Applies To
  RSA Product Set: Adaptive Authentication (OnPrem)
  RSA Product/Service Type: Back Office
  RSA Version/Condition: 7.1 P6
  Apache Tomcat: 6.0.53
  MSSQL: 2008 R2
  Windows: 2012 R2

Issue
  The customer had stopped using TLS v1 and v1.1 and was only using TLS v1.2. At that point they were unable to reach and display the RSA Adaptive Authentication (On-Premise) Back Office web page over HTTPS.
  After turning on the option -Djavax.net.debug=SSL in the Tomcat Java Options tab, we were able to see the following in the Tomcat stdout log:

Resolution
  - Since this was Windows Server 2012, we checked and confirmed that the registry keys associated with TLS appear to be set correctly.
  - Confirmed MSSQL version 10.50.6560.0 is greater than the minimum MSSQL version that supports TLS v1.2, which is 10.50.6542.0.
  - Confirmed Tomcat server.xml is specifying TLSv1.2 in the connector:
  - Confirmed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files are in place.
  - Set the following in the Java Options tab under Tomcat:
  - Generated an RSA key pair and self-signed certificate in a Java keystore (keytool -genkey) with the following command:
      "%JAVA_HOME%\bin\keytool" -genkey -keyalg RSA -alias localhost -keystore "C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\tomcat_keystore.jks" -storepass changeit -validity 360 -keysize 2048
  Once all of these were in place, the customer was able to use HTTPS and display the Back Office web page (e.g. https://localhost:8443/backoffice), and we were able to see the SSL handshake and data transmission take place with TLS v1.2.
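The two checks in the resolution that can be automated offline are the server.xml connector review and the MSSQL version comparison. The script below is an added example, not RSA's or the customer's code: it parses a constructed server.xml fragment (not the customer's file) containing one HTTPS connector that still allows TLSv1 and TLSv1.1 beside one restricted to TLSv1.2, reports each SSL-enabled connector's findings, and compares an MSSQL build string against the 10.50.6542.0 minimum quoted above. It assumes the JSSE connector attribute sslEnabledProtocols is the one carrying the protocol list.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not the customer's file): the 8443
# connector still enables TLSv1 and TLSv1.1, the 8444 connector is TLSv1.2-only,
# and 8080 is plain HTTP and should be ignored by the check.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               keystoreFile="conf/tomcat_keystore.jks" keystorePass="changeit"/>
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
               keystoreFile="conf/tomcat_keystore.jks" keystorePass="changeit"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

# Protocol names as written in the connector attribute; anything older than
# TLSv1.2 is treated as a finding.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
REQUIRED_PROTOCOL = "TLSv1.2"

# Minimum MSSQL build with TLS 1.2 support, as stated in the resolution.
MIN_MSSQL_TLS12 = "10.50.6542.0"


def check_connectors(server_xml: str) -> dict:
    """Return {port: [findings]} for every SSLEnabled connector.

    An empty findings list means the connector is TLSv1.2-only and has a
    keystore configured; plain HTTP connectors are skipped entirely.
    """
    root = ET.fromstring(server_xml)
    findings = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        problems = []
        raw = conn.get("sslEnabledProtocols")
        if raw is None:
            # With no explicit list the JVM default set applies, which on
            # older JREs still includes TLSv1 and TLSv1.1.
            problems.append("sslEnabledProtocols not set; JVM default applies")
        else:
            enabled = {p.strip() for p in raw.split(",") if p.strip()}
            if REQUIRED_PROTOCOL not in enabled:
                problems.append(f"{REQUIRED_PROTOCOL} not enabled")
            legacy = sorted(enabled & LEGACY_PROTOCOLS)
            if legacy:
                problems.append("legacy protocols still enabled: " + ", ".join(legacy))
        if not conn.get("keystoreFile"):
            problems.append("keystoreFile not set")
        findings[conn.get("port")] = problems
    return findings


def parse_version(version: str) -> tuple:
    """Turn '10.50.6560.0' into (10, 50, 6560, 0) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def mssql_supports_tls12(version: str) -> bool:
    """True when the MSSQL build is at or above the TLS 1.2 minimum."""
    return parse_version(version) >= parse_version(MIN_MSSQL_TLS12)


if __name__ == "__main__":
    for port, problems in check_connectors(SERVER_XML).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"connector {port}: {status}")
    print("MSSQL 10.50.6560.0 supports TLS 1.2:", mssql_supports_tls12("10.50.6560.0"))
```

Comparing versions as integer tuples matters here: a plain string comparison would rank "10.50.6560.0" below "10.50.7000.0" correctly but would also rank "9.0.0.0" above "10.50.6542.0", which is exactly the kind of mistake that makes a patch-level check pass when it should fail.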