000038228 - RSA Authentication Manager 8.4 deployments with TCP agents should avoid patch 8

Document created by RSA Customer Support Employee on Dec 12, 2019
Version 1

Article Content

Article Number: 000038228
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4 Patch 8

 
Issue
After upgrading RSA Authentication Manager to 8.4 patch 8, TCP-based RSA Authentication Agents that utilize the RSA Authentication Agent SDK 8.5 and 8.6 for C can no longer authenticate.

Agent logs show errors similar to:
 
 error .\SignatureVerifier.cpp 165 Config response is tampered
 error .\SignatureVerifier.cpp 164 Config response is tampered 
 verbose .\SignatureVerifier.cpp 258 Leaving SignatureVerifier::validateConfiguration()
 error ..\AgentConfigHandler.cpp 135 ConfigResponse is not valid


Performing a test authentication can display the following error:  

Initialization Failed - configuration error
 



Impacted Agents/Agent SDKs are as follows:



Product                                          Mode  Impacted?
RSA SecurID Authentication SDK C 8.5.x/8.6.x     TCP   Yes
RSA SecurID Authentication SDK C 8.5.x/8.6.x     UDP   No
RSA SecurID Authentication SDK Java 8.5.x/8.6.x  TCP   No
RSA SecurID Authentication SDK Java 8.5.x/8.6.x  UDP   No
RSA Authentication Agent for Web                 TCP   Yes
RSA Authentication Agent for Web                 UDP   No

Cause
An issue introduced in RSA Authentication Manager 8.4 patch 8 broke backward compatibility with agents that use RSA Authentication SDK C 8.5.x and 8.6.x in TCP mode. It was caused by an Oracle Java JDK update included in patch 8.

Resolution
Wait for the RSA Authentication Manager 8.4 patch 9 update.

Workaround
As a workaround, either:
  • Configure RSA Authentication Agents to use UDP mode, or
  • Use the procedure below to roll back the Authentication Manager Oracle JDK.

  1. RSA Authentication Manager 8.4 patch 8 installed Oracle JDK 1.8_231.
  2. Verify the version. With patch 8 installed, the output looks like this:


cd /opt/rsa/am/appserver/jdk/bin
./java -version

java version "1.8.0_231"
Java(TM) SE Runtime Environment (build 1.8.0_231-b26)
Java HotSpot(TM) 64-Bit Server VM (build 25.231-b26, mixed mode)


  3. To replace this with an older version (that is, the version that was in use when the most recent patch that updated the Java JDK was installed):


# As rsaadmin ...
# Stop AM services
cd /opt/rsa/am/server
./rsaserv stop all

# Set aside the JDK from the P8 install
cd /opt/rsa/am/appserver
mv jdk jdk-P8

# We want to find the most recent JDK backup
# (which contains the JDK in use when the most recent install that updated the JDK was performed)
ls -ltr ../updates/

# This attempts to set a variable to the path of this backup file (*but please verify*)
lastjdk=$(ls -tr ../updates/backup_jdk*.gz | tail -1)
# Verify
echo "$lastjdk"

# Extract the backed-up JDK
tar -xzf "$lastjdk"

# Optional - check the version - should be earlier than "1.8.0_231"
cd /opt/rsa/am/appserver/jdk/bin
./java -version

# Restart services
# There will be some additional messages from "sys-package-mgr" for the first restart
cd /opt/rsa/am/server
./rsaserv start all
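
The procedure above moves the running JDK aside before it extracts the backup, so a missing or corrupt archive, or a leftover jdk-P8 directory, would only be noticed after the JDK is gone. The following pre-flight check is an added example, not RSA code: it assumes the backup unpacks to a top-level jdk/ directory (as the extract step implies), and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not RSA code): pre-flight checks for the JDK rollback above.
# Assumes the backup unpacks to a top-level jdk/ directory, as the extract
# step in the procedure implies; the function names are hypothetical.

# Print the newest backup_jdk*.gz (by modification time) in directory $1.
pick_jdk_backup() {
    newest=""
    for f in "$1"/backup_jdk*.gz; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then newest=$f; fi
    done
    [ -n "$newest" ] || { echo "no backup_jdk*.gz in $1" >&2; return 1; }
    printf '%s\n' "$newest"
}

# Succeed only if $1 is a readable gzip tar that contains jdk/bin/java.
verify_jdk_backup() {
    listing=$(tar -tzf "$1" 2>/dev/null) ||
        { echo "cannot read archive: $1" >&2; return 1; }
    printf '%s\n' "$listing" | grep -Eq '^(\./)?jdk/bin/java$' ||
        { echo "no jdk/bin/java in: $1" >&2; return 1; }
}

# Run every check for appserver directory $1; print the backup path on success.
preflight_rollback() {
    [ -d "$1/jdk" ] || { echo "missing $1/jdk" >&2; return 1; }
    # mv jdk jdk-P8 would nest jdk inside an existing jdk-P8 directory
    [ ! -e "$1/jdk-P8" ] || { echo "$1/jdk-P8 already exists" >&2; return 1; }
    backup=$(pick_jdk_backup "$1/../updates") || return 1
    verify_jdk_backup "$backup" || return 1
    printf '%s\n' "$backup"
}

# Usage: sh preflight.sh /opt/rsa/am/appserver
if [ -n "${1:-}" ]; then preflight_rollback "$1"; fi
```

Run it as rsaadmin before stopping services; a non-zero exit status means the rollback should not be started.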

Notes
  • Rolling back RSA Authentication Manager 8.4 patch 8 does not fix this issue.
  • TCP agents using RSA agent API 8.5 or 8.6 for Java (including the RSA SecurID Access Identity Router), RSA agents using the REST API, and UDP agents are not affected.
