Article Number
000001277
Applies To
RSA Product Set: RSA NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.4.x and 11.5.x
Issue
After upgrading to RSA NetWitness 11.4 or later, the Active Directory connection over SSL no longer works when the Active Directory server uses a DH key length of less than 2048 bits. The following error is logged:
/var/lib/netwitness/uax/logs/sa.log:
ERROR com.rsa.smc.sa.admin.web.controller.ajax.AuthenticationProviderController - Test connection failed
com.rsa.asoc.launch.api.transport.client.TransportClientException: Accepted DH prime length is 2048 or higher
at com.rsa.asoc.launch.api.transport.client.ClientResponseUtils.handleError(ClientResponseUtils.java:99)
at com.rsa.asoc.launch.api.transport.client.AmqpTransportClient.doSendAndReceive(AmqpTransportClient.java:118)
at com.rsa.asoc.launch.api.transport.client.AmqpTransportClient.send(AmqpTransportClient.java:69)
Active Directory users are no longer able to log in. The failure can be reproduced by testing the connection: go to Admin > Security > Settings, and under Active Directory Configurations select the AD instance and click the Test button. The test connection fails with the error shown above.
Cause
In RSA NetWitness 11.4, we upgraded our BSAFE libraries to comply with FIPS. As a result, a DH key length of at least 2048 bits is now required to establish SSL/TLS connections; a server that offers a smaller DH prime is rejected with the error above.
Resolution
We recommend increasing the DH key length on the Active Directory server to 2048 bits or greater so that the SSL/TLS connection can be established. A DH key length of 1024 bits is no longer FIPS compatible.
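To confirm what DH group size a domain controller actually offers before and after the change, the following Python helper (an added example, not RSA's code) runs `openssl s_client` restricted to DHE cipher suites against the LDAPS port and checks the reported ephemeral key size against the 2048-bit minimum. The host name is an assumption, OpenSSL 1.0.2 or later must be on PATH, and the sample output at the end is constructed to show the parsing without a live server.

```python
"""Probe an LDAPS endpoint for its ephemeral DH group size (example code, not RSA's)."""
import re
import subprocess

# NetWitness 11.4+ (FIPS BSAFE) accepts DH primes of 2048 bits or more.
MIN_DH_BITS = 2048

# Matches e.g. "Server Temp Key: DH, 1024 bits" or "Server Temp Key: ECDH, P-256, 256 bits".
TEMP_KEY_RE = re.compile(
    r"Server Temp Key:\s*(DH|ECDH|X25519|X448)[,\s]*(?:(\S+),\s*)?(\d+)\s*bits"
)


def parse_temp_key(s_client_output):
    """Return (key_type, bits) from `openssl s_client` output, or None if no temp key was printed."""
    m = TEMP_KEY_RE.search(s_client_output)
    if not m:
        return None
    return m.group(1), int(m.group(3))


def dh_meets_minimum(s_client_output, minimum=MIN_DH_BITS):
    """True only when the server negotiated finite-field DH with a group of at least `minimum` bits."""
    parsed = parse_temp_key(s_client_output)
    if parsed is None:
        return False  # handshake failed or no DHE suite offered: cannot verify, treat as not OK
    key_type, bits = parsed
    return key_type == "DH" and bits >= minimum


def probe_ldaps(host, port=636, timeout=10):
    """Run openssl s_client forcing DHE suites on TLS 1.2 and return its combined output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", "DHE", "-tls1_2"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")


# Constructed sample output (what a 1024-bit DC prints); a real run would use probe_ldaps("dc01.example.local").
SAMPLE_1024 = "---\nNew, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384\nServer Temp Key: DH, 1024 bits\n"

if __name__ == "__main__":
    status = "OK" if dh_meets_minimum(SAMPLE_1024) else "TOO SMALL"
    print(parse_temp_key(SAMPLE_1024), status)
```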
The following Microsoft reference describes where the DH key length is configured. Note that the advisory configures a 1024-bit DH key, whereas we recommend 2048 bits: