000038167 - How to test RSA Authentication Manager to RSA SecurID Authentication Cloud Authentication Service connectivity

Document created by RSA Customer Support Employee on Dec 13, 2019
Version 1

Article Content

Article Number: 000038167
Applies To: RSA Product Set: SecurID Access
RSA Product/Service Type: Authentication Manager and Cloud Authentication Service
RSA Version/Condition: Authentication Manager 8.4 patch 4 and higher
Issue: Connectivity between RSA Authentication Manager and associated SecurID Access cloud tenant is not working.
Cause: This is most often due to RSA Authentication Manager -> cloud network traffic being blocked by the on-premise environment.
Resolution: A helpful troubleshooting step is to try accessing the Cloud Authentication Service's health.api URL either from a browser on the same subnet as the RSA Authentication Manager or directly from the Authentication Manager using the wget command.

The URL is of the form https://<tenant id>.auth.securid.com/secure-connector-fe/health.api where <tenant id> is the value initially set in the Cloud Administrator Console under My Account > Company Settings > Company Information tab > Company ID field.

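See Log On to the Appliance Operating System with SSH for instructions on accessing the Authentication Manager command line.

Below is an example wget command run from the Authentication Manager command line. Note that Connection OK is returned if successful. The --no-check-certificate switch lets the request complete even when the appliance cannot verify the certificate chain locally, so the issuer named in the WARNING line can be inspected: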

rsaadmin@am84p:~> wget --no-check-certificate https://mycompany.auth.securid.com/secure-connector-fe/health.api
--2019-11-20 18:09:47--  https://mycompany.auth.securid.com/secure-connector-fe/health.api
Resolving mycompany.auth.securid.com (mycompany.auth.securid.com)...
Connecting to mycompany.auth.securid.com (mycompany.auth.securid.com)||:443... connected.
WARNING: cannot verify mycompany.auth.securid.com's certificate, issued by ‘/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c)
2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K’:
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 200
Length: 13 [text/plain]
Saving to: ‘health.api’

100%[=================================================================================>] 13          --.-K/s   in 0s

2019-11-20 18:09:47 (3.54 MB/s) - ‘health.api’ saved [13/13]

rsaadmin@am84p:~> cat health.api
Connection OK

  1. Be sure to confirm that the infrastructure is:

  • Not blocking the IP address associated with <tenant id>.auth.securid.com.
  • Not filtering *.auth.securid.com or *.access.securid.com URLs.

  2. If a wget certificate WARNING indicates that the certificate was issued by a root CA other than Entrust Root Certification Authority - G2 and the RSA Authentication Manager logs are showing the message javax.net.ssl.SSLException: Certificate not verified, then ensure that there are no transparent customer proxy devices between the Authentication Manager and the RSA cloud components.
  3. RSA Authentication Manager servers do not currently support proxies (transparent or not) that perform SSL termination.
  4. If a non-transparent proxy is configured for the Authentication Manager, then include the -e use_proxy=yes -e https_proxy=<proxy hostname>:<proxy port> switches in the wget command.
  5. The auth part of the tenant hostname will be auth-eu for European-hosted tenants and auth-anz for APJ-hosted tenants.
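
The checks above can be scripted. The following is an added example, not RSA's code: it builds the health.api URL for each hosting region and triages a saved wget transcript. The function names, verdict strings and the proxy transcript are constructed for illustration, and treating any issuer whose name contains "Entrust" as expected is an assumption based on the sample output in this article.

```shell
# Added example: build the health.api URL and triage a wget transcript.
# Function names and verdict strings are hypothetical.

# health_url <company-id> [us|eu|anz] -> prints the URL to test
health_url() {
  case "${2:-us}" in
    us)  hu_label=auth ;;
    eu)  hu_label=auth-eu ;;
    anz) hu_label=auth-anz ;;
    *)   echo "unknown region: $2" >&2; return 2 ;;
  esac
  printf 'https://%s.%s.securid.com/secure-connector-fe/health.api\n' "$1" "$hu_label"
}

# classify_wget_log: reads wget output on stdin, prints one verdict.
classify_wget_log() {
  cw_log=$(cat)
  # No "connected." line: DNS, routing or a firewall stopped the connection.
  if ! printf '%s\n' "$cw_log" | grep -q 'connected\.'; then
    echo BLOCKED; return 0
  fi
  # The issuer can wrap onto a second line, so join it with the next line.
  cw_issuer=$(printf '%s\n' "$cw_log" | grep -A1 'issued by' | tr -d '\n')
  # Assumption: an expected issuer name contains "Entrust", as in the sample.
  case "$cw_issuer" in
    ''|*Entrust*) ;;
    *) echo UNEXPECTED_ISSUER; return 0 ;;   # look for a TLS-terminating proxy
  esac
  if printf '%s\n' "$cw_log" | grep -q 'awaiting response\.\.\. 200'; then
    echo REACHABLE
  else
    echo HTTP_ERROR
  fi
}

# Constructed sample: a transcript as seen behind a TLS-inspecting proxy.
sample_proxy_log() {
  cat <<'EOF'
Connecting to mycompany.auth.securid.com (mycompany.auth.securid.com)|192.0.2.10|:443... connected.
WARNING: cannot verify mycompany.auth.securid.com's certificate, issued by '/O=Example Corp/CN=Example Inspection CA':
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 200
EOF
}
```

wget writes its transcript to stderr, so redirect it with 2>&1 when piping a live run into classify_wget_log.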