Article Number
000032846
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP 1 patch 13
Issue
Secure Sockets Layer (SSL) connections use a protocol version, such as SSL version 3 or TLS version 1, together with a cipher, such as RC4.
RSA Authentication Manager products generally:
- No longer use the older SSL2.
- Still allow SSL3, unless it is disabled with RSA Authentication Manager 8.1 SP1 patch 13 (the TLS patch).
- Prefer or default to using TLS version 1 (aka TLS1) starting with RSA Authentication Manager 8.1 SP1 patch 2.
One immediate problem with RSA Authentication Manager 8.1 SP1 patch 13 is that while the WebLogic server embedded in RSA Authentication Manager supports TLS1_2, the openssl utility included in the SUSE Linux distribution does not. If you use openssl to test that the RSA Authentication Manager server accepts TLS 1.2 (and rejects other protocols such as SSL version 3 or TLS version 1), you have to test from another platform, not from the RSA Authentication Manager server itself.
This article shows how to verify that the TLS 1.2 configuration is working correctly, and shows some useful testing and troubleshooting techniques using the openssl utility.
Task
Find and use openssl 1.0.1, which is not in the SUSE Linux distribution that is provided with RSA Authentication Manager 8.1 SP1 patch 13 and earlier.
Resolution
The openssl version command displays the version of your openssl distribution.
- On an RSA Authentication Manager 8.1 SP1 patch 13 or earlier RSA SecurID appliance, which ships openssl 0.9.8 (no TLS1_2 support), you will see:
rsaadminam81p~> openssl version
OpenSSL 0.9.8j-fips 07 Jan 2009
rsaadminam81p~>
- Recent Red Hat or Ubuntu releases include a later version of openssl, such as 1.0.1:
[root@rh81wt !]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@rh81wt !]#
You can force openssl s_client to request a specific protocol such as TLS version 1.2 with the -tls1_2 switch. In this example, 192.168.2.30 is an RSA Authentication Manager 8.1 SP1 patch 13 appliance and :7004 is the port for the Security Console and Self-Service Console:
rsaadminam81p~>openssl s_client -connect 192.168.2.30:7004 -tls1_2
unknown option -tls1_2
usage: s_client args
-host host - use -connect instead
-port port - use -connect instead
You will see a syntax error with openssl version 0.9.8 because TLS1.2 is not supported, so the -tls1_2 switch is an unknown option. The same command works with openssl version 1.0.1 or later, where the option is recognized:
[root@rh81wt !]# openssl s_client -connect 192.168.2.30:7004 -tls1_2
CONNECTED(00000003)
depth=1 CN = RSA root CA for am81p.vcloud.local, serialNumber=2660b7301e756f1418b6cb8fb3145ff0b32d296f0f21f901cfe65ae486701349
verify error:num=19:self signed certificate in certificate chain
verify return:0
140401050306376:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
140401050306376:error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib:s3_clnt.c:1641:
---
certificate chain
Scroll down to see:
server public key is 2048 bit
Secure Renegotiation is supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Notes
Enabling TLS1_2 mode on RSA Authentication Manager 8.1 SP1 patch 13 and later servers requires that RSA Authentication Agents for Windows that require autoregistration and offline data also be upgraded to RSA Authentication Agents for Windows 7.3 or later.
Some openssl syntax examples:
openssl version (1.0.1 or later supports up to TLS version 1.2)
openssl s_client -connect 192.168.2.30:7004
openssl s_client -connect 192.168.2.30:7004 -ssl3
openssl s_client -connect 192.168.2.30:7004 -tls1
openssl s_client -connect 192.168.2.30:7004 -tls1_1
openssl s_client -connect 192.168.2.30:7004 -tls1_2
openssl s_client -connect 192.168.2.30:7004 -showcerts
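The two checks this article walks through, first that the local openssl is new enough to send a TLS 1.2 ClientHello and second reading the s_client output to see which protocol the appliance actually agreed to, can be scripted. The following shell script is an added example written for this article, not RSA's own tooling; the sample version strings and s_client excerpts are constructed to mirror the output shown above (the cipher name in the sample is an assumption), and the script name check_tls.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the RSA article): check whether the local openssl
# can test TLS 1.2 at all, and read the result of an "openssl s_client" probe.
set -e

# Returns 0 when the "openssl version" line names 1.0.1 or later
# (the first OpenSSL release with TLS 1.2 support), 1 otherwise.
openssl_supports_tls12() {
    # "OpenSSL 0.9.8j-fips 07 Jan 2009" -> "0.9.8"
    ver=$(printf '%s\n' "$1" | awk '{print $2}' | sed 's/[^0-9.].*//')
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    patch=${rest%%.*}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 0 ] && return 0
    [ "$major" -eq 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# Prints the negotiated protocol from s_client output, or "none" (and
# returns 1) when no cipher was agreed, i.e. the server refused the
# requested version. The "Protocol :" line alone is not enough: s_client
# prints the requested version there even after a failed handshake, so
# the "Cipher is" line decides.
negotiated_protocol() {
    if printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
        echo none
        return 1
    fi
    printf '%s\n' "$1" | awk -F': *' '/^ *Protocol *:/ { sub(/[ \t]*$/, "", $2); print $2; exit }'
}

# Live probe: $1 is host:port (e.g. 192.168.2.30:7004), $2 a protocol
# switch such as -tls1_2. Run it from a host with openssl 1.0.1 or later,
# not from the appliance itself.
probe_protocol() {
    out=$(echo | openssl s_client -connect "$1" "$2" 2>&1 || true)
    negotiated_protocol "$out"
}

# Constructed samples mirroring the article's output (cipher name assumed).
SAMPLE_VERSION_OLD='OpenSSL 0.9.8j-fips 07 Jan 2009'
SAMPLE_VERSION_NEW='OpenSSL 1.0.1e-fips 11 Feb 2013'
SAMPLE_SCLIENT_OK='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256
SSL-Session:
    Protocol  : TLSv1.2'
SAMPLE_SCLIENT_REJECTED='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1'

# Usage: sh check_tls.sh --probe 192.168.2.30:7004
# Prints one line per protocol switch; after the TLS patch only -tls1_2
# should report a negotiated protocol, the others should report "none".
if [ "${1:-}" = "--probe" ]; then
    if ! openssl_supports_tls12 "$(openssl version)"; then
        echo "local openssl is too old to test TLS 1.2; run from another host" >&2
        exit 2
    fi
    for sw in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-8s -> %s\n' "$sw" "$(probe_protocol "$2" "$sw" || true)"
    done
fi
```

Run without arguments the script only defines the functions, so it can be sourced from other tooling; with --probe it walks the same four switches listed above and shows which versions the appliance still accepts, which is the check to repeat after applying the TLS patch.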
See
000032627 - How to export RSA Authentication Manager 8.0 and 8.1 Web Tier Virtual Host Key Pair to a PFX file.