000038111 - There was a problem loading the page when accessing user dashboard in RSA Authentication Manager 8.4

Document created by RSA Customer Support Employee on Nov 6, 2019
Last modified by RSA Customer Support Employee on Jan 7, 2020
Version 4

Article Content

Article Number
000038111

Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.3.3
Issue

When RSA Authentication Manager administrators log in to the Security Console and go to a user dashboard, they get the following error message:

There was a problem loading the page. Please click the refresh button on your browser.


The Recent Authentication Activity panel is blank. Administrators cannot use the dashboard anymore.

The /opt/rsa/am/server/logs/imsTrace.log file shows the following errors:
 
2019-10-16 07:31:19,091, [OARequestHandler6], (ProofDaProcessor.java:21), trace.com.rsa.authmgr.internal.oa.engine.OAProcessor, WARN, rsa.abc.com,,,,Proof validation failed
com.rsa.authmgr.internal.oa.OAException: Invalid proof
    at com.rsa.authmgr.internal.oa.engine.ProofDaProcessor.a(ProofDaProcessor.java:77)
    at com.rsa.authmgr.internal.oa.engine.ProofDaProcessor.doRun(ProofDaProcessor.java:43)
    at com.rsa.authmgr.internal.oa.engine.OAProcessor.run(OAProcessor.java:30)
    at com.rsa.authmgr.internal.oa.RequestReceiver.a(RequestReceiver.java:14)
    at com.rsa.authmgr.internal.oa.RequestReceiver$1.run(RequestReceiver.java:1)
    at com.rsa.ims.security.spi.SimpleSecurityContextImpl.doAs(SimpleSecurityContextImpl.java:80)
    at com.rsa.security.SecurityContext.doAs(SecurityContext.java:412)
    at com.rsa.authmgr.internal.oa.RequestReceiver.handleConnection(RequestReceiver.java:101)
    at com.rsa.authmgr.internal.common.server.TCPServer$TCPServerTask.run(TCPServer.java:689)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

    at com.rsa.authmgr.internal.common.server.TCPServer$TCPServerThread.run(TCPServer.java:764)
2019-10-16 07:31:19,091, [OARequestHandler6], (OAProcessor.java:17), trace.com.rsa.authmgr.internal.oa.engine.OAProcessor, WARN, rsa.abc.com,,,,Unexpected exception during processing: DA_REQUEST_DATABASE_ERROR
com.rsa.authmgr.internal.oa.OAException: Proof validation failed
Authentication Activity Report_05646847.csv
ERROR    23017    Offline Authentication Data Download Failed    Offline authentication data download requested by user “abc5232” from agent “1234.corp.abc.com” using token “000406000000” failed with error message “Invalid proof”    Failure

 

The above error may appear from a single user a few thousand times.
Cause

The Authentication Activity report confirms that excessive requests for offline data are coming from a rogue machine. A few thousand of these requests reach RSA Authentication Manager per second, which makes the user dashboard unavailable. This is due to defect AAWIN-2421 (State of MT AAWin v. 7.3.3[103] agents get invalid proof every 1-2 seconds) in RSA Authentication Agent 7.4.0 and 7.3.3[99] for Windows and earlier.

These failed offline data downloads with invalid proofs can act like a Denial of Service (DoS) attack when there are hundreds or thousands of these older Windows agents. The Real Time Authentication Monitor will look something like this, with Invalid Proof errors every second.

[Screenshot: Invalid Proof RTM]
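
To see which agents are producing the Invalid proof failures described above, an exported Authentication Activity report can be tallied per agent. This is an added example, not RSA's code; it assumes the description text has the form shown in the report excerpt, and the sample lines, the second host and user, and the threshold are constructed.

```python
import re
from collections import Counter

# One or more quote characters: curly quotes as in the excerpt, or straight
# quotes that a CSV export may have doubled ("").
Q = '["\u201c\u201d]+'
NQ = '[^"\u201c\u201d]*'
PATTERN = re.compile(
    "Offline authentication data download requested by user "
    f"{Q}(?P<user>{NQ}){Q} from agent {Q}(?P<agent>{NQ}){Q} "
    f"using token {Q}(?P<token>{NQ}){Q} "
    f"failed with error message {Q}Invalid proof{Q}"
)

def count_invalid_proofs(lines):
    """Count event 23017 'Invalid proof' failures per (agent, user)."""
    counts = Counter()
    for line in lines:
        m = PATTERN.search(line)
        if m:
            # Host names are case-insensitive; normalise before counting.
            counts[(m.group("agent").lower(), m.group("user"))] += 1
    return counts

def noisy_agents(counts, threshold):
    """Agents whose total failures reach the threshold, busiest first."""
    per_agent = Counter()
    for (agent, _user), n in counts.items():
        per_agent[agent] += n
    return [(a, n) for a, n in per_agent.most_common() if n >= threshold]

# Constructed sample, modelled on the single report line quoted in the article.
TEMPLATE = (
    "ERROR\t23017\tOffline Authentication Data Download Failed\t"
    "Offline authentication data download requested by user \u201c{user}\u201d "
    "from agent \u201c{agent}\u201d using token \u201c{token}\u201d "
    "failed with error message \u201cInvalid proof\u201d\tFailure"
)
SAMPLE = [TEMPLATE.format(user="abc5232", agent="1234.corp.abc.com",
                          token="000406000000")] * 4
# Same event as a CSV export with doubled straight quotes might render it.
SAMPLE.append(SAMPLE[0].replace("\u201c", '""').replace("\u201d", '""')
              .replace("1234.corp", "1234.CORP"))
SAMPLE.append(TEMPLATE.format(user="user0001", agent="host-b.example.test",
                              token="000000000001"))
SAMPLE.append("INFO\t0\tConstructed unrelated line\tNothing to match\tSuccess")

if __name__ == "__main__":
    for agent, n in noisy_agents(count_invalid_proofs(SAMPLE), threshold=3):
        print(f"{agent}: {n} Invalid proof failures")
```

Agents that top the list are the first candidates for the upgrade or the workarounds below.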
Resolution

AAWIN-2421 is resolved in RSA Authentication Agent 7.4.3 for Windows. Download the latest version of RSA Authentication Agent for Windows and upgrade the existing agent to resolve the issue.

Workaround

Restarting Authentication Manager services on the primary and/or replicas can temporarily halt these invalid proofs.

Likewise, restarting the RSA Authentication Agent Offline Local Service on the Windows Agent will also temporarily halt the agent sending these invalid proofs.

[Screenshot: Local OA service]

Another approach for a temporary resolution is to reset the node secret. If you cannot upgrade the agent(s) immediately, do the following:

  1. Clear the node secret via the Authentication Agent Control Center.
  2. Log on to RSA Authentication Manager Security Console.
  3. Navigate to Access > Authentication Agents > Manage Existing.
  4. Search for the agent in question and select Edit from the context menu.
  5. Select Manage Secret.
  6. Place a check in the box labeled Clear node secret.
  7. Click Save.

On the RSA Authentication Agent:

  1. Launch the Control Center.
  2. Select Advanced > Clear node secret.

For further troubleshooting on the RSA Agent:

  1. Open the Control Center and select the Advanced tab.
  2. Select Enable Debug and note the location of logs.

Notes

RSA Authentication Agent 7.3.3[99] for Windows has the defect AAWIN-2421.
