|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4 Patch 8
|Issue||After upgrading RSA Authentication Manager to 8.4 patch 8, TCP-based RSA Authentication Agents that utilize the RSA Authentication Agent SDK 8.5 and 8.6 for C can no longer authenticate.|
Agent logs show errors similar to:
error .\SignatureVerifier.cpp 165 Config response is tampered
error .\SignatureVerifier.cpp 164 Config response is tampered
verbose .\SignatureVerifier.cpp 258 Leaving SignatureVerifier::validateConfiguration()
error ..\AgentConfigHandler.cpp 135 ConfigResponse is not valid
Performing a test authentication can display the following error:
Initialization Failed - configuration error
Impacted Agents/Agent SDKs are as follows:
|Agent / Agent SDK||Protocol||Impacted|
|RSA SecurID Authentication SDK C 8.5.x/8.6.x||TCP||Yes|
|RSA SecurID Authentication SDK C 8.5.x/8.6.x||UDP||No|
|RSA SecurID Authentication SDK Java 8.5.x/8.6.x||TCP||No|
|RSA SecurID Authentication SDK Java 8.5.x/8.6.x||UDP||No|
|RSA Authentication Agent for Web||TCP||Yes|
|RSA Authentication Agent for Web||UDP||No|
|Cause||An issue was introduced in RSA Authentication Manager 8.4 patch 8 that broke backward compatibility with agents that utilize RSA Authentication SDK C 8.5.x and 8.6.x in TCP mode. This was caused by an Oracle Java JDK update included in patch 8. |
|Resolution||Wait for RSA Authentication Manager 8.4 patch 9 update.|
|Workaround||As a workaround, either:|
- Configure RSA Authentication Agents to use UDP mode, or
- Use the procedure below to roll back the Authentication Manager Oracle JDK.
- In RSA Authentication Manager 8.4 patch 8 the Oracle JDK 1.8_231 was installed.
- Verify the version. Patch 8 will show the output below:
java version "1.8.0_231"
Java(TM) SE Runtime Environment (build 1.8.0_231-b26)
Java HotSpot(TM) 64-Bit Server VM (build 25.231-b26, mixed mode)
- To replace it with the older version (that is, the JDK that was in use when the most recent patch that updated the Java JDK was installed):
# As rsaadmin ...
# Stop AM services
./rsaserv stop all
# Set aside the JDK from the P8 install
mv jdk jdk-P8
# We want to find the most recent JDK backup
# (which contains the JDK in use when the most recent install that updated the JDK was performed)
ls -ltr ../updates/
# This attempts to set a variable to the path of this backup file (*but please verify*)
lastjdk=$(ls -tr ../updates/backup_jdk*.gz | tail -1)
# Extract the backed-up JDK
tar -xzf "$lastjdk"
# Optional - check the version - should be earlier than "1.8.0_231"
# Restart services
# There will be some additional messages from "sys-package-mgr" for the first restart
./rsaserv start all
- Rolling back RSA Authentication Manager 8.4 patch 8 does not fix this issue.
- TCP agents using RSA agent API 8.5 or 8.6 for Java (including the RSA SecurID Access Identity Router), RSA agents using the REST API, and UDP agents are not affected.
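
The rollback procedure above asks you to verify the backup file that `lastjdk` selects. The following is an added example, not part of the original RSA article, of one way to do that check in bash before extracting anything; the function names are hypothetical and the only assumption is the `backup_jdk*.gz` naming shown in the procedure.

```bash
#!/usr/bin/env bash
# Added example: inspect the JDK backup before extracting it.
# Assumption: backups match backup_jdk*.gz, the pattern used in the procedure.

# Print the newest backup_jdk*.gz in directory $1; return 1 if there is none.
newest_jdk_backup() {
    local dir=$1 f newest=""
    for f in "$dir"/backup_jdk*.gz; do
        [ -f "$f" ] || continue   # unmatched glob, or not a regular file
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# Print the distinct top-level entries of archive $1. Return 1 if it is not a
# readable gzip tar, or if a member path is absolute or contains "..".
archive_top_level() {
    local listing
    listing=$(tar -tzf "$1" 2>/dev/null) || return 1
    [ -n "$listing" ] || return 1
    if printf '%s\n' "$listing" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        return 1
    fi
    printf '%s\n' "$listing" | sed 's|^\./||' | cut -d/ -f1 | grep -v '^$' | sort -u
}

# Report what the rollback would extract from directory $1, without extracting.
check_jdk_backup() {
    local backup entries
    backup=$(newest_jdk_backup "$1") || {
        echo "no backup_jdk*.gz found in $1" >&2; return 1; }
    entries=$(archive_top_level "$backup") || {
        echo "unreadable or unsafe archive: $backup" >&2; return 1; }
    printf 'backup: %s\n' "$backup"
    printf 'top-level entries: %s\n' "$(printf '%s' "$entries" | tr '\n' ' ')"
}
```

Call `check_jdk_backup ../updates` from the directory used in the procedure, and continue with `tar -xzf` only if the reported file and its top-level entries are what you expect.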