Tech Tip - CA Privileged Access Manager: PAM 3.0.1 A2A UNIX client not working after disabling TLS 1.0 and 1.1

By Ralf Prigl posted 04-27-2018 06:29 PM


Issue

After disabling the "TLS v1.0/1.1 Connection Allowed" option on the Configuration > Security > Access page, our Linux A2A clients no longer work. It looks like they are not using TLS 1.2 when connecting to the PAM server by default.


Cause

The Linux A2A client version 4.13 for PAM 3.0.1 ships with a JRE 7 that, by default, uses TLS 1.0 when connecting to secure web servers. The A2A client does not override this default, so it keeps negotiating TLS 1.0 even when the server only accepts TLS 1.2.


Resolution

The problem will not be observed after upgrading PAM and the A2A client to version 3.1.1 or higher. The 3.1.1 A2A client includes a JRE 8 that uses TLS 1.2 by default. If you have to remain at 3.0.X, you can resolve the problem by adding the option "-Dhttps.protocols=TLSv1.2" to the java options in the cspmclient/bin/cspmclientd script on line 64. The difference between the modified and the original script (diff run with the modified file first, so the "<" line is the new content) should look like this:

[root@prira01-U163106 bin]# diff cspmclientd cspmclientd.orig
64c64
<       -Djava.net.preferIPv4Stack=true -Dsun.net.inetaddr.ttl=0 -Dsun.net.inetaddr.negative.ttl=0 -Dhttps.protocols=TLSv1.2 \
---
>       -Djava.net.preferIPv4Stack=true -Dsun.net.inetaddr.ttl=0 -Dsun.net.inetaddr.negative.ttl=0 \
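Review bot: the diff is taken with the modified file as the left-hand argument (diff cspmclientd cspmclientd.orig), so the "<" line is the new content and the ">" line is the original, which is the reverse of the usual original-to-modified reading; consider running "diff cspmclientd.orig cspmclientd" or stating the direction next to the output. Also worth pointing out that line 64 ends in a continuation backslash, so the new option must be inserted before that trailing "\", as the "<" line shows, or the java command line breaks.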

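As an added example (not part of the original post and not CA's own tooling), the following POSIX shell helpers make the line-64 change idempotently and verifiably: ensure_tls12_option inserts -Dhttps.protocols=TLSv1.2 directly after -Dsun.net.inetaddr.negative.ttl=0 on the java options line, preserves the trailing continuation backslash, keeps an .orig copy for diffing as in the post, and fails if the expected line is not found; has_tls12_option checks whether the option is present. make_sample_script writes a constructed stand-in for cspmclient/bin/cspmclientd because the real script is not reproduced here, so the sample contents and all paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers to apply and verify the
# -Dhttps.protocols=TLSv1.2 change on the java options line of cspmclientd.
# Paths and the sample script are assumptions; the real file is
# cspmclient/bin/cspmclientd and the option belongs on line 64.

TLS_OPT='-Dhttps.protocols=TLSv1.2'

# Exit 0 when the java options line already carries the option after
# -Dsun.net.inetaddr.negative.ttl=0, non-zero otherwise.
has_tls12_option() {
    grep -q -- '-Dsun\.net\.inetaddr\.negative\.ttl=0 -Dhttps\.protocols=TLSv1\.2' "$1"
}

# Insert the option after -Dsun.net.inetaddr.negative.ttl=0, keeping the
# trailing backslash that continues the java command line onto the next line.
# An .orig copy is kept so the result can be checked with "diff file file.orig".
# Returns non-zero if the expected options line was not found in the file.
ensure_tls12_option() {
    file="$1"
    if has_tls12_option "$file"; then
        return 0                      # already applied, nothing to do
    fi
    cp "$file" "$file.orig"
    sed 's/\(-Dsun\.net\.inetaddr\.negative\.ttl=0\) \\$/\1 '"$TLS_OPT"' \\/' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    has_tls12_option "$file"          # verify the edit actually landed
}

# Write a constructed stand-in for the relevant part of cspmclientd so the
# helpers can be exercised offline (sample content, not the real script).
make_sample_script() {
    printf '%s\n' \
        '#!/bin/sh' \
        'exec java -Xmx256m \' \
        '      -Djava.net.preferIPv4Stack=true -Dsun.net.inetaddr.ttl=0 -Dsun.net.inetaddr.negative.ttl=0 \' \
        '      -jar cspmclient.jar "$@"' > "$1"
}

# Usage against a real install (path assumed):
#   ensure_tls12_option /opt/cspmclient/bin/cspmclientd && echo "TLS 1.2 option set"
```

Running ensure_tls12_option a second time is a no-op, so the helper is safe to include in a configuration-management run; a non-zero exit tells you the options line did not match and the script needs to be inspected by hand rather than silently left unchanged.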