1. A network packet capture shows the Authentication Manager server sending an SSL/TLS client hello request to the domain controller requesting a connection on TLSv1.2 using any of 31 ciphers listed. The DC responds that it will use the TLS_DHE_RSA_WITH_AES_256_GCM_SHA_384 Cipher Suite, which was one of the ciphers in the Authentication Manager.
   

2. The verbose /opt/rsa/am/server/logs/imsTrace.log shows the Diffie-Hellman DH Key negotiation fails

Authentication Manager 8.4 is FIPS compliance for cryptographic operations (see the RSA Announces the Release of RSA Authentication Manager 8.4), which means that 1024-bit certificates are no longer supported.  However, in these customer cases the domain controller and the Authentication Manager 8.4 server both have 2048-bit certificates.

However, within the negotiation of an SSL/TLS connection, the cipher suites that use Diffie-Hellman for key exchange must use a 2048-bit prime when generating a key pair.

In this case, the responding SSL server (which was an F5 load balancer in front of the domain controller) responded that the TLS_DHE_RSA_WITH_AES_256_GCM_SHA_384 cipher suite would be using a 1024 prime to generate a DHE key pair.



Because the F5 is using a DHE key size that is not FIPS 140-2 compliant, the Authentication Manager server errors out and the LDAPS connection fails.

This hotfix is planned for release in Authentication Manager 8.4 patch 2, or customer support has a hotfix that could be applied to Authentication Manager 8.4 base.

Global variable fix to avoid cipher suites that allow negotiation of non-FIPS 140-2 compliant cipher components

1. Open an SSH session on each Authentication Manager server, starting with the primary first. 
2. Login as the rsaadmin user, noting that during Quick Setup another user name may have been selected. If that is the case, that user name to login.
3. Navigate to /opt/rsa/am/utils.
4. Run the command ./rsautil store -a add_config ims.tls.cipher_list.use_via_trust true GLOBAL BOOLEAN.  This global variable prevents Authentication Manager 8.4 from including the TLS_DHE_RSA_WITH_AES_256_GCM_SHA_384 cipher suite in the SSL client hello to the domain controller (F5) when trying to connect using LDAPS.  Internal testing at RSA has been done by Support and QE.

• Use add_config the first time you run this command because you are creating or adding a new global variable for the code to use.  
• Use update_config any subsequent to undo this change.  For example,