000038228 - RSA Authentication Manager 8.4 deployments with TCP agents should avoid patch 8

Document created by RSA Customer Support Employee on Dec 12, 2019
Version 1

Article Content

Article Number: 000038228

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4 Patch 8

Issue

After upgrading RSA Authentication Manager to 8.4 patch 8, TCP-based RSA Authentication Agents that utilize the RSA Authentication Agent SDK 8.5 and 8.6 for C can no longer authenticate.

Agent logs show errors similar to:
 error .\SignatureVerifier.cpp 165 Config response is tampered
 error .\SignatureVerifier.cpp 164 Config response is tampered 
 verbose .\SignatureVerifier.cpp 258 Leaving SignatureVerifier::validateConfiguration()
 error ..\AgentConfigHandler.cpp 135 ConfigResponse is not valid

Performing a test authentication can display the following error:  

Initialization Failed - configuration error


Impacted Agents/Agent SDKs are as follows:

Agent / Agent SDK                                Protocol  Impacted
RSA SecurID Authentication SDK C 8.5.x/8.6.x     TCP       Yes
RSA SecurID Authentication SDK C 8.5.x/8.6.x     UDP       No
RSA SecurID Authentication SDK Java 8.5.x/8.6.x  TCP       No
RSA SecurID Authentication SDK Java 8.5.x/8.6.x  UDP       No
RSA Authentication Agent for Web                 TCP       Yes
RSA Authentication Agent for Web                 UDP       No

Cause

An issue was introduced in RSA Authentication Manager 8.4 patch 8 that broke backward compatibility with agents that utilize RSA Authentication SDK C 8.5.x and 8.6.x in TCP mode. This was caused by an Oracle Java JDK update included in patch 8.

Resolution

Wait for the RSA Authentication Manager 8.4 patch 9 update.

Workaround

As a workaround, either:
  • Configure RSA Authentication Agents to use UDP mode, or
  • Use the procedure below to roll back the Authentication Manager Oracle JDK.

  1. RSA Authentication Manager 8.4 patch 8 installed Oracle JDK 1.8_231.
  2. Verify the version. Patch 8 will show the output below:

cd /opt/rsa/am/appserver/jdk/bin
./java -version

java version "1.8.0_231"
Java(TM) SE Runtime Environment (build 1.8.0_231-b26)
Java HotSpot(TM) 64-Bit Server VM (build 25.231-b26, mixed mode)

  3. To replace this with an older version (that is, the version that was in use when the last patch that updated the Java JDK was installed):

# As rsaadmin ...
# Stop AM services
cd /opt/rsa/am/server
./rsaserv stop all

# Set aside the JDK from the P8 install
cd /opt/rsa/am/appserver
mv jdk jdk-P8

# We want to find the most recent JDK backup
# (which contains the JDK in use when the most recent install that updated the JDK was performed)
ls -ltr ../updates/

# This attempts to set a variable to the path of this backup file (*but please verify*)
lastjdk=$(ls -tr ../updates/backup_jdk*.gz | tail -1)
# Verify
echo "$lastjdk"

# Extract the backed-up JDK
tar -xzf "$lastjdk"

# Optional - check the version - should be earlier than "1.8.0_231"
cd /opt/rsa/am/appserver/jdk/bin
./java -version

# Restart services
# There will be some additional messages from "sys-package-mgr" for the first restart
cd /opt/rsa/am/server
./rsaserv start all

  • Rolling back RSA Authentication Manager 8.4 patch 8 does not fix this issue.
  • TCP agents using RSA agent API 8.5 or 8.6 for Java (including the RSA SecurID Access Identity Router), RSA agents using the REST API, and UDP agents are not affected.
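
The rollback procedure above has two manual verification points: confirming the backup archive before extracting it, and confirming the JDK build afterwards. The helper functions below script both checks. They are an added example, not part of the RSA article or RSA tooling. The function names are hypothetical, and the archive check assumes the backup unpacks to a top-level jdk/ directory, as the procedure's later `cd /opt/rsa/am/appserver/jdk/bin` implies.

```shell
#!/bin/sh
# Added example, not RSA tooling. Function names are hypothetical.

# Read `java -version` text on stdin and print the Java 8 update number,
# e.g. 'java version "1.8.0_231"' prints 231. Returns 1 if none is found.
jdk_update() {
    out=$(sed -n 's/.*version "1\.8\.0_\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$out" ] && printf '%s\n' "$out"
}

# Return 0 if the JDK described on stdin is earlier than 1.8.0_231 (the build
# patch 8 installs), 1 if it is 231 or later, 2 if the text is not recognised.
jdk_is_pre_231() {
    u=$(jdk_update) || return 2
    [ "$u" -lt 231 ]
}

# Return 0 only if archive $1 is a readable gzip tar whose members all sit
# under jdk/ and include jdk/bin/java. Assumption: the backup unpacks to a
# top-level jdk/ directory, so extracting it in appserver/ recreates ./jdk.
backup_is_jdk_tree() {
    list=$(tar -tzf "$1" 2>/dev/null) || return 1
    list=$(printf '%s\n' "$list" | sed 's|^\./||')
    [ -n "$list" ] || return 1
    if printf '%s\n' "$list" | grep -v -q -e '^jdk/' -e '^jdk$' -e '^$'; then
        return 1    # a member would be written outside ./jdk
    fi
    printf '%s\n' "$list" | grep -q -x 'jdk/bin/java'
}

# Usage on the appliance (java -version prints to stderr, hence 2>&1):
#   backup_is_jdk_tree "$lastjdk" && tar -xzf "$lastjdk"
#   /opt/rsa/am/appserver/jdk/bin/java -version 2>&1 | jdk_is_pre_231
```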