Patching RSA Authentication Manager from 8.7 SP2 to Patch 3

Md. Mahim Bin Firoj
5 min readAug 31, 2024

--

Why we need to patch this? The RSA says that due to the radius vulnerability CVE-2024–3596 raised, you should immediately patch your AM instances if you are using radius feature on it.

Prerequisites:

  • Download the patch from this link. Go to this link https://community.rsa.com/s/all-downloads/rsa-securid-downloads and search for “RSA Authentication Manager 8.7 SP2 Patch 3 — Update Download”. You need a rsa partner account for this to download. Download it and unzip it. Put it in a place where both Authentication managers (AM primary and replica) can access it.
  • Patch should be applied against latest version so in our case both of our appliances version are 8.7 SP2.
  • The patch is irreversible so make sure you take snapshot or AM backup before proceed.
  • Check the replication status. It must be normal. From primary AM or replica AM operation console, Deployment Configuration > Instances > Status Report to check the replication status.
  • Do not let any schedule tasks on the AM to run before patching.
  • First you need to patch the primary instance then secondary instance.

Let’s begin the installation:

From the primary instance operation console, you need to navigate to Maintenance > Update & Rollback section.

Now click on Upload & Apply Update.

It will take some time to visible.

Click choose file
Locate the update
Now click on Upload
Upload process will start.

Now if you see that its not uploading or giving error or taking too much time than expected; then cancel the upload. You need to restart the services.

For that, access the primary instance via ssh using rsaadmin credentials. Then issue below command:

/opt/rsa/am/server/rsaserv restart all

Now try to upload. Once the upload is done, it will ask you for rsaadmin password to further process the update. Please provide that.

Click Apply

Now it will do some checks. After that it will apply update. You can see what it is doing in the backend by viewing “Advanced status view” tab.

Once it is done the system will take reboot to finally apply the update. I forgot to record when I was patching the primary AM, then I start recording at the time of patching secondary AM. That’s why i write down the primary AM url. The process is same for both.

Once done the mentioned url will be available for access. Access that url, it will ask you for primary AM operation console’s ocadmin username and password. Provide that and login.

Go here to check

As we can see that the update has been completed.

In this case you may face that the replication status between primary and replica AM is giving some error or still ok. It does not matter. You can go ahead to patch replica.

Replica Patch:

Now access the replica instance operation console. https://2fa-rep.gbpl.local:7072/operations-console (in your case the url will be different) and go to Maintenance > Update & Rollback.

By following the above same process, you can patch the replica instance. As it is almost same, so I am not showing that here.

Now when both the appliances are in same version after patch, this is time to check the replication status. From primary AM or replica AM operation console, go to Deployment Configuration > Instances > Status Report to check the replication status. It should be normal.

Now what this patch 3 brings? You need to change some radius configuration. RSA recommends that you “Enable the Message Authenticator Attribute Flag”. This will enforce the use of Message-
Authenticator attribute in all RADIUS authentication requests.

Note: Before enabling the message authenticator attribute flag, ensure your RADIUS client software version supports sending the message authenticator attribute in each RADIUS authentication request. The 3rd party product will announce it on their advisory. If after enabling this, your radius client fail to authenticate, then you need to again revert the changes that you are going to do now.

Access the operation console of primary instance using ocadmin credentials.

It will ask you for scadmin credentials.

Provide the credentials and click ok.

In this page you will be landed.

Now search for “&FreeRADIUS-Client-Require-MA =” (Without quotes). You will get 4 entries. Change the parameter from no to yes in each entry. After that click on Save & Restart RADIUS Server.

The same thing you need to do for your replica instance. You must perform the above procedure in each replica instance separately. And again if after changing this if something fails in radius authentication, then you need to revert this settings.

I hope this writeup is informative for you. Please subscribe below and share it with your network. Thank you.

LinkedIn:

https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/

YouTube:

https://www.youtube.com/@mahimfiroj1802/videos

--

--

No responses yet