Customizing TLS Protocol Version

TLS 1.3 as the Minimum Protocol Version

Starting from version 8.8, RSA Authentication Manager (AM) supports TLS 1.3 for secure network communication. Administrators can configure TLS 1.3 as the minimum TLS version for communication with peer systems. To ensure successful communication, the peer systems should also support TLS 1.3; otherwise, the communication will fail. Once you configure TLS 1.3 as the minimum version, AM will use only TLS 1.3 for network communication.

You can enable TLS 1.3 as the minimum version for:

  • Inbound traffic only: Refers to all incoming communication from consoles, REST authentication, admin SDK, and so on.

  • Outbound traffic only: Refers to all communication that goes out of the AM appliance. For example, cross-trust, LDAP, SMS, and SMTPS.

  • Both inbound and outbound traffic

Deprecated Components

The following deprecated agents do not support TLS 1.3. These agents continue to use TLS 1.2 for secure communication, and the procedure to enable TLS 1.3 as the minimum version does not affect them.

  • RSA Authentication Agent 7.4.x for Microsoft Windows

  • RSA Authentication Agent 8.0.x for Web for IIS

  • Custom Agent built using RSA Authentication Agent API 8.x for Java and C

Caution: Do not enable TLS 1.3 as the minimum version if:

  • Your deployment is a J2C hybrid deployment.

  • Your AM deployments have a cross-trust relationship with AM 8.7.x deployments.

Enable Strict TLS 1.3 as the Minimum Version

Configuring TLS 1.3 as the minimum TLS protocol version on the primary instance automatically updates the replicas and the web tier. However, you must restart all AM services on each instance and web tier for the changes to take effect.

Before you begin

Before enabling TLS 1.3 as the minimum version, ensure the following:

  • Obtain the rsaadmin operating system password for the primary instance and each replica instance.

  • Secure shell (SSH) must be enabled on every appliance in your deployment. For instructions, see Enable Secure Shell on the Appliance.

  • Obtain the super admin credential.

  • Ensure that the primary and replica instances are in a healthy state and replication is working.

  • If web tier is part of the deployment, ensure that the web tier's status is online in the primary instance.

Procedure 

  1. Log on to the primary instance appliance using an SSH client. For details, see Log On to the Appliance Operating System with SSH.

  2. Change directory to /opt/rsa/am/utils.

  3. To set TLS 1.3 as the minimum SSL protocol, run one of the following commands. When prompted, enter the super admin credentials for the Security Console.

    1. For inbound traffic only, type:

      rsautil manage-ssl-configuration --set-min-tls-protocol TLSv1.3 inbound

    2. For outbound traffic only, type:

      rsautil manage-ssl-configuration --set-min-tls-protocol TLSv1.3 outbound

    3. For both inbound and outbound traffic, type:

      rsautil manage-ssl-configuration --set-min-tls-protocol TLSv1.3 both

    4. To revert to TLS 1.2 as the minimum version, replace TLSv1.3 with TLSv1.2. For example, to set TLSv1.2 as the minimum SSL protocol for both inbound and outbound traffic, type:

      rsautil manage-ssl-configuration --set-min-tls-protocol TLSv1.2 both

  4. Restart all the RSA Authentication Manager services as follows and repeat this step for each replica in your deployment:

    1. Change directory to /opt/rsa/am/server.

    2. Run the command ./rsaserv restart all.

  5. Repeat step 4 for each of the replica instances in your deployment.

  6. Restart RSA Webtier Bootstrapper Server services for each of the Authentication Manager Web Tier instances in your deployment.

Note: Configuration data is saved in the backup files and will be restored if you restore the AM instance backup.

Optional: To view the configured minimum TLS protocol version in your AM deployment, run the following command. When prompted, enter your password.

rsautil manage-ssl-configuration --view-min-tls-protocol -u <sc_admin_username>
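An added verification script, not part of the RSA documentation, for confirming from a peer system that an inbound-facing AM port refuses a TLS 1.2-only client and accepts a TLS 1.3-only client once the change has been applied and the services restarted. The host name and port in the example are assumptions to replace with your own console or API endpoint; certificate verification is switched off on purpose because the probe tests only protocol negotiation, not trust.

```python
import socket
import ssl

TLS12 = ssl.TLSVersion.TLSv1_2
TLS13 = ssl.TLSVersion.TLSv1_3

def probe_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context pinned to exactly one protocol version.

    Certificate verification is off on purpose: the probe asks only whether
    the server negotiates this version, not whether its certificate is trusted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def handshake_succeeds(host: str, port: int, version: ssl.TLSVersion,
                       timeout: float = 5.0) -> bool:
    """True when a full handshake at the given version completes with host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with probe_context(version).wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        # A version the server refuses ends in an SSLError ("unsupported protocol",
        # "protocol version"); a closed or unreachable port ends in an OSError.
        return False

def verdict(tls12_ok: bool, tls13_ok: bool) -> str:
    """Interpret the pair of probe results for one port."""
    if tls13_ok and not tls12_ok:
        return "strict TLS 1.3 enforced: TLS 1.2 refused, TLS 1.3 accepted"
    if tls13_ok and tls12_ok:
        return "TLS 1.2 still accepted: minimum version not enforced on this port"
    if tls12_ok:
        return "TLS 1.3 not negotiable on this port: check the service restart"
    return "no handshake at all: check connectivity, the port and the service status"

def check_inbound(host: str, port: int) -> str:
    """Probe TLS 1.2 and TLS 1.3 separately and return the verdict."""
    return verdict(handshake_succeeds(host, port, TLS12),
                   handshake_succeeds(host, port, TLS13))

if __name__ == "__main__":
    # Placeholder host and port (assumptions); use your console or API endpoint.
    print(check_inbound("am-primary.example.test", 443))
```

Run it once per inbound-facing port after the restart in step 4; only the first verdict line means the strict setting is in effect on that port.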

Freeradius Services

Procedure 

  1. Log on to the Operations Console on the Authentication Manager primary instance.

  2. Click Deployment Configuration > RADIUS Servers.

  3. If prompted, enter the super admin User ID and password, and click OK.

  4. Select the RADIUS server that you want to update, and select Manage Server Files from the context menu.

  5. On the Manage Server Files page, select the eap file, and select Edit from the context menu.

  6. In the text field, search for tls_min_version and change the value to 1.3.

  7. Click Save and restart the RADIUS Server for the changes to take effect.

  8. Repeat steps 4 to 7 for all the RADIUS servers.

Note: Configuration data is saved in the backup files and will be restored if you restore the AM instance backup.

Revert to TLS 1.2: To revert to TLS 1.2 as the minimum version, repeat the steps mentioned in the above procedure but change the value of tls_min_version to 1.2 in step 6.


PGSQL Services

Procedure 

  1. Log on to the primary instance appliance with the User ID rsaadmin and the current operating system password.

  2. Change directory to /opt/rsa/am/rsapgdata.

  3. Edit the file /opt/rsa/am/rsapgdata/postgresql.conf.

  4. Add the following entry at the end of the file.

    ssl_min_protocol_version = 'TLSv1.3'

  5. Restart the RSA Database Server service.

Note: Configuration data is saved in the backup files and will be restored if you restore the AM instance backup.

Revert to TLS 1.2: To revert to TLS 1.2 as the minimum version, repeat the steps mentioned in the above procedure but remove the ssl_min_protocol_version configuration mentioned in step 5 instead of adding it.


Remote Syslog Service

The following procedure applies only if AM has been configured for the remote syslog service. For more information on remote syslog configuration, see Configure the Remote Syslog Host for Real Time Log Monitoring.

Procedure 

  1. Log on to each Authentication Manager instance appliance with the User ID rsaadmin and the current operating system password.

  2. Switch to the root user, and edit /etc/rsyslog.d/remote.conf.

  3. Update gnutlsprioritystring as mentioned below.

    gnutlsprioritystring="NORMAL:+VERS-TLS1.3:-VERS-TLS1.2"

  4. To restart the remote syslog service, run service rsyslog restart.

  5. To check the status of remote syslog service, run service rsyslog status.

Note: Syslog configuration data is not saved in the backup files. If you restore the AM instance, you must reconfigure the remote syslog.

Revert to TLS 1.2: To revert to TLS 1.2 as the minimum version, repeat the steps mentioned in the above procedure with gnutlsprioritystring as mentioned below.

    gnutlsprioritystring="NORMAL:+VERS-TLS1.3"
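An added helper, not part of the RSA documentation, that applies and reverts the three file edits above (postgresql.conf, the RADIUS eap file and rsyslog remote.conf) idempotently: it rewrites an existing active assignment in place, appends one at the end of the file if none exists, leaves commented-out defaults alone, and can remove the entry again for the postgresql.conf revert. The file fragments are constructed samples, and the quoting of tls_min_version in the eap file is an assumption.

```python
import re
from typing import Optional

def _assignment(key: str) -> re.Pattern:
    # An active (uncommented) "key = value" line; group 1 preserves indentation.
    return re.compile(rf"^([ \t]*){re.escape(key)}[ \t]*=[^\n]*$", re.MULTILINE)

def set_setting(text: str, key: str, value: str, sep: str = " = ") -> str:
    """Set key to value: rewrite the first active assignment in place,
    otherwise append one line at the end of the file (postgresql.conf step 4)."""
    new_line = f"{key}{sep}{value}"
    pat = _assignment(key)
    if pat.search(text):
        return pat.sub(lambda m: m.group(1) + new_line, text, count=1)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + new_line + "\n"

def remove_setting(text: str, key: str) -> str:
    """Delete every active assignment of key (the postgresql.conf revert)."""
    return re.sub(rf"^[ \t]*{re.escape(key)}[ \t]*=[^\n]*\n?", "", text, flags=re.MULTILINE)

def get_setting(text: str, key: str) -> Optional[str]:
    """Value of the first active assignment of key, or None if absent."""
    m = re.search(rf"^[ \t]*{re.escape(key)}[ \t]*=[ \t]*([^\n]*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

# Constructed file fragments for the demo; not copied from an appliance.
PG_SAMPLE = "ssl = on\n#ssl_min_protocol_version = 'TLSv1.2'\n"
SYSLOG_SAMPLE = ('action(type="omfwd" target="loghost.example.test" protocol="tcp"\n'
                 '       gnutlsprioritystring="NORMAL:+VERS-TLS1.3"\n'
                 '       StreamDriver="gtls")\n')
EAP_SAMPLE = 'tls-config tls-common {\n\ttls_min_version = "1.2"\n}\n'  # quoting assumed

PG_KEY, EAP_KEY, SYSLOG_KEY = "ssl_min_protocol_version", "tls_min_version", "gnutlsprioritystring"
STRICT13 = '"NORMAL:+VERS-TLS1.3:-VERS-TLS1.2"'   # page's value: TLS 1.3 only
ALLOW12 = '"NORMAL:+VERS-TLS1.3"'                  # page's revert value

def enable_tls13(pg: str, eap: str, syslog: str) -> tuple:
    """Apply the three edits; calling it twice yields the same files."""
    return (set_setting(pg, PG_KEY, "'TLSv1.3'"),
            set_setting(eap, EAP_KEY, '"1.3"'),
            set_setting(syslog, SYSLOG_KEY, STRICT13, sep="="))

def revert_tls12(pg: str, eap: str, syslog: str) -> tuple:
    """Undo the edits: the postgresql.conf entry is removed, the others rewritten."""
    return (remove_setting(pg, PG_KEY),
            set_setting(eap, EAP_KEY, '"1.2"'),
            set_setting(syslog, SYSLOG_KEY, ALLOW12, sep="="))
```

Read each file, pass its text through enable_tls13 or revert_tls12, write it back, then restart the service named in the corresponding procedure.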