Symantec Identity Manager - RSA Connector is still using SSLv2Hello after remediation

Article ID: 250984


Products

CA Identity Suite, CA Identity Manager

Issue/Introduction

The RSA Connector advertises both SSLv2Hello and TLSv1.2 as supported versions, which causes a communication issue because RSA is restricted to TLSv1.2 only.

The output should be:

"supported_versions (43)": {
      "versions": [TLSv1.2]
    }

but instead it shows:

"supported_versions (43)": {
      "versions": [TLSv1.2, SSLv2Hello]
    }

See the Additional Information section for how to enable verbose logging to capture the SSL supported versions being presented.

Environment

Release : 14.4.1CHF2

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

Open a support case and request HF-DE535622.zip, or upgrade to 14.4CP2 if it is available.

Additional Information

For additional SSL-related troubleshooting, enable SSL-related logging for the JCS service.

In a Windows-based deployment, this is done by editing the registry and adding

-Djavax.net.debug=ssl:handshake:verbose

to the startup parameters via the registry key Options:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ComputerAssociates\Identity Manager\Procrun 2.0\im_jcs\Parameters\Java

In a Linux-based deployment, this is done by adding -Djavax.net.debug=ssl:handshake:verbose to ../bin/im_jcs

The jcs_service_stdout.log should then include additional SSL-related details that can be used for troubleshooting.
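Once verbose logging is on, the supported_versions blocks can be checked mechanically instead of by eye. The following is an added example, not part of the original article or the product: the function names and the sample log text are constructed, and the allowed set assumes TLSv1.2 only, as the article states.

```python
import re
import sys

# Constructed sample in the format shown in the article; not real connector output.
SAMPLE_LOG = '''\
"ClientHello": {
  "client version": "TLSv1.2",
  "extensions": [
    "supported_versions (43)": {
      "versions": [TLSv1.2, SSLv2Hello]
    }
  ]
}
"ClientHello": {
  "supported_versions (43)": {
      "versions": [TLSv1.2]
    }
}
'''

ALLOWED = {"TLSv1.2"}  # assumption: the RSA side accepts TLSv1.2 only

# Matches the extension header and its "versions" list, even across line breaks.
_EXT = re.compile(
    r'"supported_versions \(43\)"\s*:\s*\{\s*"versions"\s*:\s*\[([^\]]*)\]', re.S)

def advertised_versions(log_text):
    """Return (line_number, [versions]) for every supported_versions block."""
    found = []
    for m in _EXT.finditer(log_text):
        line_no = log_text.count("\n", 0, m.start()) + 1
        versions = [v.strip() for v in m.group(1).split(",") if v.strip()]
        found.append((line_no, versions))
    return found

def find_violations(log_text, allowed=ALLOWED):
    """Return (line_number, [disallowed versions]) for blocks outside the policy."""
    bad = []
    for line_no, versions in advertised_versions(log_text):
        extra = [v for v in versions if v not in allowed]
        if extra:
            bad.append((line_no, extra))
    return bad

if __name__ == "__main__":
    # Pass the path to jcs_service_stdout.log; falls back to the constructed sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line_no, extra in find_violations(text):
        print(f"line {line_no}: disallowed versions advertised: {', '.join(extra)}")
```

Run it against jcs_service_stdout.log before and after applying the fix; an empty result means every captured handshake advertised only TLSv1.2.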

Other Useful Links:

https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html

https://access.redhat.com/solutions/973783