This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA SecurID® Access Discussions

Browse the SecurID Access discussion board to get product help and collaborate with other users of SecurID Access.
ConorMcCracken
Contributor
Contributor
‎2017-01-12 10:40 AM

Enabling TLS 1.2 on 8.1

Jump to solution

Hi

 

I want to enable TLS 1.2 we are running 8.1 at the moment, we are planning on upgrading to 8.2 later in the year but we have the vulnerability so we need to enable TLS 1.2

 

My plan is to

Upgrade to 8.1 SP1 First on Primary and then all Replica's

Upgrade to 8.1.1 patch 15 on Primary and then all Replica's

Run the script on the Primary to enable TLS 1.2

 /opt/rsa/am/utils directory “configure_tls12_mode.sh -e  this should enable TLS 1.2

Do I have to run this same script on all replica's as well or will the settings replicate down from the Primary

 

I see the following comment on the details about enabling TLS 1.2 (https://community.rsa.com/thread/186919)
"unable to attached replicas while in TLS 1.2 mode"   Does this mean that with TLS enabled that we cannot join any new Replica's,  or do we need to upgrade to SP 1 Patch 15 and enable TLS on the New appliance before we can join it as a Replica

Labels (1)
0 Likes
Reply
1 Solution

Accepted Solutions
EdwardDavis
Employee
Employee
‎2017-01-12 11:16 AM

Jump to solution

You have to do it on each replica(s) as well.

 

The web tiers also may need to be 'updated' in the operations console page of the primary.

 

About new replicas....
If you do this prior to version 8.2, then yes any new 8.1 replicas will not be able

to talk to 8.1.x primary if that primary is in tls 1.2 mode. You'd need to undo it on

the primary, set up a new 8.1 base replica, patch replica to sp1, then sp1 patch 13 or higher, then

re-enable tls 1.2 mode.

 

In version 8.2 all new 8.2 replicas start life knowing how to talk tls 1.2, so good to go there. 

But 8.1 new replicas are not able to negotiate tls 1.2, therefore, no go to set up against 8.1.x TLS primaries.

View solution in original post

Reply
3 Replies
EdwardDavis
Employee
Employee
‎2017-01-12 11:16 AM

Jump to solution

You have to do it on each replica(s) as well.

 

The web tiers also may need to be 'updated' in the operations console page of the primary.

 

About new replicas....
If you do this prior to version 8.2, then yes any new 8.1 replicas will not be able

to talk to 8.1.x primary if that primary is in tls 1.2 mode. You'd need to undo it on

the primary, set up a new 8.1 base replica, patch replica to sp1, then sp1 patch 13 or higher, then

re-enable tls 1.2 mode.

 

In version 8.2 all new 8.2 replicas start life knowing how to talk tls 1.2, so good to go there. 

But 8.1 new replicas are not able to negotiate tls 1.2, therefore, no go to set up against 8.1.x TLS primaries.

View solution in original post

Reply
ConorMcCracken
Contributor
Contributor
In response to EdwardDavis
‎2017-01-12 11:24 AM

Jump to solution

Hi Edward

 

So the steps would be

On the Primary

/opt/rsa/am/utils directory “configure_tls12_mode.sh -r to remove the TLS 1.2 configuration

 

Build new Replica and join to the Primary

Upgrade to 8.1 Sp1

Upgrade to 8.1.1 patch 13 or higher

Enable TLS 1.2 on Primary and then New Replica with the command

/opt/rsa/am/utils directory “configure_tls12_mode.sh -e

 

If I disable TLS 1.2 on the Primary will the other Replica's continue to replicate

Do you just have to disable the TLS so the New Replica can do the first connection to the Primary Appliance

0 Likes
Reply
EdwardDavis
Employee
Employee
In response to ConorMcCracken
‎2017-01-12 12:06 PM

Jump to solution

If you remain on versions lower than 8.2...

 

You need to undo TLS on all RSA servers, or you will have replication problems.

When there are existing replication problems, adding any new replica to an environment

that has non-working or non-working replication could become problematic.

 

So, for best predictable outcome...

...on 8.1.x....

full tls undo,

check replication, verify all is normal,

add the new replica, patch that new replica up,

re-enable tls across the board.

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.