RSA-2026-01: RSA Governance and Lifecycle Product Security Update for LDAP Connector - FIPS Mode Enforcement
RSA Identifier: RSA-2026-01
Severity: Informational / Configuration Change
Type: Security Enhancement
Affected products
- RSA Governance & Lifecycle 8.0.0 P10 and later
Summary:
The LDAP Connector in the MuleSoft component of AFX Server has been upgraded from v3.5.6 to v3.6.0. As part of a MuleSoft security enhancement, non-secure LDAP connections are no longer permitted when FIPS mode is enabled.
Details:
Since AFX Server runs in FIPS mode only, the upgraded MuleSoft component now enforces stricter security controls. As a result:
- Plain LDAP connections (LDAP over port 389) are blocked
- Only secure LDAP connections are supported:
  - LDAPS (port 636)
This change is intentional and documented in the MuleSoft release notes.
Impact
- LDAP connectors using non-SSL port 389 will fail in FIPS-enabled environments (default behavior). This includes:
  - Active Directory
  - IBM Tivoli’s Directory Server
  - Novell eDirectory
  - OpenLDAP
  - Oracle Directory Server
  - Oracle Internet Directory
- No impact to configurations already using LDAPS
Required Action
Customers and administrators are required to complete the following steps either before or after applying patch P10. However, RSA strongly recommends completing these steps as early as possible, preferably before applying the patch, because enabling SSL for LDAP servers (if not already configured), making necessary network changes, and performing validation/testing may require significant time.
- Configure LDAP endpoints (such as Active Directory or OpenLDAP) to accept LDAPS connections.
- Review all LDAP-based connector configurations in RSA Governance & Lifecycle.
- Replace non-secure LDAP connections with LDAPS (port 636).
- Ensure valid TLS certificates are configured and trusted by the AFX Servers / LDAP connectors.
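A pre-flight check for the steps above, as an added example that is not RSA or MuleSoft code: it flags connector settings that will stop working and runs a verified TLS handshake against the LDAPS endpoints. The inventory layout, the host names and the cafile bundle are assumptions made for illustration.

```python
import socket
import ssl
import time

# Constructed inventory. The (name, host, port, use_secure) layout is a
# hypothetical export, not an RSA Governance & Lifecycle format.
SAMPLE_CONNECTORS = [
    ("ad-prod", "dc01.example.internal", 389, False),
    ("openldap-hr", "ldap.example.internal", 636, True),
    ("edir-legacy", "edir.example.internal", 636, False),
    ("oid-fin", "oid.example.internal", 389, True),
]

def classify(port, use_secure):
    """Static check of one connector against the FIPS-mode behaviour."""
    if not use_secure:
        return "will-fail"      # non-secure LDAP is blocked in FIPS mode
    if port == 389:
        return "review-port"    # secure flag set, port is still the plain-LDAP one
    return "handshake-check"    # LDAPS configured; certificate trust still to confirm

def audit(connectors):
    return {name: classify(port, secure) for name, _host, port, secure in connectors}

def check_ldaps(host, port=636, cafile=None, timeout=5.0):
    """TLS handshake with chain and hostname verification; returns (status, detail)."""
    # Assumption: cafile is a PEM bundle of the CAs the AFX server trusts;
    # None falls back to the system trust store.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                expires = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
                days_left = int((expires - time.time()) // 86400)
                return "trusted", f"{tls.version()}, certificate expires in {days_left} days"
    except ssl.SSLCertVerificationError as exc:
        return "untrusted", exc.verify_message
    except OSError as exc:  # refused, timeout, DNS failure, TLS protocol error
        return "unreachable", str(exc)

if __name__ == "__main__":
    for name, host, port, secure in SAMPLE_CONNECTORS:
        status = classify(port, secure)
        if status == "handshake-check":
            status = check_ldaps(host, port)
        print(name, host, port, status)
```

An "untrusted" result means the endpoint speaks TLS but its certificate chain or host name does not validate against the supplied bundle, which is the trust problem the last step asks you to resolve.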
Migration
Post-migration, the “Use Secure Connection” field will be unlocked, and an error message will be displayed on the connector page with instructions to edit the connector and provide the required SSL configuration (including port updates and certificate trust).
Upon editing the updated configuration, the “Use Secure Connection” option will be automatically selected and disabled (greyed out).
Resolution
This is a behavioral change by design and not a defect.
There is no workaround to enable non-SSL LDAP connections when FIPS mode is enabled.
Severity Rating
For an explanation of Severity Ratings, refer to the Security Advisories Severity Rating knowledge base article. RSA recommends all customers consider both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a security vulnerability.
Legal Information
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact RSA Technical Support. RSA Security LLC and its affiliates, including without limitation, distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title, and non-infringement. In no event shall RSA, its affiliates, or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if RSA, its affiliates, or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.