How to Enable or Disable Strict TLS 1.2 Mode in RSA Authentication Manager 8.x Using the CLI
Originally Published: 2016-06-16
Article Number
000067842
Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x (AM 8.1 SP1 P3 up to AM 8.7 SP2 P6)

Note: AM 8.8 introduces support for TLS 1.3 with new control syntax.

Issue

The Payment Card Industry Data Security Standard (PCI DSS) has recommended using Transport Layer Security (TLS) 1.2 for secure network communications since 2016. Starting with RSA Authentication Manager 8.1 SP1 P3, deployments support Strict TLS mode, which restricts all communication to TLS 1.2 only — preventing negotiation down to SSLv3, TLS 1.0, or TLS 1.1. The Strict TLS syntax introduced in AM 8.2 remains in use through AM 8.7 SP2 P6, and must be re-enabled after each patch upgrade.


ℹ️ NOTE: AM 8.8 introduces support for TLS 1.3 with new control syntax. This article applies to AM 8.1 SP1 P3 through AM 8.7 SP2 P6 only.


Prerequisites:

  • The rsaadmin operating system password for the primary instance and each replica instance
  • SSH must be enabled on every appliance in your deployment

Updating the primary instance automatically updates the web tier, but the web tier must be restarted for the change to take effect.


Tasks

This article covers the following tasks:

Task 1: Enable Strict TLS 1.2

  • Action: Restricts deployment to TLS 1.2 only.
  • Key Details: Disables SSLv3, TLS 1.0, and TLS 1.1.

Task 2: Disable Strict TLS 1.2

  • Action: Re-enables TLS 1.0 and TLS 1.1 support.
  • Key Details: Use this option when compatibility with older clients is required.


Resolution

Task 1: Enable Strict TLS 1.2 Mode

Step 1: Log on to the Authentication Manager appliance as rsaadmin using one of the following methods:

  • Hardware appliance: Use an SSH client
  • VMware virtual appliance: Use an SSH client or the VMware vSphere Client
  • Hyper-V virtual appliance: Use an SSH client, the Hyper-V Virtual Machine Manager Console, or the Hyper-V Manager

Step 2: Navigate to the /opt/rsa/am/utils directory:

cd /opt/rsa/am/utils

Step 3: Run the following command to enable Strict TLS 1.2 mode: 

./rsautil store -a enable_min_protocol_tlsv1_2 true restart

Step 4 (Optional — Manual Restart): If you chose to restart services manually, navigate to /opt/rsa/am/server and run:

cd /opt/rsa/am/server
./rsaserv restart all

Step 5: Repeat Steps 1–4 for each replica instance in your deployment.

Step 6: Restart the web tier:

  • Windows server: Open Windows Services and restart the web tier services
  • Linux server: Navigate to RSA_WT_HOME/webtierBootstrapper/server and run:

./rsaserv restart all


Step 7 (Verification): Confirm that SSLv3, TLS 1.0, and TLS 1.1 connections are rejected by the appliance. Attempt a test connection using a TLS 1.1 client — the connection should fail, confirming Strict TLS 1.2 mode is active.



Task 2: Disable Strict TLS 1.2 Mode

Step 1: Log on to the Authentication Manager appliance as rsaadmin using one of the following methods:

  • Hardware appliance: Use an SSH client
  • VMware virtual appliance: Use an SSH client or the VMware vSphere Client
  • Hyper-V virtual appliance: Use an SSH client, the Hyper-V Virtual Machine Manager Console, or the Hyper-V Manager

Step 2: Navigate to the /opt/rsa/am/utils directory:

cd /opt/rsa/am/utils

Step 3: Run the following command to disable Strict TLS 1.2 mode and re-enable support for TLS 1.0 and TLS 1.1:

./rsautil store -a enable_min_protocol_tlsv1_2 false restart

Step 4 (Optional — Manual Restart): If you chose to restart services manually, navigate to /opt/rsa/am/server and run:

cd /opt/rsa/am/server
./rsaserv restart all

Step 5: Repeat Steps 1–4 for each replica instance in your deployment.

Step 6: Restart the web tier:

  • Windows server: Open Windows Services and restart the web tier services
  • Linux server: Navigate to RSA_WT_HOME/webtierBootstrapper/server and run:

./rsaserv restart all

Step 7 (Verification): Confirm that TLS 1.0 and TLS 1.1 connections are now accepted by the appliance. Attempt a test connection using a TLS 1.1 client — the connection should succeed, confirming Strict TLS 1.2 mode has been disabled.
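The verification in Step 7 of both tasks can be scripted. The following is an added example, not part of the RSA article: it probes the appliance with openssl s_client for each protocol version and compares the result with what the configured mode (true or false) should produce. The host name, the port and the script name are placeholders, and it assumes an openssl client whose build still allows TLS 1.0 and TLS 1.1 handshakes.

```shell
#!/bin/sh
# Added verification helper, not from the RSA article: probes which TLS versions an
# AM instance negotiates with openssl s_client. Host and port are placeholders.

# classify_handshake: read openssl s_client output on stdin and print one word:
#   ACCEPTED - a cipher was negotiated, so the server allowed this protocol version
#   REJECTED - TCP connected but the TLS handshake was refused
#   ERROR    - no TCP connection at all (wrong host/port, firewall, service down)
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"Cipher is (NONE)"*) echo REJECTED ;;
        *"Cipher is "*)       echo ACCEPTED ;;
        *"CONNECTED("*)       echo REJECTED ;;  # connected, handshake never completed
        *)                    echo ERROR ;;
    esac
}

# probe_protocol HOST PORT FLAG, where FLAG is -tls1, -tls1_1 or -tls1_2
probe_protocol() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_handshake
}

# expected_result MODE FLAG: what enable_min_protocol_tlsv1_2 true/false should yield
expected_result() {
    case "$1:$2" in
        *:-tls1_2) echo ACCEPTED ;;
        true:*)    echo REJECTED ;;  # strict mode on: TLS 1.0 and 1.1 refused
        false:*)   echo ACCEPTED ;;  # strict mode off: TLS 1.0 and 1.1 accepted again
    esac
}

# verify_tls_mode HOST PORT MODE: exit status 0 only if every probe matches expectation
verify_tls_mode() {
    rc=0
    for flag in -tls1 -tls1_1 -tls1_2; do
        got=$(probe_protocol "$1" "$2" "$flag")
        want=$(expected_result "$3" "$flag")
        if [ "$got" = "$want" ]; then status=OK; else status=MISMATCH; rc=1; fi
        printf '%-8s expected %-8s got %-8s %s\n' "$flag" "$want" "$got" "$status"
    done
    return "$rc"
}

# Usage: sh check_tls.sh am-primary.example.com PORT true   (PORT = AM HTTPS port to check)
if [ "$#" -eq 3 ]; then verify_tls_mode "$1" "$2" "$3"; fi
```

If the openssl build on the probing host has TLS 1.0 and TLS 1.1 disabled on the client side, the legacy probes report REJECTED regardless of the appliance, so run the script from a host whose openssl can still negotiate those versions.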


Notes

  • Re-enable After Patching: Strict TLS 1.2 mode must be re-enabled after each patch or upgrade for AM 8.6 and all subsequent patches. After completing an upgrade, repeat the enable procedure in Task 1 above.
  • AM 8.8 and Later: AM 8.8 introduces support for TLS 1.3 with new control syntax. The steps in this article do not apply to AM 8.8 or later. Refer to the AM 8.8 release documentation for updated TLS configuration instructions.
  • Known Limitations: For a full list of known limitations when running in Strict TLS 1.2 mode, including impacts on trusted realm authentication, refer to Limitations of strict TLS 1.2 mode.
