This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

How to understand SSL protocols and ciphers in Authentication Manager 8.x

Article Number

000034885

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.1

Issue

Authentication Manager supports various SSL protocols such as TLS versions 1.1, 1.0, and 1.2, aka TLS1_0, TLS1_1 and TLS1_2 depending on the specific version of Authentication Manager, but also supports limiting or blocking some of these protocols, especially the older ones.  In Authentication Manager 8.2 RSA  also stopped support for ciphers that use RC4 algorithms.  

Customers are trying to figure out if they need to enforce strict TLS1_2 mode in order to gain support for TLSv1.2, in Authentication Manager, the Self-Service Console, on the Web Tiers, as well as with integrations with API tools like Authentication Manager Prime and Authentication Manager Integration Service (AMIS).  This would also affect SecurID software token distributions to Apple iOS devices since the new App Transport Security (ATS) feature was released in January 2017 that requires SSL connections, such as CT-KIP, to use only TLSv1.2 with SHA2 signed certificates.

Task

Upgrade information

  • If you need support for TLS version 1.2 SSL protocol, then upgrade to at least Authentication Manager 8.1 SP1 P3.
  • If you need to prevent SSL protocols that a less than TLSv1.2, you need to patch at least to Authentication Manager 8.1 SP1 P13 and run the strict TLS1_2 enable script.
  • If you need to prevent the use of RC4 ciphers, upgrade to at least Authentication Manager 8.2.
  • When you have Apple iOS devices that use CT-KIP and App Transport Security has been implemented, you DO NOT need strict TLS.  You only need support for TLS (and SHA2 signed certificates).  See this blog post by Jeffrey Carpenter, RSA Product Marketing Manager, entitled ATTN: RSA SecurID Customers..Apple iOS ATS Issue and What to Do About It.
 

Enabling strict TLS

You enable strict TLS when your security scan flags insecure SSL protocols and your policy dictates they must be eliminated. Beware that there are implications when you do this.  For example, older Windows clients that do not support TLSv1.2 will not work, and this could affect RSA RADIUS in Authentication Manager 8.1 SP1.  If your scan flags insecure RC4 ciphers then plan your upgrade to Authentication Manager 8.2 to address that.
 

Viewing available ciphersuites

You can see RSA ciphersuites in the opt/rsa/am/server/config/config.xml, which has a section for various servers and the biztier server which control the RSA consoles.

If you look at this server's <ssl> section, you can see a list of ciphersuites.  Older Authentication Manager 8.0 or 8.1 servers will list ciphersuites such as TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_AES_256_GCM_SHA256.

Newer Authentication Manager 8.2 servers will exclude all RC4 ciphers, and show ciphersuites such as TLS_ECDHE_WITH_AES_256_GCM_SHA384 and even TLS_RSA_WITH_AES_256_GCM_SHA256 for older browsers/clients, but not RC4, as shown: 

​<ssl>
<name>biztier</name>
<enabled>true</enabled>
​<ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
​<ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</ciphersuite>
​<ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_GCM_SHA256</ciphersuite>
​<ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_GCM_SHA384</ciphersuite>
​<ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</ciphersuite>
 

Authentication Manager version

You can check your version of Authentication Manager two ways:
  1. On the Security Console Home tab, click Software Version Information and look at the version listed.
  2. In the Operations Console select Maintenance > Update and Rollback.  The current version is listed towards the top of the page.


Use OpenSSL to verify presence of cipher or protocol

You can also use openssl to verify if a cipher or protocol is present.  Use one of the following commands: 

openssl s_client -connect 192.168.2.30:7004 -ssl3
or

openssl s_client -connect 192.168.2.30:7004 -cipher RC4-SHA

Resolution

Secure Sockets Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet.  It is based in part on asymmetric keys and the Public Key Infrastructure, PKI so that more efficient symmetric keys can securely be exchanged.

In general, and as you would expect, older protocols such as SSLv2 and SSLv3, are considered less secure or insecure.  Newer protocols, such as TLSv1.2 are considered more secure.

There are two issues here:

  1. When or in what Authentication Manager version is a protocol supported or available
  2. When and how can older protocols be prevented
Image descriptionImage description

Notes

Some errors related to mismatch between SSL client and SSL server as to protocols or ciphers include the following: 

ERR_SSL_PROTOCOL_ERROR
socket: Connection refused
connect:errno=111
This page can't be displayed
it is possible this site uses an unsupported protocol or cipher suite such as RC4
SSLv3 Record Layer: Alert (Level: Fatal, Description: Illegal Parameter)
 
Image descriptionImage description

See also:

0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-04-23 11:54 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.