How to close ports used by the RSA Authentication Agent to block SSLv3 communication to RSA Authentication Manager 8.x
Originally Published: 2016-08-20
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1 P13 or later
Issue
Port 5550/TCP: Used for communication with authentication agents that are attempting to register with Authentication Manager.
Port 5580/TCP: Used to receive requests for additional offline authentication data, and send the offline data to agents. Also used to update server lists on agents.
Some vulnerability scanners report that these ports are susceptible to SSLv3 vulnerabilities.
To pass compliance audits, customers have been required to close those ports.
Resolution
- Log on to the Authentication Manager primary using an SSH client or a direct connection.
- Change to the root user with sudo.
- Enter the following commands:
sudo su root
/opt/rsa/am/utils/bin/appliance/configureFirewall.sh close rsaserv-aps inet,tcp,5580 inet,tcp,5550
/opt/rsa/am/utils/bin/appliance/configureFirewall.sh open rsaserv-aps inet,tcp,5580 inet,tcp,5550
- Repeat steps 1 - 3 for each RSA Authentication Manager server in your deployment.
C:\OpenSSL-Win64\bin>openssl.exe s_client -connect <IP Address>:5500 -ssl3
connect: No such file or directory
connect:errno=0
C:\OpenSSL-Win64\bin>openssl.exe s_client -connect <IP Address>:5580 -ssl3
connect: No such file or directory
connect:errno=0
If they are open then they return the server certificate information.
C:\OpenSSL-Win64\bin>openssl.exe s_client -connect <IP Address>:5580 -ssl3
CONNECTED(000000E8)
6872:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1471661883
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Warning: Do not close the ports if these features are essential to your deployment.
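When the check has to be repeated for every server in a deployment, the transcripts can be classified automatically. The following is an added example, not part of the original RSA article: it sorts saved `openssl s_client -ssl3` output into closed, open without SSLv3, or open with SSLv3 negotiated. The function and sample names are hypothetical, the first two samples are trimmed from the transcripts above, and the third sample is constructed.

```shell
#!/bin/sh
# Added example. Reads one `openssl s_client -ssl3` transcript on stdin and
# prints: closed | open-no-sslv3 | open-sslv3 | unknown
classify_probe() {
    out=$(cat)
    # No CONNECTED line: the TCP connection itself failed (firewall closed).
    if ! printf '%s\n' "$out" | grep -q '^CONNECTED('; then
        if printf '%s\n' "$out" | grep -q '^connect:errno='; then
            echo closed
        else
            echo unknown
        fi
        return 0
    fi
    # Connected: SSLv3 was negotiated only if a peer certificate was
    # returned and a real cipher was selected.
    if printf '%s\n' "$out" | grep -q '^Server certificate' &&
       ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo open-sslv3
    else
        echo open-no-sslv3
    fi
}

# Trimmed from the article's transcript for a closed port.
sample_closed() { cat <<'EOF'
connect: No such file or directory
connect:errno=0
EOF
}
# Trimmed from the article's transcript for port 5580.
sample_rejected() { cat <<'EOF'
CONNECTED(000000E8)
6872:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:
no peer certificate available
New, (NONE), Cipher is (NONE)
EOF
}
# Constructed sample of a completed SSLv3 handshake (not from the article).
sample_negotiated() { cat <<'EOF'
CONNECTED(000000E8)
Server certificate
New, TLSv1/SSLv3, Cipher is AES256-SHA
    Protocol  : SSLv3
EOF
}

for s in sample_closed sample_rejected sample_negotiated; do
    printf '%s: %s\n' "$s" "$("$s" | classify_probe)"
done
```

To use it on real probes, save both stdout and stderr of each `s_client` run to a file and pipe that file into `classify_probe`.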