| Section | Details |
|---|---|
| Applies To | RSA Product Set: SecurID Access<br>RSA Product/Service Type: Identity Router<br>RSA Version/Condition: 1.x |
| Issue | When more than one IDR is used, a load balancer must be configured to distribute portal requests across the IDRs. If that load balancer runs in SSL Termination mode, it must use at least one cipher on its connections to the RSA SecurID Access IDRs that the IDRs also support. |
| Tasks | Check the ciphers available on your brand, model and version of load balancer, and compare that set to the ciphers available on the IDR's portal interface in the current release of RSA SecurID Access. |
| Resolution | Ensure the load balancer using SSL Termination is configured to connect to the IDR with one or more of the ciphers available on the RSA SecurID Access IDR's portal interface.<br><br>If there is not at least one cipher available on both the IDR and the load balancer, check with your load balancer vendor whether an upgrade or other change can be made to the load balancer to provide the required cipher support.<br><br>The ciphers supported by the IDR in RSA SecurID Access for incoming connection requests are documented in Supported Cipher Suites for the SSO Agent.<br><br>If the load balancer and the IDR's portal interface have no cipher in common, the SSL/TLS ClientHello sent by the load balancer to the IDR is answered with a fatal alert 40, "handshake_failure". This alert can be seen by tracing the connection with a third-party protocol analyzer such as Wireshark placed on the LAN segment between the load balancer and an IDR.<br><br>RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2, section 7.2.2, states that "Reception of a handshake_failure alert message indicates that the sender was unable to negotiate an acceptable set of security parameters given the options available. This is a fatal error."<br><br>Older Citrix NetScaler devices may not support the ciphers used by the RSA SecurID Access v1.2 IDR portal interface. For example, NetScaler v10.5 61.11 or later is required. Contact Citrix to confirm cipher and version information for your device. |
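The two checks described above (compare the two cipher lists, then confirm the handshake_failure alert in a trace) can be automated. The script below is an added example, not RSA's or Citrix's code: it decodes a captured TLS alert record so the fatal/40 pair is named the way Wireshark names it, intersects a load balancer's cipher list with the IDR portal's list while normalising OpenSSL-style names to IANA names (vendor documents use both), and optionally probes a host one cipher at a time to reproduce the refusal. The cipher lists, the sample alert bytes and the small OpenSSL-to-IANA table are constructed for illustration; the real IDR list must come from the Supported Cipher Suites for the SSO Agent document.

```python
"""Added example (not RSA code): diagnose a load balancer / IDR cipher mismatch."""
import socket
import ssl

TLS_ALERT_CONTENT_TYPE = 21  # RFC 5246 ContentType.alert
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of RFC 5246 section 7.2 AlertDescription values (assumption: only the
# ones relevant to negotiation problems are listed here).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    42: "bad_certificate", 70: "protocol_version", 71: "insufficient_security",
}

# OpenSSL cipher name -> IANA cipher suite name for a few common suites.
# Assumption: illustrative table only; extend it from the IANA TLS registry.
OPENSSL_TO_IANA = {
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-RSA-AES128-SHA": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "DHE-RSA-AES128-SHA": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
}


def decode_tls_alert(record: bytes) -> dict:
    """Decode one raw TLS record (as captured on the wire) and name the alert.

    Layout: content_type(1) version(2) length(2) level(1) description(1).
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type = record[0]
    version = (record[1], record[2])
    length = int.from_bytes(record[3:5], "big")
    if content_type != TLS_ALERT_CONTENT_TYPE:
        raise ValueError(f"not an alert record (content type {content_type})")
    if length != 2 or len(record) < 7:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = record[5], record[6]
    return {
        "version": version,
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
        "fatal": level == 2,
    }


def to_iana(name: str) -> str:
    """Map an OpenSSL-style name to its IANA name; IANA names pass through."""
    n = name.strip().upper()
    return n if n.startswith("TLS_") else OPENSSL_TO_IANA.get(n, n)


def common_ciphers(lb_ciphers, idr_ciphers):
    """Return the IANA names both sides support, in the IDR's preference order.

    An empty result is exactly the condition that produces handshake_failure.
    """
    lb = {to_iana(c) for c in lb_ciphers}
    return [to_iana(c) for c in idr_ciphers if to_iana(c) in lb]


def probe_cipher(host: str, port: int, openssl_cipher: str, timeout: float = 5.0) -> bool:
    """Live check: does host:port complete a TLS 1.2 handshake with this one cipher?

    Returns False when the server refuses (the handshake_failure case). Needs
    network access; not exercised by the offline demo below.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # keep TLS 1.3 suites out of play
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # certificate trust is not what is being tested
    try:
        ctx.set_ciphers(openssl_cipher)
    except ssl.SSLError as exc:
        raise ValueError(f"local OpenSSL does not know {openssl_cipher}: {exc}") from exc
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    # Constructed sample: the 7-byte record a trace shows when the IDR rejects
    # the ClientHello: type 0x15 (alert), TLS 1.2, length 2, fatal (2), 40.
    print(decode_tls_alert(bytes.fromhex("15030300020228")))
    lb = ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]  # constructed LB list
    idr = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",     # constructed placeholder,
           "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]     # not the real IDR list
    print("common:", common_ciphers(lb, idr) or "NONE - expect handshake_failure")
```

Run `common_ciphers()` with the load balancer's configured list and the list from the RSA cipher suite document before changing anything; if it returns nothing, the trace will show the fatal alert 40 that `decode_tls_alert()` names, and `probe_cipher()` can confirm which single cipher the IDR accepts from a test host on the same LAN segment.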