Enable Strict TLS Mode

Document created by RSA Information Design and Development on Feb 12, 2018

The most recent Payment Card Industry Data Security Standard (PCI DSS) recommends using the Transport Layer Security (TLS) 1.2 cryptographic protocol for secure network communications. By default, new RSA Authentication Manager 8.2 or later deployments use TLS 1.2, but SSL 3.0, TLS 1.0, and TLS 1.1 are supported. Authentication Manager supports a strict TLS mode that only uses TLS 1.2 for communication within your Authentication Manager deployment.

You can enable and disable the strict TLS 1.2 mode. To do so, perform the following procedure on the primary instance and each replica instance. Updating the primary instance automatically updates the web tier, but restarting the web tier is required for the changes to take effect.

Before you begin 

  • Obtain the rsaadmin operating system password for the primary instance and each replica instance.
  • Secure shell (SSH) must be enabled on every appliance in your deployment. For instructions, see Enable Secure Shell on the Appliance.

Procedure 

  1. Log on to the appliance with the User ID rsaadmin and the current operating system password:
    • On a hardware appliance or an Amazon Web Services appliance, log on to the appliance using an SSH client.
    • On a VMware virtual appliance, log on to the appliance using an SSH client or the VMware vSphere client.
    • On a Hyper-V virtual appliance, log on to the appliance using an SSH client, the Hyper-V Virtual Machine Manager Console, or the Hyper-V Manager.
  2. Change directories to /opt/rsa/am/utils.
  3. Run one of the following commands. As written, each command includes restart. To restart all of your RSA Authentication Manager services later, you must remove restart from the command:

    To enable strict TLS 1.2 mode, type:

    ./rsautil store -a enable_min_protocol_tlsv1_2 true restart

    To disable strict TLS 1.2 mode so that your deployment can support SSL 3.0, TLS 1.0, and TLS 1.1, type:

    ./rsautil store -a enable_min_protocol_tlsv1_2 false restart

  4. (Optional) If you decided to manually restart all of your RSA Authentication Manager services, do the following:
    1. Change directories to /opt/rsa/am/server.
    2. Type:

      ./rsaserv restart all

  5. Repeat the steps for each Authentication Manager instance in your deployment.

After you finish 

Restart the web tier.
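
A post-change check, added here as an example (it is not part of the RSA procedure or of RSA tooling): the script offers one protocol version at a time to an instance and reports whether strict TLS 1.2 mode is in effect. The host and port arguments are placeholders; this page does not list the TLS ports, so take them from your own deployment.

```python
import socket
import ssl
import sys
import warnings

LEGACY = ("SSLv3", "TLSv1", "TLSv1_1")  # versions the page says strict mode turns off
REQUIRED = "TLSv1_2"                    # the only version strict mode leaves enabled

def probe(host, port, version, timeout=5.0):
    """Offer only `version`; return accepted, rejected, unreachable or untestable."""
    if not getattr(ssl, "HAS_" + version):
        return "untestable"  # local OpenSSL was built without this protocol
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate checks off: only the protocol version is under test here.
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let the client offer legacy versions
            ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion[version]
    except (ValueError, ssl.SSLError):
        return "untestable"  # local policy refuses to offer this version
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
        except OSError:  # TLS alerts (ssl.SSLError) and resets during the handshake
            return "rejected"

def strict_mode_findings(results):
    """results maps version name -> probe() outcome; returns a list of problems."""
    findings = []
    if results.get(REQUIRED) != "accepted":
        findings.append(f"{REQUIRED} not accepted ({results.get(REQUIRED)})")
    for version in LEGACY:
        outcome = results.get(version)
        if outcome == "accepted":
            findings.append(f"{version} still accepted: strict mode is not in effect")
        elif outcome != "rejected":
            findings.append(f"{version} not verified ({outcome}): retest from another client")
    return findings

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])  # placeholders: instance address, TLS port
    problems = strict_mode_findings({v: probe(host, port, v) for v in LEGACY + (REQUIRED,)})
    sys.exit("\n".join(problems) or 0)  # exit status 0 only when nothing is wrong
```

A "rejected" result for a legacy version only proves something if the client can really offer that version; confirm by running the same script against an endpoint you know still accepts it.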

 

 

