Enable Strict TLS 1.2 Mode
The Payment Card Information Data Security Standard (PCI DSS) recommends using the Transport Layer Security (TLS) 1.2 cryptographic protocol for secure network communications. By default, Authentication Manager 8.2 or later deployments use TLS 1.2; however, TLS 1.0 and TLS 1.1 are also supported. Authentication Manager supports a strict TLS mode that only uses TLS 1.2 for communication within your deployment.
You can enable and disable the strict TLS 1.2 mode. To do so, perform the following procedure on the primary instance and each replica instance. Updating the primary instance automatically updates the web tier, but restarting the web tier is required for the changes to take effect.
Before you begin
Obtain the rsaadmin operating system password for the primary instance and each replica instance.
Secure shell (SSH) must be enabled on every appliance in your deployment. For instructions, see Enable Secure Shell on the Appliance.
Procedure
Log on to the appliance with the User ID rsaadmin and the current operating system password:
On a hardware appliance, an Amazon Web Services appliance, or an Azure appliance, log on to the appliance using an SSH client.
On a VMware virtual appliance, log on to the appliance using an SSH client or the VMware vSphere client.
On a Hyper-V virtual appliance, log on to the appliance using an SSH client, the Hyper-V Virtual Machine Manager Console, or the Hyper-V Manager.
Change directories to /opt/rsa/am/utils.
Run one of the following commands. To restart all of your RSA Authentication Manager services later instead, remove restart from the command:
To enable strict TLS 1.2 mode, type:
./rsautil store -a enable_min_protocol_tlsv1_2 true restart
To disable strict TLS 1.2 mode so that your deployment can support TLS 1.0 and TLS 1.1, type:
./rsautil store -a enable_min_protocol_tlsv1_2 false restart
(Optional) If you decided to manually restart all of your RSA Authentication Manager services, do the following:
Change directories to /opt/rsa/am/server.
Type:
./rsaserv restart all
Repeat the steps for each Authentication Manager instance in your deployment.
After you finish
Restart the web tier.
Note: For Authentication Manager 8.6 and all subsequent patches or upgrades, you should enable Strict TLS mode again after the upgrade by following the procedure outlined above.
Note: This article is applicable only for AM 8.7 SP2 Px and lower deployments.
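To confirm the setting took effect once the services and the web tier have restarted, the following added example (not part of the original RSA article) offers TLS 1.0, 1.1 and 1.2 one at a time to a TLS listener and classifies the outcome. The host and port are placeholders supplied by the operator, and the function names are illustrative.

```python
import socket
import ssl
import warnings

LEGACY = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}
REQUIRED = {"TLSv1.2": ssl.TLSVersion.TLSv1_2}

def probe(host, port, version, timeout=5.0):
    """Offer exactly one TLS version to host:port and report the outcome."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol support is under test,
    ctx.verify_mode = ssl.CERT_NONE  # not certificate trust
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
        # Many OpenSSL builds refuse TLS 1.0/1.1 above security level 0.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return "client-unsupported"  # local library cannot offer this version
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "accepted"
    except OSError:                  # ssl.SSLError is a subclass of OSError
        return "rejected"            # handshake failed or was dropped
    finally:
        raw.close()

def audit(host, port):
    """Probe every version of interest against one instance's TLS listener."""
    return {n: probe(host, port, v) for n, v in {**LEGACY, **REQUIRED}.items()}

def verdict(results):
    """Classify the results from audit() for a single listener."""
    legacy = [results[name] for name in LEGACY]
    if "accepted" in legacy:
        return "legacy-enabled"      # TLS 1.0 or 1.1 still negotiates
    if results["TLSv1.2"] == "accepted" and all(r == "rejected" for r in legacy):
        return "strict"
    return "inconclusive"            # unreachable, or client cannot test legacy

if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])  # placeholders: operator-supplied
    results = audit(host, port)
    print(results, verdict(results))
```

Run it against each instance in the deployment. An "inconclusive" verdict means the check has to be repeated from a client whose TLS library can still offer TLS 1.0 and 1.1, not that the listener passed.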