RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: AM 8.8 and later, Identity Router v. 12.24.0.0.10
When the Cloud Access Service Identity Router was updated to v. 12.24.0.0.10, some FedRamp customers noticed that their external LDAPS identity sources failed to connect with the following error:
Failed to create initial dir context for LDAP connection. LDAP server is 'ldaps://[IP address redacted]:636' principal is '[hostname redacted]'.
Caused by: javax.naming.NamingException [Root exception is java.lang.RuntimeException: invalid key or spec in AEAD mode]
The AM v. 8.8 on-prem appliance and the IDR v. 12.24.0.0.10 include three CHACHA20_Poly1305 AEAD algorithms. These algorithms can be disabled in the java.security file to prevent their use by AM or IDR.
Note: this Knowledge Base (KB) article is a work-around and has not been part of QE testing by RSA. It is offered 'as is'.
Also note: AM and IDR keep their java.security files in different directories:
IDR: /opt/openjdk-11/conf/security/java.security
AM: /opt/rsa/am/appserver/jdk/jre/lib/security/java.security
This work-around can be used until Engineering provides a fix for the affected customers, for example in FedRamp environments where the CHACHA20-Poly1305 algorithm cannot be used because it is not FIPS-compliant.
Tasks
- Make a backup copy of your java.security file. AM uses /opt/rsa/am/appserver/jdk/jre/lib/security/ and IDR uses /opt/openjdk-11/conf/security/
- Edit java.security and add CHACHA20_POLY1305 to the list of algorithms after jdk.tls.disabledAlgorithms=
- Restart the AM services or the IDR services
Disabling CHACHA20_POLY1305 prevents the following cipher suites from being used by AM or IDR:
- TLS_CHACHA20_POLY1305_SHA256 (0x1303)
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
- TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
SSH to Linux on the RSA AM appliance or IDR, or gain console access, authenticating with the rsaadmin account.
Make a backup of java.security on the AM appliance or on the IDR. Note the different locations!
AM: cd /opt/rsa/am/appserver/jdk/jre/lib/security/ OR IDR: cd /opt/openjdk-11/conf/security/
cp java.security java.security.orig
<screenshot - java_security_1_ssh.png>
Edit java.security
vi java.security
<screenshot - java_security_2_top_of_file.png>
Look for the line starting:
jdk.tls.disabledAlgorithms=
and insert CHACHA20_POLY1305, directly after the equals sign, ahead of the existing entries.
<screenshot - java_security_3_jdk.tls.disabledAlgorithms-CHACHA20.png>
Restart AM or IDR services.
Restart AM services.
cd /opt/rsa/am/server
./rsaserv restart all
<screenshot - rsaserv_restart_all.png>
Restart IDR services.
Restart IDR services from the Cloud Administration Console, or see the following KB for command-line control.
Advanced troubleshooting for RSA SecurID Access Identity Router
https://community.rsa.com/s/article/Advanced-troubleshooting-for-RSA-SecurID-Access-Identity-Router
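The backup, edit and verify steps above, as an added shell example that is not RSA's own tooling: it joins the backslash-continued lines of jdk.tls.disabledAlgorithms to check whether CHACHA20_POLY1305 is already listed, keeps a .orig copy, and inserts the entry only when it is missing. The function names and the constructed sample fragment are assumptions; the two file paths are the ones this KB gives for AM and IDR, and restarting the services remains a manual step.

```shell
#!/bin/sh
# Added example, not RSA's own tooling: back up java.security and add
# CHACHA20_POLY1305 to jdk.tls.disabledAlgorithms, idempotently.
# The two paths are the ones the KB gives for AM and IDR.
AM_JAVA_SECURITY=/opt/rsa/am/appserver/jdk/jre/lib/security/java.security
IDR_JAVA_SECURITY=/opt/openjdk-11/conf/security/java.security

# Print the effective jdk.tls.disabledAlgorithms value as one line, joining
# the backslash-continued lines that the stock java.security uses.
disabled_algorithms() {
    awk '/^jdk\.tls\.disabledAlgorithms=/ { inprop = 1; sub(/^[^=]*=/, "") }
         inprop { cont = sub(/\\[ \t]*$/, ""); printf "%s", $0
                  if (!cont) { inprop = 0; print "" } }' "$1"
}

# Exit 0 if CHACHA20_POLY1305 is already in the list, 1 otherwise.
chacha20_disabled() {
    disabled_algorithms "$1" | tr -d ' \t' | tr ',' '\n' | grep -qx CHACHA20_POLY1305
}

# Keep a .orig copy, then insert the entry directly after "=" so the edit is
# valid whether the value sits on one line or is continued; no-op if present.
disable_chacha20() {
    file=$1
    if chacha20_disabled "$file"; then
        echo "CHACHA20_POLY1305 already disabled in $file"; return 0
    fi
    cp "$file" "$file.orig"
    sed 's/^jdk\.tls\.disabledAlgorithms=/&CHACHA20_POLY1305, /' "$file.orig" > "$file"
    chacha20_disabled "$file"
}

# Constructed java.security fragment for an offline dry run (not a real
# appliance file); it mirrors the continued-line layout of the stock file.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC
EOF
}

# Dry run: ./disable_chacha20.sh --demo   (real use: disable_chacha20 "$AM_JAVA_SECURITY")
if [ "${1-}" = "--demo" ]; then
    f=$(mktemp); make_sample "$f"; disable_chacha20 "$f"; disabled_algorithms "$f"
    rm -f "$f" "$f.orig"
fi
```

Run it as rsaadmin against the AM or IDR path, then restart the services as described above; the .orig copy is the rollback if LDAPS behaviour changes unexpectedly.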
See Jira for related info on when Engineering will provide the supported version of this fix.
NGX-225851 - [4-13/4-15/Not-RC-Blocking/Product]IDR update to 12.24.0.0.10 breaks LDAPS with "Failed to create initial dir context for LDAP connection...invalid key or spec in AEAD mode"
See also the following two KBs for variations of the same solution applied to different problems related to Java ciphers.
Authentication Manager 8.8 update breaks TLS connections; TLS Handshake error no cipher suites in common
https://community.rsa.com/s/article/Authentication-Manager-8-8-update-breaks-TLS-connections-TLS-Handshake-error-no-cipher-suites-in-common
LDAP Server connection test failed error for Authentication Manager 8.8 and higher when LDAPS is used with certain LDAP Directory Servers
https://community.rsa.com/s/article/LDAP-Server-connection-test-failed-error-for-Authentication-Manager-8-8-and-higher-when-LDAPS-is-used-with-certain-LDAP-Directory-Servers