RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x, AM 8.1 SP1 P3 up to AM 8.7 SP2 P6
Note: AM 8.8 introduces support for TLS 1.3, with new control syntax.
The Payment Card Industry Data Security Standard (PCI DSS) has, since 2016, recommended using the Transport Layer Security (TLS) 1.2 cryptographic protocol for secure network communications.
Starting with RSA Authentication Manager 8.1 SP1 P3, deployments support the use of TLS 1.2, impacting trusted realm authentication.
AM 8.1 SP1 P13 introduced the concept of 'Strict' TLS mode, where only TLS 1.2 is allowed on an AM appliance. The syntax for Strict TLS was refined in AM 8.2. That syntax remains in use up to AM 8.7 SP2 P6, as does the need to re-enable Strict TLS after patching.
Enable or disable strict TLS 1.2 mode according to the procedures below, on the primary instance and each replica instance.
Updating the primary instance automatically updates the web tier, but restarting the web tier is required for the changes to take effect.
This article describes how to enable 'Strict' TLS 1.2 mode in RSA Authentication Manager 8.x so that connections cannot be negotiated down to SSLv3, TLS 1.0 or TLS 1.1.
1. Log on to the appliance with the rsaadmin user ID and the current operating system password:
   - On a hardware appliance, log on to the appliance using an SSH client.
   - On a virtual appliance, log on to the appliance using an SSH client, the VMware vSphere client, the Hyper-V Virtual Machine Manager Console, or the Hyper-V Manager.
2. Change directories to /opt/rsa/am/utils.
3. Run the commands listed below. Note: To restart all of your RSA Authentication Manager services later, you must remove restart from the following commands:
   - To enable strict TLS 1.2 mode, type:
     ./rsautil store -a enable_min_protocol_tlsv1_2 true restart
   - To disable strict TLS 1.2 mode so that your deployment can support SSL 3.0, TLS 1.0, and TLS 1.1, type:
     ./rsautil store -a enable_min_protocol_tlsv1_2 false restart
4. (Optional) If you decided to manually restart all RSA Authentication Manager services, do the following:
   - Change directories to /opt/rsa/am/server.
   - Type:
     ./rsaserv restart all
5. Repeat steps 1 - 4 for each Authentication Manager instance in your deployment.
6. Restart the web tier.
   - On the web tier server, go to the RSA_WT_HOME/webtierBootstrapper/server directory, where RSA_WT_HOME is the web-tier installation directory.
   - On a Windows server, launch Windows services then restart the web tier services.
   - On a Linux server, type the following command:
     ./rsaserv restart all
Refer to the article entitled Limitations of strict TLS 1.2 mode in RSA Authentication Manager 8.x for more information.
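Because strict mode has to be re-enabled after patching, it is worth confirming from an administrative workstation that each instance really refuses TLS 1.0 and TLS 1.1 once the services have restarted. The following check is an added example, not RSA tooling or part of the original article; the host and port are supplied by you (the article lists no ports), and SSLv3 is not probed because current OpenSSL builds usually cannot offer it.

```python
import socket
import ssl
import sys

# Versions strict mode must refuse. SSLv3 is not probed: current OpenSSL
# builds usually cannot offer it as a client at all.
LEGACY = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
REQUIRED = ssl.TLSVersion.TLSv1_2

def probe(host, port, version, timeout=5.0):
    """Offer exactly one TLS version: 'accepted', 'rejected' or 'unreachable'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # testing protocol support only,
    ctx.verify_mode = ssl.CERT_NONE   # not authenticating the appliance
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let this client offer TLS 1.0/1.1
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"          # no TCP connection: proves nothing
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "accepted"
    except socket.timeout:
        return "unreachable"          # handshake stalled: also inconclusive
    except OSError:                   # ssl.SSLError, reset or EOF in handshake
        return "rejected"
    finally:
        raw.close()

def strict_tls12_verdict(results):
    """results maps ssl.TLSVersion -> probe() outcome; returns (ok, problems)."""
    problems = []
    if results.get(REQUIRED) != "accepted":
        problems.append(f"{REQUIRED.name}: {results.get(REQUIRED)}")
    for version in LEGACY:
        # Anything other than an explicit refusal fails the check, so an
        # unreachable port is never reported as compliant.
        if results.get(version) != "rejected":
            problems.append(f"{version.name}: {results.get(version)}")
    return (not problems, problems)

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. an AM console port
    results = {v: probe(host, port, v) for v in (*LEGACY, REQUIRED)}
    ok, problems = strict_tls12_verdict(results)
    print("strict TLS 1.2: OK" if ok else f"strict TLS 1.2: FAIL {problems}")
    sys.exit(0 if ok else 1)
```

Run it against every TLS listener on the primary, each replica and the web tier, and again after each patch.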