000033042 - How to configure SSL Termination for load balancing RSA SecurID Access IDRs

Document created by RSA Customer Support Employee on Jun 6, 2017

Article Content

Article Number: 000033042
Applies To: RSA Product Set: SecurID Access
RSA Product/Service Type: Identity Router
RSA Version/Condition: 1.x
Issue: When using more than one IDR, a load balancer must be configured to distribute portal requests to each IDR. If such a load balancer is configured in SSL Termination mode, it must be configured to use, on its connections to the RSA SecurID Access IDRs, at least one cipher that is also supported by the IDRs.
Tasks: Check the ciphers available on your brand, model and version of load balancer, and compare them with the set of ciphers available on the IDR's portal interface in the current release of RSA SecurID Access.
Resolution: Ensure the load balancer using SSL Termination is configured to connect to the IDR with one or more of the ciphers available on the RSA SecurID Access IDR's portal interface.
If there is not at least one cipher available on both the IDR and the load balancer, check with your load balancer vendor to find out whether an upgrade or other change can be made to the load balancer to provide the required cipher support.
The ciphers supported by the IDR in RSA SecurID Access for incoming connection requests are documented in Supported Cipher Suites for the SSO Agent.
If the load balancer and the IDR's portal interface have no cipher in common, the SSL/TLS ClientHello sent by the load balancer to the IDR will be answered with a fatal alert, description 40 "handshake_failure". This alert can be seen if you trace the connection with a third-party protocol analyzer such as Wireshark, placed on the LAN segment between the load balancer and an IDR.

RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2, section 7.2.2, states that "Reception of a handshake_failure alert message indicates that the sender was unable to negotiate an acceptable set of security parameters given the options available.  This is a fatal error."
From the end user perspective, a login request to the RSA SecurID Access Portal will fail if there is no matching cipher.  Depending on how the load balancer handles this scenario, the end user's browser may hang with a spinning disk icon.
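To make the capture described above concrete, here is an added example (not from the RSA article) that decodes the two records you would see in Wireshark: the cipher_suites list offered in the load balancer's ClientHello, and the IDR's fatal handshake_failure alert. The ClientHello bytes, the alert bytes and the IDR_SUPPORTED_EXAMPLE list are constructed for illustration; the real IDR list comes from the "Supported Cipher Suites for the SSO Agent" documentation.

```python
import struct

# IANA cipher suite code points (real values) used to label the constructed samples.
SUITE_NAMES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
# Constructed stand-in for the IDR portal's cipher list (NOT the documented RSA list).
IDR_SUPPORTED_EXAMPLE = [0xC02F, 0xC030, 0x009C]
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version"}

def build_client_hello(cipher_suites):
    """Build a minimal TLS 1.2 ClientHello record (no extensions) offering the given suites."""
    body = b"\x03\x03" + bytes(32) + b"\x00"              # version, random, empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"                                    # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def client_hello_cipher_suites(record):
    """Return the cipher_suites offered in a TLS ClientHello record (content type 22)."""
    if record[0] != 22 or record[5] != 1:
        raise ValueError("not a ClientHello record")
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]               # skip session id
    (cs_len,) = struct.unpack("!H", record[pos:pos + 2])
    pos += 2
    return [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]

def parse_alert_record(record):
    """Decode a TLS alert record (content type 21), e.g. 15 03 03 00 02 02 28 from a capture."""
    content_type, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != 21 or length != 2:
        raise ValueError("not a TLS alert record")
    level, code = record[5], record[6]
    return {"level": "fatal" if level == 2 else "warning",
            "code": code, "description": ALERT_DESCRIPTIONS.get(code, "unknown")}

def common_ciphers(offered, supported):
    """Suites both sides share, in client preference order; empty means handshake_failure."""
    return [c for c in offered if c in supported]

if __name__ == "__main__":
    hello = build_client_hello([0x002F, 0x000A])           # constructed "old load balancer" offer
    offered = client_hello_cipher_suites(hello)
    print("offered:", [SUITE_NAMES[c] for c in offered])
    print("common with IDR:", common_ciphers(offered, IDR_SUPPORTED_EXAMPLE))
    print("server reply:", parse_alert_record(bytes.fromhex("15030300020228")))
```

An empty result from common_ciphers is exactly the condition under which the IDR sends the alert decoded by parse_alert_record, so comparing the two lists from a capture tells you whether a cipher change on the load balancer will fix the login failure.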

Citrix NetScaler

Older Citrix NetScaler devices may not support the ciphers used by the RSA SecurID Access v1.2 IDR portal interface.  For example, NetScaler v10.5 61.11 or later is required.  Contact Citrix to confirm cipher and version information for your device.
Notes: Additional references: