We have been advised to enable strict TLS 1.2 on our RSA Authentication Manager virtual appliances.

a year ago

By default, RSA Authentication Manager 8.2 or later deployments use TLS 1.2, however TLS 1.0 and TLS 1.1 are also supported. Authentication Manager supports a strict TLS mode that only uses TLS 1.2 for communication within your Authentication Manager deployment.

You can enable and disable the strict TLS 1.2 mode. To do so, perform the following procedure on the primary instance and each replica instance. Updating the primary instance automatically updates the web tier, but restarting the web tier is required for the changes to take effect.

Before you begin

Obtain the rsaadmin operating system password for the primary instance and each replica instance.
Secure shell (SSH) must be enabled on every appliance in your deployment. For instructions, see Enable Secure Shell on the Appliance.

Procedure

Log on to the appliance with the User ID rsaadmin and the current operating system password:

On a hardware appliance, an Amazon Web Services appliance, or an Azure appliance, log on to the appliance using an SSH client.
On a VMware virtual appliance, log on to the appliance using an SSH client or the VMware vSphere client.
On a Hyper-V virtual appliance, log on to the appliance using an SSH client , the Hyper-V Virtual Machine Manager Console, or the Hyper-V Manager.

Change directories to /opt/rsa/am/utils.
Run the command. To restart all of your RSA Authentication Manager services later, you must remove restart from the following commands:
To enable strict TLS 1.2 mode, type:
./rsautil store -a enable_min_protocol_tlsv1_2 true restart
To disable strict TLS 1.2 mode so that your deployment can support TLS 1.0 and TLS 1.1, type:
./rsautil store -a enable_min_protocol_tlsv1_2 false restart
(Optional) If you decided to manually restart all of your RSA Authentication Manager services, do the following:
1. Change directories to /opt/rsa/am/server.
Type:
1. ./rsaserv restart all
Repeat the steps for each Authentication Manager instance in your deployment.

After you finish

Restart the web tier (if applicable).

Note: For Authentication Manager 8.6 and all subsequent patches or upgrades, you should enable Strict TLS mode again after the upgrade by following the procedure outlined above.

I would recommend doing the procedure on your primary first and then any replicas.

Expand Post

Stacey Schofield (he/him) (RSA)
a year ago
By default, RSA Authentication Manager 8.2 or later deployments use TLS 1.2, however TLS 1.0 and TLS 1.1 are also supported. Authentication Manager supports a strict TLS mode that only uses TLS 1.2 for communication within your Authentication Manager deployment.
You can enable and disable the strict TLS 1.2 mode. To do so, perform the following procedure on the primary instance and each replica instance. Updating the primary instance automatically updates the web tier, but restarting the web tier is required for the changes to take effect.

Before you begin
Obtain the rsaadmin operating system password for the primary instance and each replica instance.
Secure shell (SSH) must be enabled on every appliance in your deployment. For instructions, see Enable Secure Shell on the Appliance.

Procedure
Log on to the appliance with the User ID rsaadmin and the current operating system password:
On a hardware appliance, an Amazon Web Services appliance, or an Azure appliance, log on to the appliance using an SSH client.
On a VMware virtual appliance, log on to the appliance using an SSH client or the VMware vSphere client.
On a Hyper-V virtual appliance, log on to the appliance using an SSH client , the Hyper-V Virtual Machine Manager Console, or the Hyper-V Manager.
Change directories to /opt/rsa/am/utils.
Run the command. To restart all of your RSA Authentication Manager services later, you must remove restart from the following commands:
To enable strict TLS 1.2 mode, type:
./rsautil store -a enable_min_protocol_tlsv1_2 true restart
To disable strict TLS 1.2 mode so that your deployment can support TLS 1.0 and TLS 1.1, type:
./rsautil store -a enable_min_protocol_tlsv1_2 false restart
(Optional) If you decided to manually restart all of your RSA Authentication Manager services, do the following:
Change directories to /opt/rsa/am/server.
Type:
./rsaserv restart all
Repeat the steps for each Authentication Manager instance in your deployment.

After you finish
Restart the web tier (if applicable).

Note: For Authentication Manager 8.6 and all subsequent patches or upgrades, you should enable Strict TLS mode again after the upgrade by following the procedure outlined above.

I would recommend doing the procedure on your primary first and then any replicas.
Expand Post
BinodChetia96281 (Customer)
a year ago
Hi Stacey,
What is the procedure to disable TLS1.1 . Is there a document on this
Expand Post
EricaChalfin (RSA)
Edited April 3, 2025 at 12:58 PM
@BinodChetia96281 (Customer) ,

Use this article for the steps to enable or disable strict TLS 1.2 mode.

Expand Post

Related Questions

Trending Articles