000038116 - Authentication using acetest fails TRANSACTION_ROLLBACK on real time authentication activity monitor for RSA Authentication Agent 8.0.x for Web: Apache Web Server

Document created by RSA Customer Support Employee on Dec 16, 2019
Version 1

Article Content

Article Number: 000038116

Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Agent for Web: Apache
RSA Version/Condition: 8.0.x

Issue:
RSA Authentication Agent for Web: Apache Web Server is installed on a Red Hat Enterprise Linux (RHEL) server. An authentication attempt using the acetest utility fails with the following error in the real-time authentication activity monitor:

TRANSACTION_ROLLBACK

Cause:
The authentication request is coming from an invalid IP address. The agent record on the RSA Authentication Manager server was configured with one IP address, and the request is coming from another IP address.

Also, the acestatus output showed a Server Active Address: 0.0.0.0154.236 which indicates a corrupt sdconf.rec file.

Resolution:
  1. Connect to the Security Console for the primary RSA Authentication Manager server.
  2. Navigate to Access > Authentication Agents > Generate Configuration File and download the AMconfig.zip.
  3. Extract the sdconf.rec file from the .zip.
  4. Replace the existing sdconf.rec file on the Apache server with the one extracted above.
  5. Run the command acestatus and ensure that the correct primary server IP address is displayed.
  6. From the primary's Security Console, navigate to Access > Authentication Agents > Manage Existing and locate the agent that is having the issue.
  7. Click the context arrow next to the agent name and choose Delete.
  8. Open a real time authentication activity monitor (Reports > Real Time Monitors > Authentication Activity Monitor) and press Start Monitor.
  9. Perform the authentication using acetest. Note the message in the real-time authentication activity monitor and write down the IP address:

Agent host not found n.n.n.n


  10. Navigate to Access > Authentication Agents > Add New.
  11. Recreate the agent record in the Security Console using the IP address noted in Step 9 above.
  12. On the Apache web server, edit the sdopts.rec file to add the CLIENT_IP value in the format below. Replace the n.n.n.n value with the IP address from Step 9:

CLIENT_IP=n.n.n.n


  13. Perform authentication using acetest. Authentication will be successful.
  14. Restart the Apache web server.
  15. Perform the authentication on the web page to confirm.
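
The acestatus check and the CLIENT_IP edit in the procedure above can be verified with a script. The shell functions below are an added example, not RSA code or part of the original article; they assume acestatus prints a "Server Active Address:" line as quoted in the Cause section and that sdopts.rec holds a single CLIENT_IP= line. The function names and the 192.0.2.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not RSA code). Function names and 192.0.2.x values are hypothetical.

# Succeed only for a well-formed dotted-quad IPv4 address (four octets, 0-255).
# Runs in a subshell so the IFS change does not leak to the caller.
is_ipv4() (
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.; count=0
    for octet in $1; do
        count=$((count + 1))
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
    [ "$count" -eq 4 ]
)

# Read acestatus output on stdin; $1 = expected primary server IP.
# Returns 0 (matches), 1 (missing or malformed, as with a corrupt sdconf.rec),
# or 2 (well-formed but not the expected primary).
check_server_address() {
    addr=$(sed -n 's/^.*Server Active Address:[[:space:]]*\([^[:space:]]*\).*$/\1/p' | head -n 1)
    if ! is_ipv4 "$addr"; then
        echo "MALFORMED:${addr:-none}"; return 1
    elif [ "$addr" = "$1" ]; then
        echo "OK:$addr"; return 0
    fi
    echo "UNEXPECTED:$addr"; return 2
}

# $1 = path to sdopts.rec, $2 = IP address noted in the activity monitor.
# Succeeds only when the file has exactly one CLIENT_IP line (this script's own
# policy) and that line carries the given well-formed address.
check_client_ip() {
    is_ipv4 "$2" || return 1
    [ -r "$1" ] || return 1
    [ "$(grep -c '^CLIENT_IP=' "$1")" -eq 1 ] || return 1
    grep -qxF "CLIENT_IP=$2" "$1"
}

# Demo on the value quoted in this article: prints MALFORMED:0.0.0.0154.236
printf 'Server Active Address: 0.0.0.0154.236\n' | check_server_address 192.0.2.10 || true
```

On the server, pipe the real acestatus output into check_server_address and pass the actual path of sdopts.rec to check_client_ip.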

 
