How to close ports used by the RSA Authentication Agent to block SSLv3 communication to RSA Authentication Manager 8.x
Originally Published: 2016-08-20
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1 P13 or later
Issue
Port 5550/TCP: Used for communication with authentication agents that are attempting to register with Authentication Manager.
Port 5580/TCP: Used to receive requests for additional offline authentication data, and send the offline data to agents. Also used to update server lists on agents.
Some vulnerability scanners report that these ports are susceptible to SSLv3 vulnerabilities.
To pass compliance audits, customers have been required to close those ports.
Resolution
- Log on to the Authentication Manager primary using an SSH client or a direct connection.
- Change to the root user with sudo.
- Enter the following commands (the close form of configureFirewall.sh blocks the two ports; the open form shown after it reverses the change should the ports be needed again):
sudo su root
/opt/rsa/am/utils/bin/appliance/configureFirewall.sh close rsaserv-aps inet,tcp,5580 inet,tcp,5550
/opt/rsa/am/utils/bin/appliance/configureFirewall.sh open rsaserv-aps inet,tcp,5580 inet,tcp,5550
- Repeat steps 1 - 3 for each RSA Authentication Manager server in your deployment.
Verify the change with openssl s_client from a host that has OpenSSL installed. If the ports are closed, the connection attempt fails:
C:\OpenSSL-Win64\bin>openssl.exe s_client -connect <IP Address>:5500 -ssl3
connect: No such file or directory
connect:errno=0
C:\OpenSSL-Win64\bin>openssl.exe s_client -connect <IP Address>:5580 -ssl3
connect: No such file or directory
connect:errno=0
If they are open then they return the server certificate information.
C:\OpenSSL-Win64\bin>openssl.exe s_client -connect <IP Address>:5580 -ssl3
CONNECTED(000000E8)
6872:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1471661883
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
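Note that the session above shows CONNECTED followed by "wrong version number" and "no peer certificate available", which means the port accepted the TCP connection but the server refused the SSLv3 handshake; a server that still speaks SSLv3 would complete the handshake and print its certificate chain instead. The following Python helper is an added example, not part of the RSA article, that classifies the combined output of that openssl command into these outcomes; the sample outputs are constructed from the sessions shown above, and the "accepted" sample is hypothetical.

```python
import subprocess

# Sample outputs, constructed from the s_client sessions shown in the article.
OUTPUT_PORT_CLOSED = "connect: No such file or directory\nconnect:errno=0\n"
OUTPUT_SSLV3_REFUSED = (
    "CONNECTED(000000E8)\n"
    "6872:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:"
    ".\\ssl\\s3_pkt.c:362:\n---\nno peer certificate available\n---\n"
    "SSL-Session:\n    Protocol  : SSLv3\n    Cipher    : 0000\n"
)
OUTPUT_SSLV3_ACCEPTED = (  # hypothetical: a server that still completes an SSLv3 handshake
    "CONNECTED(00000003)\n---\nCertificate chain\n 0 s:/CN=am-primary.example\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...constructed-sample...\n-----END CERTIFICATE-----\n"
    "SSL-Session:\n    Protocol  : SSLv3\n    Cipher    : AES256-SHA\n"
)


def classify_s_client_output(output: str) -> str:
    """Map the combined stdout+stderr of `openssl s_client -ssl3` to one outcome."""
    low = output.lower()
    if not output.strip():
        return "unknown"
    if "unknown option" in low or "unrecognized option" in low:
        return "unsupported"      # this OpenSSL build was compiled without SSLv3
    if "CONNECTED(" not in output:
        return "closed"           # TCP connect refused or filtered: port is closed
    if "-----BEGIN CERTIFICATE-----" in output:
        return "sslv3-accepted"   # handshake completed: SSLv3 is still enabled
    if "wrong version number" in output or "no peer certificate available" in output:
        # Port is reachable but SSLv3 was rejected. "Protocol : SSLv3" is printed
        # in this case too, so that line alone must not be read as "SSLv3 enabled".
        return "sslv3-refused"
    return "unknown"


def probe_sslv3(host: str, port: int, timeout: float = 10.0) -> str:
    """Run the article's check non-interactively against host:port and classify it."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-ssl3"],
        input=b"", capture_output=True, timeout=timeout, check=False,
    )
    return classify_s_client_output((proc.stdout + proc.stderr).decode(errors="replace"))


if __name__ == "__main__":
    import sys
    for port in (5550, 5580):   # the two agent ports discussed in the article
        print(port, probe_sslv3(sys.argv[1], port))
```

Run it as `python check_am_ports.py <AM host>`; a result of "closed" confirms the firewall change, while "sslv3-refused" means the port is still open but no longer negotiates SSLv3.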
Warning: Do not close the ports if these features are essential to your deployment.