Article Content
Article Number | 000038111 |
Applies To | RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.3.3 |
Issue | When RSA Authentication Manager administrators log in to the Security Console and go to a user dashboard, they get the following error message:
There was a problem loading the page. Please click the refresh button on your browser.
The Recent Authentication Activity panel is blank. Administrators can no longer use the dashboard.
The /opt/rsa/am/server/logs/imsTrace.log file shows the following errors:
2019-10-16 07:31:19,091, [OARequestHandler6], (ProofDaProcessor.java:21), trace.com.rsa.authmgr.internal.oa.engine.OAProcessor, WARN, rsa.abc.com,,,,Proof validation failed
com.rsa.authmgr.internal.oa.OAException: Invalid proof
    at com.rsa.authmgr.internal.oa.engine.ProofDaProcessor.a(ProofDaProcessor.java:77)
    at com.rsa.authmgr.internal.oa.engine.ProofDaProcessor.doRun(ProofDaProcessor.java:43)
    at com.rsa.authmgr.internal.oa.engine.OAProcessor.run(OAProcessor.java:30)
    at com.rsa.authmgr.internal.oa.RequestReceiver.a(RequestReceiver.java:14)
    at com.rsa.authmgr.internal.oa.RequestReceiver$1.run(RequestReceiver.java:1)
    at com.rsa.ims.security.spi.SimpleSecurityContextImpl.doAs(SimpleSecurityContextImpl.java:80)
    at com.rsa.security.SecurityContext.doAs(SecurityContext.java:412)
    at com.rsa.authmgr.internal.oa.RequestReceiver.handleConnection(RequestReceiver.java:101)
    at com.rsa.authmgr.internal.common.server.TCPServer$TCPServerTask.run(TCPServer.java:689)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
    at com.rsa.authmgr.internal.common.server.TCPServer$TCPServerThread.run(TCPServer.java:764)
2019-10-16 07:31:19,091, [OARequestHandler6], (OAProcessor.java:17), trace.com.rsa.authmgr.internal.oa.engine.OAProcessor, WARN, rsa.abc.com,,,,Unexpected exception during processing: DA_REQUEST_DATABASE_ERROR
com.rsa.authmgr.internal.oa.OAException: Proof validation failed
Authentication Activity Report_05646847.csv:
ERROR 23017 Offline Authentication Data Download Failed Offline authentication data download requested by user “abc5232” from agent “1234.corp.abc.com” using token “000406000000” failed with error message “Invalid proof” Failure
The above error may appear from a single user a few thousand times. |
Cause | The Authentication Activity report confirms that excessive requests for offline data are coming from a rogue machine. A few thousand of these requests reach RSA Authentication Manager per second, which makes the user dashboard unavailable. This is due to defect AAWIN-2421 (State of MT AAWin v. 7.3.3[103] agents get invalid proof every 1-2 seconds) in RSA Authentication Agent 7.4.0 and 7.3.3[99] for Windows and earlier. These failed offline data downloads with invalid proofs can act like a Denial of Service (DoS) attack when there are hundreds or thousands of these older Windows agents. The Real Time Authentication Monitor shows Invalid Proof errors every second. |
Resolution | AAWIN-2421 is resolved in RSA Authentication Agent 7.4.3 for Windows. Download the latest version of RSA Authentication Agent for Windows and upgrade the existing agent to resolve the issue. |
Workaround | Restarting Authentication Manager services on the primary and/or replicas can temporarily halt these invalid proofs.
On the RSA Authentication Agent,
|
Notes | RSA Authentication Agent 7.3.3[99] for Windows has the defect AAWIN-2421. |
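
The check described under Cause, finding which agents are sending the Invalid proof download failures and how fast, can be run against an exported Authentication Activity report. The Python below is an added example, not part of the RSA article or product. It assumes a CSV export whose first column is a `YYYY-MM-DD HH:MM:SS` timestamp; the column layout, the sample rows and `host2.example.com` are constructed.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime, timedelta

# Failure description as quoted in the article; straight or curly quotes accepted.
Q = '["\u201c\u201d]'
INVALID_PROOF = re.compile(
    rf"Offline authentication data download requested by user {Q}(?P<user>.+?){Q} "
    rf"from agent {Q}(?P<agent>.+?){Q} using token {Q}.+?{Q} "
    rf"failed with error message {Q}Invalid proof{Q}")
TS = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format of the first CSV column

def noisy_agents(report_csv, per_minute_threshold=10):
    """Return [(agent, user, peak failures per minute)] at or above the threshold."""
    per_minute = Counter()
    for row in csv.reader(io.StringIO(report_csv)):
        match = next(filter(None, map(INVALID_PROOF.search, row)), None)
        if match is None:
            continue
        try:
            minute = datetime.strptime(row[0], TS).replace(second=0)
        except ValueError:
            continue  # row without a parsable timestamp
        per_minute[(match["agent"].lower(), match["user"], minute)] += 1
    peaks = Counter()
    for (agent, user, _), count in per_minute.items():
        peaks[(agent, user)] = max(peaks[(agent, user)], count)
    hits = [(a, u, c) for (a, u), c in peaks.items() if c >= per_minute_threshold]
    return sorted(hits, key=lambda hit: -hit[2])

def constructed_sample():
    """Constructed report: one agent failing every 2 seconds, another failing once."""
    text = ("Offline authentication data download requested by user \u201c{}\u201d "
            "from agent \u201c{}\u201d using token \u201c000406000000\u201d "
            "failed with error message \u201cInvalid proof\u201d")
    start = datetime(2019, 10, 16, 7, 31, 0)
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Time", "Level", "Code", "Description", "Result"])
    for i in range(45):
        when = (start + timedelta(seconds=2 * i)).strftime(TS)
        writer.writerow([when, "ERROR", "23017",
                         text.format("abc5232", "1234.corp.abc.com"), "Failure"])
    writer.writerow([start.strftime(TS), "ERROR", "23017",
                     text.format("user2", "host2.example.com"), "Failure"])
    return out.getvalue()

if __name__ == "__main__":
    for agent, user, peak in noisy_agents(constructed_sample()):
        print(f"{agent} user={user} peak_invalid_proof_per_minute={peak}")
```

Agents returned by `noisy_agents` are the ones to check for an affected RSA Authentication Agent for Windows version; a single failure from a host stays below the threshold and is not reported.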