RSA Product Set: RSA ID Plus
RSA Product/Service Type: Cloud Access Service (CAS), Identity Router (IDR)
The IDR operates in strict FIPS 140 mode, requiring all communications to use FIPS 140-compliant cipher suites. For DHE cipher suites—such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, and TLS_DHE_RSA_WITH_AES_256_GCM_SHA384—a minimum 2048-bit DH key size is mandatory. However, Active Directory (AD)/LDAP servers typically use a 1024-bit DH key size by default, which prevents the IDR from establishing a connection when these ciphers are in use.
When the Diffie-Hellman (DH) key size is increased to 2048 bits on the AD/LDAP server by following Microsoft Security Advisory 3174644, you may still encounter connection issues. If the issue persists after increasing the key size, check the IDR logs for the following error:
"DH Parameters without subprime Q are not FIPS 140 approved, specify using DSAParameterSpec or 42DHParameterSpec"
This error indicates that the 'q' parameter is missing in the DH parameters used by the DHE cipher suites. While the 'q' parameter is optional by standard, it is required for FIPS 140-2 compliance. The absence of this parameter leads to the preceding error.
The IDR supports a wide range of non-DHE cipher suites that are FIPS 140 compliant. On the AD/LDAP server, you can configure the preferred order of cipher suites. By prioritizing FIPS 140 compliant, non-DHE cipher suites above the DHE options in the list, the issue can be resolved.
To re-order the cipher suites:
- On the Active Directory server, go to Start > Administrative Tools > Group Policy Management.
- In the left pane, navigate to Forest > Domains > Domain Name and expand it.
- Right-click Default Domain Policy.
- Click Edit in the context menu. The Group Policy Management Editor opens.
- Go to Computer Configuration > Policies > Administrative Templates > Network > SSL Configuration Settings.
- Double-click SSL Cipher Suite Order.
- On the SSL Cipher Suite Order window, click Enabled if not already enabled.
- If enabled, add the below-mentioned list of cipher suites on top of the already existing cipher suites.
- If not enabled, click Enable. All the cipher suites will be listed in the Options pane.
- Reorder the cipher suites so that the non-DHE FIPS 140 compliant ciphers are on top and the DHE ciphers are at the bottom. (A list of some non-DHE FIPS 140 compliant cipher suites that can be used follows below.)
- Apply the changes.
- Restart the server.
- Test the Identity Source connection from the Admin Console.
List of Strong Ciphers
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
Note: These are some of the strong ciphers. There can be other strong ciphers also that can be used.
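The following PowerShell script is an added example, not part of the RSA article: it audits the effective Schannel cipher suite order on the AD/LDAP server, warns about DHE suites that rank above the first non-DHE FIPS suite from the list above, and builds the reordered list in the comma-separated form the SSL Cipher Suite Order policy stores in its Functions value. It assumes Windows Server 2016 or later (Get-TlsCipherSuite) and an elevated session; it changes nothing itself.

```powershell
# Added example (not RSA's code): audit and rebuild the Schannel cipher suite
# order so non-DHE FIPS 140 suites come first and DHE suites last.
# Assumes Windows Server 2016+ (Get-TlsCipherSuite) and an elevated session.

# Non-DHE FIPS 140 compliant suites from the article, in preferred order.
$PreferredNonDhe = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256'
)

# Effective order as Schannel currently applies it (policy or local default).
$current = @((Get-TlsCipherSuite).Name)

# Flag DHE suites the server would offer ahead of the first preferred non-DHE suite.
$firstPreferred = $current | Where-Object { $PreferredNonDhe -contains $_ } | Select-Object -First 1
$idx = [array]::IndexOf($current, $firstPreferred)   # -1 when none of the preferred suites is enabled
$dheAbove = $current | Select-Object -First ([math]::Max($idx, 0)) | Where-Object { $_ -like 'TLS_DHE_*' }
if ($dheAbove) {
    Write-Warning 'DHE suites ranked above the first non-DHE FIPS suite (the IDR may negotiate these):'
    $dheAbove | ForEach-Object { Write-Warning "  $_" }
}

# New order: preferred non-DHE suites, then the remaining non-DHE suites, then DHE suites last.
$rest = $current | Where-Object { $PreferredNonDhe -notcontains $_ }
$newOrder = $PreferredNonDhe +
            @($rest | Where-Object { $_ -notlike 'TLS_DHE_*' }) +
            @($rest | Where-Object { $_ -like 'TLS_DHE_*' })

# The SSL Cipher Suite Order policy stores the list as one comma-separated
# string in the Functions value under this policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$functions = ($newOrder | Select-Object -Unique) -join ','
Write-Output 'Paste this into the SSL Cipher Suite Order policy setting:'
Write-Output $functions

# Read-only check of what the policy currently sets (after gpupdate /force and a restart).
if (Test-Path $policyKey) {
    $applied = (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($applied) { Write-Output "Policy currently sets: $applied" }
}
```

Run it before and after the Group Policy change: the warning should disappear once the policy has applied, and the Test Identity Source step in the Admin Console confirms the IDR can negotiate a non-DHE suite.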