Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
I am running sample rsa agent code in our liferay portal server(Linux). While running app, it seems agent connecting to AM (manager) but at end getting following error:
08:38:52,354 ERROR com.rsa.authagent.authapi.v8.logger.b:? - Error in initial AuthnReq/Rsp for serverTime.Error in processing Authn request: Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Can't create api: com.rsa.authagent.authapi.AuthAgentException: Error in initial AuthnReq/Rsp for serverTime.Error in processing Authn request: Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
I have following entry into rsa_api.properties:
# Provide the Agent Version - default value is 'UnKnown'
RSA_AGENT_VERSION = 7.1
Following is my RSAAuthUserBean class where I am trying to create rsa agent api. Above exception occurred while creating api (api = AuthSessionFactory.getInstance(path))
public RSAAuthUserBean() throws Exception
private AuthSessionFactory api = null;
io = new ConsoleIO();
String path = "/var/lib/nysid/bundles/tomcat-7.0.42/webapps/rsaLogin/WEB-INF/rsa_api.properties";
api = AuthSessionFactory.getInstance(path)
catch (AuthAgentException e)
io.outputLn("Can't create api: " + e.getMessage());
Any help would be highly appreciated.
- Auth Agent
- Authentication Agent
- cipher suite
- Community Thread
- Forum Thread
- RSA SecurID
- RSA SecurID Access
Thanks for your reply.
RSA_AGENT_VERSION = 7.1
Auth Manager version: Server release = 8.3.0 P 04.0
RSA Authentication SDK version : 184.108.40.206.0
Please mention if above aren’t asked info?
I am using JDK 1.8.0_201 already on agent server. See below. Should I try other JDK version?
-bash-4.1$ echo $JAVA_HOME
There was a support case 2 years where the agent API hit this same error, and they modified a config.xml file to push TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 to the top of the negotiation list as a kind of a hack to avoid this. That cipher appears to have been deprecated somewhere around AM 8.2 SP1 or 8.3. If you cannot configure JDK 1.8.0_201 to request a newer cipher, you could open a support case and ask about this 'unsupported' procedure. What about TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, , can you use that with your JDK?
Could you please specify where I can find conf.xml file to push TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 to the top of the negotiation list.
BTW, I looked into java.policy file (/jdk1.8.0_201/jre/lib/security) where I found cipher suite. Following is the commented code from java.policy:
Per SSL/TLS specifications, cipher suites have the form:
For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
algorithm for HMAC.
The LegacyAlgorithm can be one of the following standard algorithm names:
1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
2. JSSE key exchange algorithm name, e.g., RSA
3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
4. JSSE message digest algorithm name, e.g., SHA
Should I use TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 somewhere above?