Update to Authentication Manager 8.8 Patch 3 disables Agent Auto-registration service on TCP port 5550.
3 months ago
Article Number
000073746
Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: AM 8.8 patch 3 and later

Issue

The legacy Authentication Agent for Windows (AAWin) version 7.4.x, which communicates over UDP port 5500, used an auto-registration service running on TCP port 5550 to create and map agent host entries for DHCP-based Windows agents. The MFA agent for Windows does not use this service; it uses virtual host entries instead.

AAWin 7.4.x reached End of Primary Support (EOPS) in June 2024. No bug fixes are possible, customers assume the risk of using AAWin 7.4 agents, and customers should be migrating to the MFA agent.
Product Version Life Cycle for RSA ID Plus and RSA SecurID

It appears that RSA Engineering and Product Management are enforcing EOPS on the legacy AAWin agents. RSA Support has found that with AM server version 8.8 patch 3, the auto-registration service has been disabled in the database, so that even if it shows as enabled in the Security Console, it does not work. This KB explains how to enable this service and assume the risk of running the EOPS version of AAWin.

The out-of-support AAWin agent cannot use TLS 1.3 and uses older, less secure ciphers. The AM 8.8 update moves cipher management from WebLogic to Java and disables these less secure ciphers in the java.security file. If you still have AAWin agents, you will also need to allow these less secure ciphers. See the KB article "Authentication Manager 8.8 update breaks TLS connections; TLS Handshake error no cipher suites in common".

Cause

The AM 8.8 update disables the less secure TLS ciphers used by AAWin agents, and 8.8 P3 disables the AAWin auto-registration service in the AM on-prem database, causing agents to fail with AGENT_AUTO_REG_START,23029,FAIL,NON_SSL_SOCKET

Resolution

Update to the MFA agent for Windows. It has been the only supported agent for Windows since June 2024.
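
To plan that migration, the failure string from the Cause section can be counted per agent address in an exported AM log to list hosts still running the legacy agent. This is an added example, not RSA code; the log file path, the line layout of the constructed sample, and the rule that the first IPv4 address on a matching line is the agent's are assumptions.

```shell
#!/bin/sh
# Added example (not RSA code): count legacy auto-registration failures per agent.
# Assumption: the first IPv4 address on a matching log line is the agent's address.

# Failure string quoted in the Cause section of this KB.
SIGNATURE='AGENT_AUTO_REG_START,23029,FAIL,NON_SSL_SOCKET'

# Usage: legacy_autoreg_failures LOGFILE
# Prints "<count> <ip>" per agent, busiest first. Lines without the signature
# are ignored; matching lines with no address are counted as "unknown".
legacy_autoreg_failures() {
    awk -v sig="$SIGNATURE" '
        index($0, sig) {
            if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
                ip = substr($0, RSTART, RLENGTH)
            else
                ip = "unknown"
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log (the line layout is hypothetical, for illustration only).
write_sample_log() {
    cat > "$1" <<'EOF'
2025-01-10 08:01:02 src=10.0.0.21 AGENT_AUTO_REG_START,23029,FAIL,NON_SSL_SOCKET
2025-01-10 08:01:09 src=10.0.0.34 AGENT_AUTO_REG_START,23029,FAIL,NON_SSL_SOCKET
2025-01-10 08:02:41 src=10.0.0.55 OTHER_EVENT,0,SUCCESS
2025-01-10 08:06:02 src=10.0.0.21 AGENT_AUTO_REG_START,23029,FAIL,NON_SSL_SOCKET
EOF
}

# Run against a real exported log when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    legacy_autoreg_failures "$1"
fi
```

Each address in the output is a host to move to the MFA agent before relying on the workaround below.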

Workaround

Tasks

1. Verify that Auto-registration is enabled in the Security Console - Setup - System. Agents.
2. Enable Auto-registration with the ./rsautil command on the AM server's Linux command line:
   cd /opt/rsa/am/utils
   ./rsautil store -a config_all auth_manager.agent_protocol.auto_reg_ssl_enabled true
3. Enable the 'weaker' TLS ciphers if needed to run this unsupported agent. See the KB article "Authentication Manager 8.8 update breaks TLS connections; TLS Handshake error no cipher suites in common".

Task 2 Details for this KB

1. SSH to Linux on the AM servers with PuTTY or another SSH client, using the rsaadmin credentials


2. Run the rsautil command to enable AAWin agent auto-registration

cd /opt/rsa/am/utils

./rsautil store -a config_all auth_manager.agent_protocol.auto_reg_ssl_enabled true

  See message NOTICE:   Changed the value of configuration parameter 'auth_manager.agent_protocol.auto_reg_ssl_enabled' from 'false' to 'true' for all instances.

config_all

------------

(1 row)

3. Restart AM services

rsaserv_restart_all