
SSL Errors

See also:


Attachments

    Outcomes