How to close ports used by the RSA Authentication Agent to block SSLv3 communication to RSA Authentication Manager 8.x
Originally Published: 2016-08-20
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1 P13 or later
Issue
Port 5550/TCP: Used for communication with authentication agents that are attempting to register with Authentication Manager.
Port 5580/TCP: Used to receive requests for additional offline authentication data, and send the offline data to agents. Also used to update server lists on agents.
Some vulnerability scanners report that these ports are susceptible to SSLv3 vulnerabilities.
To pass compliance audits, customers have been required to close those ports.
Resolution
- Log on to the Authentication Manager primary using an SSH client or a direct console connection.
- Change to the root user with sudo.
- Enter the following commands to close the two agent ports:
sudo su root
/opt/rsa/am/utils/bin/appliance/configureFirewall.sh close rsaserv-aps inet,tcp,5580 inet,tcp,5550
To reopen the ports later, run the same script with open instead of close:
/opt/rsa/am/utils/bin/appliance/configureFirewall.sh open rsaserv-aps inet,tcp,5580 inet,tcp,5550
- Repeat steps 1 - 3 for each RSA Authentication Manager server in your deployment.
To verify the result, use openssl s_client with the -ssl3 option against each port. If the ports are closed, the connection attempt fails:
C:\OpenSSL-Win64\bin>openssl.exe s_client -connect <IP Address>:5500 -ssl3
connect: No such file or directory
connect:errno=0
C:\OpenSSL-Win64\bin>openssl.exe s_client -connect <IP Address>:5580 -ssl3
connect: No such file or directory
connect:errno=0
If they are open, they return the server certificate information:
C:\OpenSSL-Win64\bin>openssl.exe s_client -connect <IP Address>:5580 -ssl3
CONNECTED(000000E8)
6872:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1471661883
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Warning: Do not close the ports if these features are essential to your deployment.
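The manual openssl checks above are easy to misread, especially because a modern openssl build may not support -ssl3 at all and fails without ever touching the server. The following POSIX shell script is an added example, not part of the RSA article, that probes ports 5550 and 5580 on a given host and classifies each result as closed, open-but-SSLv3-rejected, open-and-SSLv3-accepted, or inconclusive because the local client cannot speak SSLv3. It assumes openssl is on the PATH; the host name is supplied as the first argument.

```shell
#!/bin/sh
# Added example: classify "openssl s_client -ssl3" probes against the
# RSA agent ports. Assumes openssl is on PATH. Not RSA's own tooling.

# classify_probe OUTPUT
# Prints one of:
#   client_unsupported : local openssl lacks SSLv3, result is inconclusive
#   sslv3_accepted     : TCP connect succeeded and a certificate came back
#   sslv3_rejected     : TCP connect succeeded but no SSLv3 session was set up
#   closed             : TCP connect failed (port blocked by the firewall)
classify_probe() {
    out=$1
    case "$out" in
        *"nknown option"*|*"null ssl method"*)
            echo client_unsupported ;;
        *"BEGIN CERTIFICATE"*)
            echo sslv3_accepted ;;
        *"CONNECTED("*)
            # e.g. "wrong version number" or "no peer certificate available"
            echo sslv3_rejected ;;
        *)
            echo closed ;;
    esac
}

# probe_port HOST PORT
# Runs the probe and prints the classification. stdin is closed so that
# s_client exits as soon as the handshake attempt finishes.
probe_port() {
    host=$1
    port=$2
    out=$(openssl s_client -connect "$host:$port" -ssl3 </dev/null 2>&1) || true
    classify_probe "$out"
}

# Usage: ./probe_agent_ports.sh <authentication-manager-host>
if [ -n "${1:-}" ]; then
    for p in 5550 5580; do
        echo "$1:$p $(probe_port "$1" "$p")"
    done
fi
```

A result of client_unsupported means the scan says nothing about the server; rerun it from a host whose openssl was built with SSLv3 enabled, or rely on the vulnerability scanner's own check. The sample outputs in the test below are constructed from the transcripts shown in this article.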