Enable Strict TLS 1.2 Mode
The Payment Card Information Data Security Standard (PCI DSS) recommends using the Transport Layer Security (TLS) 1.2 cryptographic protocol for secure network communications. By default, 8.2 or later deployments use TLS 1.2, however TLS 1.0 and TLS 1.1 are also supported. supports a strict TLS mode that only uses TLS 1.2 for communication within your deployment.
You can enable and disable the strict TLS 1.2 mode. To do so, perform the following procedure on the primary instance and each replica instance. Updating the primary instance automatically updates the web tier, but restarting the web tier is required for the changes to take effect.
Before you begin
Obtain the rsaadmin operating system password for the primary instance and each replica instance.
Secure shell (SSH) must be enabled on every appliance in your deployment. For instructions, see Enable Secure Shell on the Appliance.
Procedure
Log on to the appliance with the User ID rsaadmin and the current operating system password:
On a hardware appliance, an Amazon Web Services appliance, or an Azure appliance, log on to the appliance using an SSH client.
On a VMware virtual appliance, log on to the appliance using an SSH client or the VMware vSphere client.
On a Hyper-V virtual appliance, log on to the appliance using an SSH client , the Hyper-V Virtual Machine Manager Console, or the Hyper-V Manager.
Change directories to /opt/rsa/am/utils.
Run the command. To restart all of your RSA Authentication Manager services later, you must remove restart from the following commands:
To enable strict TLS 1.2 mode, type:
./rsautil store -a enable_min_protocol_tlsv1_2 true restart
To disable strict TLS 1.2 mode so that your deployment can support TLS 1.0 and TLS 1.1, type:
./rsautil store -a enable_min_protocol_tlsv1_2 false restart
(Optional) If you decided to manually restart all of your RSA Authentication Manager services, do the following:
Change directories to /opt/rsa/am/server.
Type:
./rsaserv restart all
Repeat the steps for each Authentication Manager instance in your deployment.
After you finish
Restart the web tier.
Note: For Authentication Manager 8.6 and all subsequent patches or upgrades, you should enable Strict TLS mode again after the upgrade by following the procedure outlined above.
Note: This article is applicable only for AM 8.7 SP2 Px and lower deployments.
Related Articles
"Enable Strict TLS 1.2 Mode" changes to disabled after installing the RSA Authentication Manager 8.6 patches Number of Views Limitations of strict TLS 1.2 mode in RSA Authentication Manager 8.x Number of Views windows eventing Access Denied Error 401 Number of Views Customizing Secure Communication Number of Views After installing patches to RSA Authentication Manager 8.6, the option to enable strict TLS 1.2 mode changes to disabled. Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.7 SP2 Setup and Configuration Guide An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x
