Enabling TLS 1.2 on 8.1
Hi,
I want to enable TLS 1.2. We are running 8.1 at the moment, and we are planning on upgrading to 8.2 later in the year, but we have the vulnerability, so we need to enable TLS 1.2.
My plan is to:
- Upgrade to 8.1 SP1 first on the Primary and then on all Replicas
- Upgrade to 8.1.1 patch 15 on the Primary and then on all Replicas
- Run the script on the Primary to enable TLS 1.2: in the /opt/rsa/am/utils directory, run configure_tls12_mode.sh -e; this should enable TLS 1.2
Do I have to run this same script on all Replicas as well, or will the settings replicate down from the Primary?
I see the following comment in the details about enabling TLS 1.2 (https://community.rsa.com/thread/186919):
"unable to attached replicas while in TLS 1.2 mode". Does this mean that with TLS 1.2 enabled we cannot join any new Replicas, or do we need to upgrade the new appliance to SP1 Patch 15 and enable TLS 1.2 on it before we can join it as a Replica?
- Tags:
- 8.1
- 8.2
- AM
- Auth Manager
- Authentication Manager
- Community Thread
- Discussion
- enable tls 1.2
- Forum Thread
- RSA Authentication Manager
- RSA SecurID
- RSA SecurID Access
- SecurID
- tls 1.2
Accepted Solutions
You have to do it on each replica as well.
The web tiers may also need to be 'updated' in the Operations Console page of the primary.
About new replicas...
If you do this prior to version 8.2, then yes, any new 8.1 replicas will not be able to talk to an 8.1.x primary if that primary is in TLS 1.2 mode. You'd need to undo it on the primary, set up a new 8.1 base replica, patch the replica to SP1, then SP1 patch 13 or higher, then re-enable TLS 1.2 mode.
In version 8.2 all new 8.2 replicas start life knowing how to talk TLS 1.2, so you are good to go there.
But new 8.1 replicas are not able to negotiate TLS 1.2, so it's a no-go to set them up against 8.1.x TLS 1.2 primaries.
Hi Edward,
So the steps would be:
On the Primary:
- In the /opt/rsa/am/utils directory, run configure_tls12_mode.sh -r to remove the TLS 1.2 configuration
- Build the new Replica and join it to the Primary
- Upgrade to 8.1 SP1
- Upgrade to 8.1.1 patch 13 or higher
- Enable TLS 1.2 on the Primary and then on the new Replica with the command configure_tls12_mode.sh -e in the /opt/rsa/am/utils directory
If I disable TLS 1.2 on the Primary, will the other Replicas continue to replicate?
Do you just have to disable TLS 1.2 so the new Replica can make the first connection to the Primary appliance?
If you remain on versions lower than 8.2...
You need to undo TLS 1.2 on all RSA servers, or you will have replication problems.
When there are existing replication problems, adding any new replica to an environment that has non-working replication could become problematic.
So, for the most predictable outcome...
...on 8.1.x...
- full TLS 1.2 undo,
- check replication, verify all is normal,
- add the new replica, patch that new replica up,
- re-enable TLS 1.2 across the board.
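After the script has been run on the primary and on each replica, it is worth confirming that every appliance actually negotiates TLS 1.2 and no longer accepts TLS 1.0/1.1, because a single appliance left in the other mode is exactly the mismatch the answer above says breaks replication. This is an added example, not code from the thread or from RSA: it uses Python's ssl module to pin a client handshake to one protocol version at a time, and the host names and the port are assumptions you replace with your own.

```python
import socket
import ssl
from dataclasses import dataclass

# Assumption: the TLS service port to check. The thread names no port;
# use the port of the Authentication Manager service you want to verify.
DEFAULT_PORT = 443


@dataclass(frozen=True)
class ProbeResult:
    host: str
    accepts_legacy: bool  # a TLS 1.0 or TLS 1.1 handshake completed
    accepts_tls12: bool   # a TLS 1.2 handshake completed


def _handshake(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only protocol negotiation is under test, not trust
    try:
        # Let the client itself offer TLS 1.0/1.1: modern OpenSSL refuses them at
        # SECLEVEL >= 1, which would make every legacy probe look like a server refusal.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return False  # this client build cannot speak `version` at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError:
        return False  # handshake rejected: the server does not offer this version


def probe(host, port=DEFAULT_PORT):
    """Probe one appliance (primary or replica) for legacy and TLS 1.2 support."""
    legacy = any(_handshake(host, port, v)
                 for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1))
    return ProbeResult(host, legacy, _handshake(host, port, ssl.TLSVersion.TLSv1_2))


def fleet_problems(results):
    """Hosts out of step with TLS 1.2 mode: still accept legacy TLS, or lack TLS 1.2."""
    problems = []
    for r in results:
        if not r.accepts_tls12:
            problems.append((r.host, "no TLS 1.2"))
        elif r.accepts_legacy:
            problems.append((r.host, "still accepts TLS 1.0/1.1"))
    return problems
```

Run `fleet_problems([probe(h) for h in hosts])` over the primary, every replica and each web tier; an empty list means the whole deployment is in the same mode, and a host is unreachable the OSError from the connect is left to surface rather than being reported as a protocol result.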
