SecurID® Discussions
RajSinha
Beginner

Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

I am running the sample RSA agent code on our Liferay portal server (Linux). While running the app, it seems the agent is connecting to AM (manager), but at the end I get the following error:

 

08:38:52,354 ERROR com.rsa.authagent.authapi.v8.logger.b:? - Error in initial AuthnReq/Rsp for serverTime.Error in processing Authn request: Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Can't create api: com.rsa.authagent.authapi.AuthAgentException: Error in initial AuthnReq/Rsp for serverTime.Error in processing Authn request: Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

 

I have the following entries in rsa_api.properties:

 

RSA_AGENT_TYPE=RSA_WEB_AGENT
# Provide the Agent Version - default value is 'UnKnown'
RSA_AGENT_VERSION = 7.1
SDCONF_LOC=/var/lib/nysid/bundles/tomcat-7.0.42/webapps/rsaLogin/WEB-INF/sdconf.rec
SDNDSCRT_LOC=/var/lib/nysid/bundles/tomcat-7.0.42/webapps/rsaLogin/WEB-INF/classes/securid
RSA_LOG_TO_CONSOLE=NO
RSA_LOG_TO_FILE=YES
RSA_LOG_FILE=/var/lib/nysid/bundles/tomcat-7.0.42/webapps/rsaLogin/WEB-INF/classes/my_api_events.log
RSA_LOG_LEVEL=INFO
RSA_LOG_FILE_SIZE=1MB
RSA_LOG_FILE_COUNT=10
RSA_CONNECTION_TIMEOUT=60
RSA_READ_TIMEOUT=60
RSA_CONFIG_DATA_LOC=/var/lib/nysid/bundles/tomcat-7.0.42/webapps/rsaLogin/WEB-INF/Agents/Artifacts/
RSA_ENC_ALGLIST=AES/16,AES/24,AES/32

 

The following is my RSAAuthUserBean class, where I am trying to create the RSA agent API. The above exception occurred while creating the API (api = AuthSessionFactory.getInstance(path)).

 

// Field of RSAAuthUserBean; declared outside the constructor.
private AuthSessionFactory api = null;

public RSAAuthUserBean() throws Exception
{
    io = new ConsoleIO();

    try
    {
        String path = "/var/lib/nysid/bundles/tomcat-7.0.42/webapps/rsaLogin/WEB-INF/rsa_api.properties";
        io.outputLn("Creating api");
        // The AuthAgentException shown above is thrown by this call.
        api = AuthSessionFactory.getInstance(path);
    }
    catch (AuthAgentException e)
    {
        // Log the failure and rethrow it to the caller.
        io.outputLn("Can't create api: " + e.getMessage());
        throw e;
    }
}

 

Any help would be highly appreciated.  

 

Thanks,

Rajesh

 

0 Likes
8 Replies
TedBarbour
Employee

Hi Raj - it would be helpful to know the API and Auth Manager versions being used.

 

Thanks,

Ted

0 Likes

Hi Ted,

 

Thanks for your reply.

 

RSA_AGENT_VERSION = 7.1

 

Auth Manager version: Server release = 8.3.0 P 04.0

 

RSA Authentication SDK version : 8.6.0.0.0[75]

 

Please let me know if the above isn't the information you asked for.

 

Thanks,

Raj

0 Likes

I see a couple of prior support cases where this error was corrected by using JDK 1.8.  If that is not the issue then I would recommend opening a support case to troubleshoot further.

 

Thanks,

Ted

0 Likes

I believe you are suggesting changing to JDK 1.8 on the agent server, right? I am using jdk1.8.0_201 where the agent is running.

 

Thanks,

Raj

0 Likes

Yes, sorry I was referring to the agent side of things.

0 Likes

I am already using JDK 1.8.0_201 on the agent server. See below. Should I try another JDK version?

 

-bash-4.1$ echo $JAVA_HOME

/var/lib/nysid/sandbox/jdk1.8.0_201/

-bash-4.1$

0 Likes
JayGuillette
Apprised Contributor

There was a support case 2 years ago where the agent API hit this same error, and they modified a config.xml file to push TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 to the top of the negotiation list as a kind of hack to avoid this. That cipher appears to have been deprecated somewhere around AM 8.2 SP1 or 8.3. If you cannot configure JDK 1.8.0_201 to request a newer cipher, you could open a support case and ask about this 'unsupported' procedure. What about TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, can you use that with your JDK?

 

0 Likes

Thanks Jay.

 

Could you please specify where I can find the conf.xml file to push TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 to the top of the negotiation list?

 

BTW, I looked into the java.policy file (/jdk1.8.0_201/jre/lib/security), where I found the cipher suites. The following is the commented text from java.policy:

 

# Per SSL/TLS specifications, cipher suites have the form:
#     SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
# or
#     TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
#
# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
# algorithm for HMAC.
#
# The LegacyAlgorithm can be one of the following standard algorithm names:
#     1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
#     2. JSSE key exchange algorithm name, e.g., RSA
#     3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
#     4. JSSE message digest algorithm name, e.g., SHA

 

Should I use TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 somewhere above?

 

Thanks,

Raj

0 Likes
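Added example, not part of the thread and not RSA's code: a small Java program that answers the "can you use that with your JDK?" question by reporting whether the two cipher suites named above are supported and enabled in the JVM's default JSSE configuration, where they sit in the default offer order, and what the `jdk.tls.*` restrictions in java.security say. The class name `CipherSuiteCheck` is hypothetical, and it is an assumption that the agent API uses the JVM's JSSE defaults; the thread does not confirm which TLS stack reports the error.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (hypothetical class name). Reports JSSE support for the
// cipher suites discussed in this thread. Assumes the agent API relies on
// the JVM's default JSSE settings, which the thread does not confirm.
public class CipherSuiteCheck {

    // Suite names copied from the thread.
    static final String[] SUITES = {
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    };

    // Classifies one suite against the supported and default-enabled lists.
    static String status(String suite, List<String> supported, List<String> enabled) {
        int pos = enabled.indexOf(suite);
        if (pos >= 0) {
            // Position in the default list is the order offered in the ClientHello.
            return "enabled by default, offer position " + (pos + 1) + " of " + enabled.size();
        }
        if (supported.contains(suite)) {
            return "supported but not enabled by default";
        }
        return "not supported by this JVM";
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters all = ctx.getSupportedSSLParameters();
        SSLParameters def = ctx.getDefaultSSLParameters();
        List<String> supported = Arrays.asList(all.getCipherSuites());
        List<String> enabled = Arrays.asList(def.getCipherSuites());

        System.out.println("java.version      = " + System.getProperty("java.version"));
        System.out.println("java.home         = " + System.getProperty("java.home"));
        System.out.println("default protocols = " + Arrays.toString(def.getProtocols()));
        for (String suite : SUITES) {
            System.out.println(suite + ": " + status(suite, supported, enabled));
        }
        // Restrictions configured in <java.home>/lib/security/java.security.
        for (String prop : new String[] {"jdk.tls.disabledAlgorithms", "jdk.tls.legacyAlgorithms"}) {
            System.out.println(prop + " = " + Security.getProperty(prop));
        }
    }
}
```

Compile and run it with the same `JAVA_HOME` the Tomcat instance uses, so the output reflects the JVM and java.security file the agent actually runs under.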