RSA® Governance & Lifecycle
This is the primary landing page for RSA Governance & Lifecycle (formerly RSA Identity Governance & Lifecycle), where customers and partners can find product documentation, downloads, advisories, forums and other helpful resources for the product.
Article Number
000068197
Applies To
SecurID Governance & Lifecycle 7.5.2 P03 on IBM WebSphere
Issue
When SecurID Governance & Lifecycle 7.5.2 P03, deployed on IBM WebSphere 8.5.5.21, is configured to use the IMAPS protocol (default port 993) for the Approval Email Server, the following exception appears in the logs:
javax.mail.MessagingException: Could not connect to message store for imaps://username@imaps-server.hostname:993;
nested exception is:
javax.mail.MessagingException: Remote host terminated the handshake;
nested exception is:
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
at com.aveksa.server.email.common.EmailUtils.connectToMailStore(EmailUtils.java:651)
at com.aveksa.server.email.mailboxmonitor.MailboxMonitorThread.checkForMail(MailboxMonitorThread.java:178)
at com.aveksa.server.email.mailboxmonitor.MailboxMonitorThread.run(MailboxMonitorThread.java:46)
Caused by: javax.mail.MessagingException: Remote host terminated the handshake;
nested exception is:
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:670)
at javax.mail.Service.connect(Service.java:295)
at javax.mail.Service.connect(Service.java:176)
at javax.mail.Service.connect(Service.java:125)
at com.aveksa.server.email.common.EmailUtils.connectToMailStore(EmailUtils.java:625)
... 2 more
Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
at com.ibm.jsse2.bj.a(bj.java:18)
at com.ibm.jsse2.bj.b(bj.java:1)
at com.ibm.jsse2.bj.f(bj.java:427)
at com.ibm.jsse2.bj.a(bj.java:406)
at com.ibm.jsse2.bj.startHandshake(bj.java:160)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:549)
at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:354)
at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:237)
at com.sun.mail.iap.Protocol.<init>(Protocol.java:116)
at com.sun.mail.imap.protocol.IMAPProtocol.<init>(IMAPProtocol.java:115)
at com.sun.mail.imap.IMAPStore.newIMAPProtocol(IMAPStore.java:685)
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:636)
... 6 more
An inspection of the TCP network traffic capture data shows a connection being attempted using TLSv1.0.
Cause
The mail server and/or a network firewall is configured to only allow TLS v1.2 connections, and any connection attempts using TLS v1.0 are refused/terminated.
Resolution
On the IBM WebSphere server hosting the SecurID Governance & Lifecycle application, configure the following JVM argument:
mail.imaps.ssl.protocols=TLSv1.2
Note: The JVM argument can be added in the WebSphere console under Servers > Server types > WebSphere application servers > (select the server used for SecurID Governance & Lifecycle) > Configuration tab > Server Infrastructure > Java and Process Management > Process Definition > Additional Properties > Java Virtual Machine > Generic JVM Arguments.
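To confirm from a packet capture which protocol versions the client actually offered, the ClientHello can be decoded directly. The following is an added example, not part of the original article or RSA's code; the function names are hypothetical and the ClientHello bytes are constructed sample data rather than a real capture.

```python
import struct

TLS_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
             0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def offered_versions(record):
    """Return the protocol versions a ClientHello offers, highest first."""
    ctype, _record_version, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    # _record_version is commonly 0x0301 even for TLS 1.2/1.3 clients, so it
    # is ignored here; the real offer lives inside the ClientHello body.
    body = record[9:5 + rec_len]          # skip record (5) + handshake (4) headers
    versions = {struct.unpack_from("!H", body, 0)[0]}    # client_version field
    pos = 2 + 32                          # client_version + random
    pos += 1 + body[pos]                  # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]    # cipher_suites
    pos += 1 + body[pos]                  # compression_methods
    if pos < len(body):                   # the extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            if ext_type == 0x002B:        # supported_versions replaces client_version
                raw = body[pos + 5:pos + 5 + body[pos + 4]]
                versions = {v for (v,) in struct.iter_unpack("!H", raw)}
            pos += 4 + ext_len
    versions = {v for v in versions if (v & 0x0F0F) != 0x0A0A}  # drop GREASE values
    return [TLS_NAMES.get(v, hex(v)) for v in sorted(versions, reverse=True)]

def build_client_hello(client_version, supported=None):
    """Construct a minimal ClientHello record (sample data, not a real capture)."""
    exts = b""
    if supported:
        lst = b"".join(struct.pack("!H", v) for v in supported)
        exts = struct.pack("!HHB", 0x002B, len(lst) + 1, len(lst)) + lst
    body = (struct.pack("!H", client_version) + bytes(32) + b"\x00"
            + struct.pack("!HH", 2, 0x002F) + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake

if __name__ == "__main__":
    print("TLSv1.0-only client:", offered_versions(build_client_hello(0x0301)))
    print("TLSv1.2 client:     ", offered_versions(build_client_hello(0x0303)))
```

A client that reports only TLSv1.0 here matches the failure described in this article; after the JVM argument is applied, a fresh capture should show TLSv1.2 in the offer.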
Article Number
000068153
Applies To
RSA Product Set: RSA Governance & Lifecycle
RSA Version/Condition: RSA Governance & Lifecycle 7.x.x
Issue
If access that is being reviewed is removed outside of the review, and that removal is collected and verified, and the access is also revoked in the review, a change request is created for access that is no longer there.
Cause
This is an improvement that is added by the engineering team in ACM-115513.
Resolution
The behavior is improved: when creating the change request from the review, RSA Governance & Lifecycle checks whether the item/review component access has already been revoked outside of the review. If it has, no change request is created. This improvement is added for all types of reviews starting from the following version:
SecurID Governance & Lifecycle 7.5.2 P07
Article Number
000068115
Applies To
RSA Product Set: RSA Governance & Lifecycle
RSA Version/Condition: RSA Governance & Lifecycle 7.x.x
Issue
The role count being reviewed shows the incorrect entitlement count in the role review.
Cause
This issue is caused by duplicate role records in the T_AV_EXPLODEDUSERENTITLEMENTS table. Importing roles that were created on legacy versions, when roles with the same name as the collected roles already exist, creates duplicate entries in T_AV_EXPLODEDUSERENTITLEMENTS.
Resolution
Contact RSA Customer Support and quote this KB article for a cleanup script for this issue.
Notes
Run the attached script Dup_Review_Comp_And_Xue.sql. This script contains four select queries that detect whether there are any duplicates for the roles.
Article Number
000067908
Applies To
This is a known issue in the following versions when using an AFX Connector to an Oracle database that uses encryption:
RSA Identity Governance & Lifecycle - 7.2.1 P06
RSA Identity Governance & Lifecycle - 7.5.0 P03
SecurID Governance & Lifecycle - 7.5.2 GA
Issue
The following message is displayed when testing an Oracle Database AFX Connector:
Failed connector settings test
Connection error: java.security.InvalidAlgorithmParameterException: DH Parameters without subprime Q are not FIPS 140 approved, specify using DSAParameterSpec or X942DHParameterSpec (java.lang.RuntimeException)
Cause
The error is generated when the target Oracle Database uses Oracle Database Native Network Encryption (NNE) and requests encryption (ENCRYPTION=required) but does not enforce the FIPS 140 encryption level.
Current versions of AFX support and enforce FIPS 140 encryption if encryption is requested. Lower levels of encryption are considered insecure and are not allowed.
Resolution
This issue is resolved in the following version, which deprecates the 1024-bit DHE encryption types that cause FIPS 140 compatibility issues:
RSA Governance & Lifecycle 8.0
(Note that RSA Governance & Lifecycle version 8.0 has not been released at the time of authoring this knowledgebase article.)
Workaround
1. This may be resolved by using FIPS 140 mode for the Oracle encryption. For most customers this is not practicable.
2. Another option is to disable Encryption between AFX and the Oracle Database server.
If you encountered the error described in this article, Oracle NNE encryption is enabled on the Oracle server but the Oracle listener may be configured to support encryption at three levels (accepted | requested | required).
If the Oracle listener is configured with SQLNET.ENCRYPTION_SERVER = REQUIRED, there is no solution.
If the Oracle listener is configured with ALLOWED or ACCEPTED, and the Oracle database is 21c (Note1) or later, it is possible to configure the AFX server to negotiate an unencrypted session.
a. Modify the AFX startup configuration by editing /home/oracle/AFX/esb/conf/wrapper.conf
b. Add the following line (the ordinal number 10 represents the last such line in the file; increment this number if the configuration file already contains an item number 10):
wrapper.java.additional.10=-Doracle.net.encryption_client=rejected
c. Restart AFX for this to take effect.
This setting will be overwritten if AFX is redeployed. Ensure you remove this line to reenable encryption once you upgrade to a version where encryption is supported.
Note1. Oracle intends to back port the feature that allows for client negotiation of the encryption to Oracle 19c but it is unclear what patch level this will be done in. At the time of writing this improvement had not been back ported to Oracle 19.14.0.0.0. This feature may work on later patches of Oracle 19c. Contact Oracle Customer Support for more specific information.
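Because the workaround leaves the AFX-to-Oracle session unencrypted until the line is removed, it helps to be able to check a wrapper.conf for it. The following is an added example, not RSA's tooling: it reports the next unused wrapper.java.additional ordinal (for step b), any active encryption override left in place, and any ordinal used twice. The function name and the sample file contents are hypothetical and constructed for illustration.

```python
import re

# Active (uncommented) "wrapper.java.additional.N=value" lines only.
ADDITIONAL = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")
OVERRIDE = "oracle.net.encryption_client=rejected"

def audit_wrapper_conf(text):
    """Return (next_free_ordinal, overrides, duplicate_ordinals).

    overrides is a list of (line_number, ordinal) for every active line that
    tells the Oracle client to reject encryption.
    """
    used, overrides = {}, []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = ADDITIONAL.match(line)   # lines starting with '#' do not match
        if not match:
            continue
        ordinal, value = int(match.group(1)), match.group(2)
        used.setdefault(ordinal, []).append(line_no)
        if OVERRIDE in value.lower():
            overrides.append((line_no, ordinal))
    duplicates = sorted(n for n, lines in used.items() if len(lines) > 1)
    next_free = max(used, default=0) + 1
    return next_free, overrides, duplicates

# Constructed sample, not the contents of a real AFX wrapper.conf.
SAMPLE_CONF = """\
# constructed sample
wrapper.java.additional.1=-Dexample.one=1
wrapper.java.additional.2=-Dexample.two=2
#wrapper.java.additional.3=-Dcommented.out=1
wrapper.java.additional.3=-Doracle.net.encryption_client=rejected
"""

if __name__ == "__main__":
    next_free, overrides, duplicates = audit_wrapper_conf(SAMPLE_CONF)
    print("next free ordinal:", next_free)
    for line_no, ordinal in overrides:
        print(f"line {line_no}: additional.{ordinal} disables Oracle NNE encryption")
    if duplicates:
        print("ordinals used more than once:", duplicates)
```

Run it against /home/oracle/AFX/esb/conf/wrapper.conf before editing to pick the ordinal, and again after an upgrade to confirm the override is gone.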
Article Number
000068114
Applies To
RSA Product Set: RSA Governance & Lifecycle
RSA Version/Condition: RSA Governance & Lifecycle 7.5.x
Issue
Unification is failing at step 8, post-processing: populate role metrics, with the following error shown in the DB summary log:
"ORA-06512: at ""AVUSER.ROLE_MANAGEMENT_PKG"", line 2469
ORA-06512: at ""AVUSER.ROLE_MANAGEMENT_PKG"", line 2469
ORA-06512: at ""AVUSER.ROLE_MANAGEMENT_PKG"", line 9593
ORA-06512: at ""AVUSER.UNFC_PROCESSOR"", line 260
ORA-06512: at ""AVUSER.UNFC_PROCESSOR"", line 41"
And the following error is shown in AveksaServer.log:
02/13/2023 18:13:17.511 ERROR (Exec Task Consumer#0 - Sequence) [com.aveksa.server.xfw.TaskExecutor] Failed method=Execute ExecutionTask[TaskID=750216 RunID=345561 Source=521 Type=EntitlementExplosionProcessing Status=InProgress]
com.aveksa.server.xfw.ExecutionException: com.aveksa.server.db.PersistenceException: java.sql.SQLSyntaxErrorException: ORA-00936: missing expression
ORA-06512: at "AVUSER.ROLE_MANAGEMENT_PKG", line 2469
ORA-06512: at "AVUSER.ROLE_MANAGEMENT_PKG", line 2469
ORA-06512: at "AVUSER.ROLE_MANAGEMENT_PKG", line 3833
ORA-06512: at "AVUSER.COMMON_EXPLODER", line 181
ORA-06512: at line 1
Cause
This issue occurs if a Role Membership Rule is not configured correctly or has an invalid filter.
Resolution
Contact RSA Customer Support for information on how to remediate this issue.