How to Determine RSA Authentication Manager 8.x is using TLS 1.2
Originally Published: 2016-07-15
Article Number
000067178
Applies To
RSA Product Set : SecurID
RSA Product/Service Type : RSA Authentication Manager
RSA Version/Condition: 8.1 Service Pack 1 or 8.2
Platform : SUSE Enterprise Linux
O/S Version : 11 
Product Description : SecurID Appliance
 
Issue
An administrator needs to determine whether an Authentication Manager 8.x deployment is using Transport Layer Security (TLS) 1.2.
Resolution
OpenSSL 1.0.2d (9 Jul 2015) can test TLS 1.2 connectivity to the Authentication Manager secure ports; a binary of this version is attached to this RSA knowledge article.
  • RSA Authentication Manager 8.1 Service Pack 1 Patch 15 with the Third Party Patch 2.0 updates OpenSSL on an Authentication Manager instance to version 0.9.8j-fips (07 Jan 2008), which cannot test TLSv1.2 connectivity.
  • RSA Authentication Manager 8.2 ships with OpenSSL version 0.9.8j-fips (07 Jan 2008) by default.
The openssl utility resides in the /usr/bin folder on a SecurID Appliance.
  1. Log on to the SecurID Appliance with the rsaadmin account (either at the local console or with an SSH client, where SSH has been enabled in the Operations Console under Administration > Operating System Access > Enable SSH).
  2. Set aside the original openssl utility, e.g. sudo mv /usr/bin/openssl /usr/bin/openssl.ORIG
  3. Extract and copy the attached openssl into the /usr/bin folder and ensure its permissions are 755 (-rwxr-xr-x), with owner root and group root (root root).
  4. Check the openssl version with the command /usr/bin/openssl version:
rsaadmin@app81p:~> openssl version
OpenSSL 1.0.2d 9 Jul 2015
rsaadmin@app81p:~>
RSA Authentication Manager 8.1 Service Pack 1 Patch 15 can negotiate SSLv3, TLSv1, TLSv1.1 and TLSv1.2 sessions on the Security Console 7004/tcp port and Operations Console 7072/tcp port.

RSA Authentication Manager 8.2 can negotiate TLSv1, TLSv1.1 and TLSv1.2 sessions on the Security Console 7004/tcp port and Operations Console 7072/tcp port.

Usage: openssl s_client -connect <fully-qualified-hostname>:<port-number> <parameter>
  • <fully-qualified-hostname> fully qualified hostname of the authentication manager instance e.g. app81p.csau.ap.rsa.net
  • <port-number> TCP port number e.g. 7004
  • <parameter> is one of: -ssl3 (use only SSLv3), -tls1 (use only TLSv1), -tls1_1 (use only TLSv1.1), -tls1_2 (use only TLSv1.2)
Example:
rsaadmin@app81p:~> openssl s_client -connect app81r.csau.ap.rsa.net:7004 -tls1_2
CONNECTED(00000003)
depth=1 CN = RSA root CA for app81p.csau.ap.rsa.net, serialNumber = 3ea60e8b3502f5846afd52f4c295e02bc1ebd09f22ad83f5de4bc225ae44bacf
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=app81r.csau.ap.rsa.net/serialNumber=e6206b1164137d8bc40a2df71980fee368938d02d078b3e21074653e731ec25b
   i:/CN=RSA root CA for app81p.csau.ap.rsa.net/serialNumber=3ea60e8b3502f5846afd52f4c295e02bc1ebd09f22ad83f5de4bc225ae44bacf
 1 s:/CN=RSA root CA for app81p.csau.ap.rsa.net/serialNumber=3ea60e8b3502f5846afd52f4c295e02bc1ebd09f22ad83f5de4bc225ae44bacf
   i:/CN=RSA root CA for app81p.csau.ap.rsa.net/serialNumber=3ea60e8b3502f5846afd52f4c295e02bc1ebd09f22ad83f5de4bc225ae44bacf
---
Server certificate
subject=/CN=app81r.csau.ap.rsa.net/serialNumber=e6206b1164137d8bc40a2df71980fee368938d02d078b3e21074653e731ec25b
issuer=/CN=RSA root CA for app81p.csau.ap.rsa.net/serialNumber=3ea60e8b3502f5846afd52f4c295e02bc1ebd09f22ad83f5de4bc225ae44bacf
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2319 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 57888979ED31AF1CB3858B681617413D9F4A441A5253412053534C4A20202020
    Session-ID-ctx:
    Master-Key: C465B930304527819EF3F8CC33F59A1FF22357E1023FAA8A62EA6F150E9CC77905721E6634A3F9CBE827F4EA53035BE4
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1468565882
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

Example showing an SSLv3 negotiation failing against an Authentication Manager 8.2 primary instance:
rsaadmin@app82p:~> openssl s_client -connect app82p.csau.ap.rsa.net:7004 -ssl3
CONNECTED(00000003)
26144:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:283:
rsaadmin@app82p:~>
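Wrapping the s_client checks above into a repeatable script is an added example and is not part of the RSA article or its attachment. It pins each protocol flag in turn against a console port and applies a simple policy (TLSv1.2 must negotiate, SSLv3 must be refused); the script name check_tls.sh, the function names and the parsing of the Protocol line from s_client output are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the RSA article): wrap the s_client probes described
# above into a repeatable check. Needs an OpenSSL client that accepts -tls1_2,
# such as the 1.0.2d binary the article attaches.

# Read openssl s_client output on stdin and classify the outcome:
#   the value of the "Protocol  : ..." line when a session was established,
#   "unsupported" when the client binary rejected the protocol flag, or
#   "refused" when no session came up (e.g. SSLv3 -> "wrong version number").
tls_negotiated() {
  awk '
    /^ *Protocol *:/ { proto = $3 }
    tolower($0) ~ /unknown option/ { bad_flag = 1 }
    END {
      if (bad_flag) print "unsupported"
      else if (proto != "") print proto
      else print "refused"
    }'
}

# Policy check for a console port: TLSv1.2 must negotiate and SSLv3 must be
# refused. Arguments: result of the -tls1_2 probe, result of the -ssl3 probe.
tls_policy_ok() {
  [ "$1" = "TLSv1.2" ] && [ "$2" = "refused" ]
}

# Pin each protocol in turn against host:port and print one result line each.
probe_port() {
  host=$1; port=$2
  for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
    # </dev/null ends the session right after the handshake completes
    result=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1 | tls_negotiated)
    printf '%s:%s %-8s %s\n' "$host" "$port" "$flag" "$result"
  done
}

# Usage: sh check_tls.sh <fqdn> [port ...]  (defaults to 7004 and 7072)
if [ $# -ge 1 ]; then
  host=$1; shift
  [ $# -eq 0 ] && set -- 7004 7072
  for p in "$@"; do probe_port "$host" "$p"; done
fi
```

Run it from the appliance after installing the attached openssl (sh check_tls.sh app81p.csau.ap.rsa.net); a result of "unsupported" for -tls1_2 means the client binary, not the server, is the limitation.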

Alternatively, running configure_tls12_mode.sh --enable (in /opt/rsa/am/utils) on an appropriately patched 8.1 Authentication Manager instance (e.g. 8.1 SP1 P15) on which the shell script has already been executed will report that no changes are required to /opt/rsa/am/server/config/config.xml, AdminServerWrapper.conf, ConsoleServerWrapper.conf, RadiusOCServerWrapper.conf, /opt/rsa/am/server/wrapper/BiztierServerWrapper.conf and /opt/rsa/am/rsapgdata/postgresql.conf.

Example:
rsaadmin@am81primary:/opt/rsa/am/utils> ./configure_tls12_mode.sh --enable
Jul 15 2016 17:06:17 AEST :  ********* Enable TLSv1.2 configurations in RSA Authentication Manager Server - Begin *********
Jul 15 2016 17:06:17 AEST :  Stopping RSA Authentication Manager Services
Stopping RSA RADIUS Server: **
RSA RADIUS Server                                          [SHUTDOWN]
Stopping RSA Runtime Server: ***
RSA Runtime Server                                         [SHUTDOWN]
Stopping RSA Console Server: *
RSA Console Server                                         [SHUTDOWN]
Stopping RSA Database Server: **
RSA Database Server                                        [SHUTDOWN]
Stopping RSA RADIUS Server Operations Console: **
RSA RADIUS Server Operations Console                       [SHUTDOWN]
Stopping RSA Administration Server with Operations Console: *
RSA Administration Server with Operations Console          [SHUTDOWN]
RSA Database Server                                        [SHUTDOWN]
RSA Administration Server with Operations Console          [SHUTDOWN]
RSA RADIUS Server Operations Console                       [SHUTDOWN]
RSA Runtime Server                                         [SHUTDOWN]
RSA RADIUS Server                                          [SHUTDOWN]
RSA Console Server                                         [SHUTDOWN]

Jul 15 2016 17:06:44 AEST :  *** Backing up configuration files to make changes
Jul 15 2016 17:06:44 AEST :  *** Applying TLS configurations to /opt/rsa/am/server/config/config.xml
Jul 15 2016 17:06:44 AEST :  TLS configurations exist in /opt/rsa/am/server/config/config.xml, no changes required
Jul 15 2016 17:06:44 AEST :  TLS configurations exist in /opt/rsa/am/server/config/config.xml, no changes required
Jul 15 2016 17:06:44 AEST :  TLS configurations exist in /opt/rsa/am/server/config/config.xml, no changes required
Jul 15 2016 17:06:44 AEST :  File permissions remain same, permissions of /opt/rsa/am/server/config/config.xml before and after changes are 644 and 644
Jul 15 2016 17:06:44 AEST :  *** Applying TLS configurations to Wrapper files in /opt/rsa/am/server/wrapper
Jul 15 2016 17:06:44 AEST :  TLS configurations -Dcom.rsa.requiredProtocols exist in AdminServerWrapper.conf, no changes required
Jul 15 2016 17:06:44 AEST :  TLS configurations -Dcom.rsa.requiredProtocols exist in ConsoleServerWrapper.conf, no changes required
Jul 15 2016 17:06:44 AEST :  TLS configurations -Dcom.rsa.requiredProtocols exist in RadiusOCServerWrapper.conf, no changes required
Jul 15 2016 17:06:44 AEST :  TLS configurations -Dcom.rsa.requiredProtocols exist in /opt/rsa/am/server/wrapper/BiztierServerWrapper.conf, no changes required
Jul 15 2016 17:06:44 AEST :  TLS configurations -Dcom.rsa.oa.requiredProtocols exist in /opt/rsa/am/server/wrapper/BiztierServerWrapper.conf, no changes required
Jul 15 2016 17:06:44 AEST :  TLS configurations -Dcom.rsa.oa.requiredCiphers exist in /opt/rsa/am/server/wrapper/BiztierServerWrapper.conf, no changes required
Jul 15 2016 17:06:44 AEST :  File permissions remain same, permissions of /opt/rsa/am/server/wrapper/BiztierServerWrapper.conf before and after changes are 400 and 400
Jul 15 2016 17:06:44 AEST :  *** Updating /opt/rsa/am/rsapgdata/postgresql.conf
Jul 15 2016 17:06:44 AEST :  postgres.conf contains value \!DH:\!ECDSA:TLSv1.2+HIGH+RSA:TLSv1.2+HIGH:@STRENGTH for ssl_ciphers, no changes required
Jul 15 2016 17:06:44 AEST :  Starting RSA Authentication Manager Services
Starting RSA Administration Server with Operations Console:
Starting RSA Database Server: ***************
RSA Administration Server with Operations Console          [RUNNING]
Starting RSA RADIUS Server Operations Console: - RSA Database Server                                        [RUNNING]                                                ***************
RSA RADIUS Server Operations Console                       [RUNNING]
Starting RSA Runtime Server: *******************|^CRSA Database Server                                        [SHUTDOWN]
RSA Administration Server with Operations Console          [RUNNING]
RSA RADIUS Server Operations Console                       [RUNNING]
RSA Runtime Server                                         [RUNNING]
RSA RADIUS Server                                          [SHUTDOWN]
RSA Console Server                                         [SHUTDOWN]

Jul 15 2016 17:09:00 AEST :  ********* TLSv1.2 enabled in RSA Authentication Manager Server - End *********
rsaadmin@am81primary:/opt/rsa/am/utils>
Notes
TLS 1.2 was defined in RFC 5246 in August 2008.