Enabling TLS 1.2 on 8.1
Hi
I want to enable TLS 1.2. We are running 8.1 at the moment; we are planning on upgrading to 8.2 later in the year, but we have the vulnerability so we need to enable TLS 1.2.
My plan is to:
Upgrade to 8.1 SP1 first on the Primary and then all Replicas
Upgrade to 8.1.1 patch 15 on the Primary and then all Replicas
Run the script on the Primary to enable TLS 1.2:
in the /opt/rsa/am/utils directory, "configure_tls12_mode.sh -e"; this should enable TLS 1.2
Do I have to run this same script on all Replicas as well, or will the settings replicate down from the Primary?
I see the following comment in the details about enabling TLS 1.2 (https://community.rsa.com/thread/186919):
"unable to attached replicas while in TLS 1.2 mode". Does this mean that with TLS enabled we cannot join any new Replicas, or do we need to upgrade to SP1 Patch 15 and enable TLS on the new appliance before we can join it as a Replica?
- Tags:
- 8.1
- 8.2
- AM
- Auth Manager
- Authentication Manager
- Community Thread
- Discussion
- enable tls 1.2
- Forum Thread
- RSA Authentication Manager
- RSA SecurID
- RSA SecurID Access
- SecurID
- tls 1.2
Accepted Solutions
You have to do it on each replica as well.
The web tiers also may need to be 'updated' in the Operations Console page of the primary.
About new replicas....
If you do this prior to version 8.2, then yes, any new 8.1 replicas will not be able to talk to an 8.1.x primary if that primary is in TLS 1.2 mode. You'd need to undo it on the primary, set up a new 8.1 base replica, patch the replica to SP1, then SP1 patch 13 or higher, then re-enable TLS 1.2 mode.
In version 8.2 all new 8.2 replicas start life knowing how to talk TLS 1.2, so good to go there.
But new 8.1 replicas are not able to negotiate TLS 1.2; therefore, no go to set up against 8.1.x TLS primaries.
Hi Edward
So the steps would be:
On the Primary:
in the /opt/rsa/am/utils directory, "configure_tls12_mode.sh -r" to remove the TLS 1.2 configuration
Build a new Replica and join it to the Primary
Upgrade to 8.1 SP1
Upgrade to 8.1.1 patch 13 or higher
Enable TLS 1.2 on the Primary and then the new Replica with the command
"configure_tls12_mode.sh -e" in the /opt/rsa/am/utils directory
If I disable TLS 1.2 on the Primary, will the other Replicas continue to replicate?
Do you just have to disable TLS so the new Replica can make the first connection to the Primary appliance?
If you remain on versions lower than 8.2...
You need to undo TLS on all RSA servers, or you will have replication problems.
When there are existing replication problems, adding any new replica to an environment that has non-working replication could become problematic.
So, for the best predictable outcome...
...on 8.1.x....
full TLS undo,
check replication, verify all is normal,
add the new replica, patch that new replica up,
re-enable TLS across the board.
Correct.
This method is valid only for AM 8.1 SP1 Patch 13, Patch 14 and Patch 15. There was one script for these AM servers and two scripts for Web Tiers, a .sh for Linux Web Tiers and a .cmd for Windows. It changed with AM 8.2, where there was an rsautil command on the Primary and replicas, and once that occurred, you could [Update] any Web Tiers not with a script but through the Ops Console Web Tier [Update] button.
If Replication [Sync] is failing after enabling Strict TLS 1.2 on your AM 8.1 SP1 P15 servers, you might have come across a bug where one of the files in the /opt/rsa/am/server/wrapper directory
AdminServerWrapper.conf
BiztierServerWrapper.conf
ConsoleServerWrapper.conf
RadiusOCServerWrapper.conf
ReplicaReplicationWrapper.conf
has lost, after a reboot, the entry that restricts all connections EXCEPT RADIUS to TLSv1.2:
wrapper.java.additional.AA=-Dcom.rsa.requiredProtocols=SSLv3,TLSv1.2
RADIUS in AM 8.1 SP1 needs SSLv3. A network packet capture of this Replication [SYNC] failure will show the replica connecting back to the primary with SSLv3, which is rejected.
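Added example, not from this thread or from RSA: a POSIX sh check that reports which of the five wrapper .conf files named above have lost the requiredProtocols entry after a reboot, so the sync failure can be caught before a packet capture is needed. It assumes the file names and entry exactly as posted (the "AA" index is treated as a placeholder, so any index is accepted); has_required_protocols, count_missing and make_demo_dir are hypothetical helper names, and the demo directory is constructed sample data, not real AM files.

```shell
#!/bin/sh
# Verify that each AM 8.1 SP1 wrapper .conf still pins non-RADIUS connections to TLSv1.2.
# Hypothetical helper script; file names and the entry come from the forum post above.

WRAPPER_FILES="AdminServerWrapper.conf BiztierServerWrapper.conf ConsoleServerWrapper.conf RadiusOCServerWrapper.conf ReplicaReplicationWrapper.conf"
# The "AA" in the posted entry is an index placeholder, so any index value matches.
ENTRY_RE='^wrapper\.java\.additional\.[^=]*=-Dcom\.rsa\.requiredProtocols=SSLv3,TLSv1\.2$'

# has_required_protocols FILE -> exit 0 if the entry is present, 1 if absent or file missing
has_required_protocols() {
  [ -f "$1" ] && grep -q "$ENTRY_RE" "$1"
}

# count_missing DIR -> prints on stdout how many wrapper files lack the entry;
# each offender is named on stderr so the check can run from cron after a reboot.
count_missing() {
  dir="$1"; missing=0
  for f in $WRAPPER_FILES; do
    if ! has_required_protocols "$dir/$f"; then
      echo "MISSING requiredProtocols entry: $dir/$f" >&2
      missing=$((missing + 1))
    fi
  done
  echo "$missing"
}

# make_demo_dir -> builds a constructed sample wrapper directory (not real AM files):
# three files keep the entry, two have lost it; prints the directory path.
make_demo_dir() {
  d=$(mktemp -d)
  for f in $WRAPPER_FILES; do
    printf 'wrapper.java.command=java\nwrapper.java.additional.1=-Xmx256m\n' > "$d/$f"
  done
  for f in AdminServerWrapper.conf BiztierServerWrapper.conf ConsoleServerWrapper.conf; do
    echo 'wrapper.java.additional.12=-Dcom.rsa.requiredProtocols=SSLv3,TLSv1.2' >> "$d/$f"
  done
  echo "$d"
}

# Stand-alone demo on the constructed directory: prints 2, names the two offenders on stderr.
# Real use on an appliance: count_missing /opt/rsa/am/server/wrapper
DEMO_DIR=$(make_demo_dir)
count_missing "$DEMO_DIR"
rm -rf "$DEMO_DIR"
```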
