How to close ports used by the RSA Authentication Agent to block SSLv3 communication to RSA Authentication Manager 8.x
Originally Published: 2016-08-20
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1 P13 or later
Issue
Port 5550/TCP: Used for communication with authentication agents that are attempting to register with Authentication Manager.
Port 5580/TCP: Used to receive requests for additional offline authentication data, and send the offline data to agents. Also used to update server lists on agents.
Some vulnerability scanners report that these ports are susceptible to SSLv3 vulnerabilities.
To pass compliance audits, customers have been required to close those ports.
Resolution
1. Log on to the Authentication Manager primary with an SSH client or a direct console connection.
2. Change to the root user with sudo:
   sudo su root
3. Run the appliance firewall script to close both agent ports:
   /opt/rsa/am/utils/bin/appliance/configureFirewall.sh close rsaserv-aps inet,tcp,5580 inet,tcp,5550
   To reopen them later (for example, to register a new agent), run the same script with open instead of close:
   /opt/rsa/am/utils/bin/appliance/configureFirewall.sh open rsaserv-aps inet,tcp,5580 inet,tcp,5550
4. Repeat steps 1 - 3 on each replica in your deployment; the firewall rule is local to each appliance.
To verify the change from a workstation with OpenSSL installed, run s_client with -ssl3 against each port. When the ports are closed the TCP connection itself fails (the output below is from the Windows OpenSSL build; on Linux the same case prints connect: Connection refused):

C:\OpenSSL-Win64\bin>openssl.exe s_client -connect <IP Address>:5550 -ssl3
connect: No such file or directory
connect:errno=0

C:\OpenSSL-Win64\bin>openssl.exe s_client -connect <IP Address>:5580 -ssl3
connect: No such file or directory
connect:errno=0

If the ports are still open, s_client reports CONNECTED and the server answers the handshake. In the output below port 5580 is open, but the server rejects the SSLv3 ClientHello (wrong version number) and no peer certificate is returned; a server that still accepted SSLv3 would complete the handshake and print its certificate chain instead.
C:\OpenSSL-Win64\bin>openssl.exe s_client -connect <IP Address>:5580 -ssl3
CONNECTED(000000E8)
6872:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1471661883
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Warning: Closing these ports disables agent auto-registration (5550/TCP) and the delivery of offline authentication data and server list updates to agents (5580/TCP). Do not close them if your deployment depends on these features.
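The close/verify procedure above, as an added example that is not part of the RSA article: a POSIX shell script that wraps the article's configureFirewall.sh invocation and runs the same openssl s_client -ssl3 probe against 5550/TCP and 5580/TCP on every server, classifying each result as closed, open-but-rejecting-SSLv3, or open-and-accepting-SSLv3. The classification names, the host names, and the assumption that the local OpenSSL build still accepts -ssl3 are mine, not RSA's.

```shell
#!/bin/sh
# Added example, not part of the RSA article. Closes/reopens the agent ports
# with the article's script and verifies the result with openssl s_client.
# Assumption: the local OpenSSL build still accepts -ssl3 (builds compiled
# without SSLv3 print "unknown option -ssl3", reported here as UNKNOWN).

AM_FW=/opt/rsa/am/utils/bin/appliance/configureFirewall.sh   # path from the article
AGENT_PORTS="inet,tcp,5580 inet,tcp,5550"                      # 5580 offline data, 5550 agent registration

# set_agent_ports close|open: run the article's firewall command on this
# appliance as root. Any other action is refused so a typo cannot reach the script.
set_agent_ports() {
    case "$1" in
        close|open) ;;
        *) echo "usage: set_agent_ports close|open" >&2; return 1 ;;
    esac
    # shellcheck disable=SC2086  # AGENT_PORTS is deliberately word-split
    sudo "$AM_FW" "$1" rsaserv-aps $AGENT_PORTS
}

# classify_probe: read openssl s_client output on stdin and print one word:
#   CLOSED               TCP connect failed, the firewall rule is in place
#   OPEN_SSLV3_REJECTED  TCP connected but the server refused the SSLv3 hello
#   OPEN_SSLV3_ACCEPTED  SSLv3 handshake completed and a certificate came back
#   UNKNOWN              anything else (e.g. OpenSSL built without -ssl3)
classify_probe() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'; then
        echo OPEN_SSLV3_ACCEPTED
    elif printf '%s\n' "$out" | grep -q -e 'wrong version number' -e 'alert handshake failure'; then
        echo OPEN_SSLV3_REJECTED
    elif printf '%s\n' "$out" | grep -q '^connect:'; then
        echo CLOSED
    else
        echo UNKNOWN
    fi
}

# probe HOST PORT: one SSLv3 probe, classified. stdin is /dev/null so
# s_client exits instead of waiting for keyboard input.
probe() {
    openssl s_client -connect "$1:$2" -ssl3 </dev/null 2>&1 | classify_probe
}

# verify_servers HOST...: probe 5550 and 5580 on every server; returns
# non-zero if any port still completes an SSLv3 handshake.
verify_servers() {
    rc=0
    for host in "$@"; do
        for port in 5550 5580; do
            result=$(probe "$host" "$port")
            printf '%s:%s %s\n' "$host" "$port" "$result"
            [ "$result" = OPEN_SSLV3_ACCEPTED ] && rc=1
        done
    done
    return $rc
}

# Usage (host names are placeholders):
#   set_agent_ports close            # on each appliance, as in the article
#   verify_servers am-primary.example.com am-replica1.example.com
```

A port that comes back OPEN_SSLV3_REJECTED is reachable but already refuses the SSLv3 ClientHello, which is what the article's own sample output shows; only OPEN_SSLV3_ACCEPTED means the scanner finding is real, and only CLOSED means the firewall change took effect.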