Article Number | 000038141 |
Applies To | RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2 SP1, 8.3, 8.4 patch 6 |
Issue | When running the ./rsautil manage-readonly-dbusers CLU with the -n option, the expected result is that the user is created and the specified subnet is allowed to access the database. The user is created, but the subnet is not granted access. |
Cause | The firewall (iptables) does not allow access from the subnet specified: the ACCEPT rule that the CLU writes uses a /32 host mask instead of the subnet mask given with -n. For example:
- Create a new read-only database user with the command below, where -X is debug mode, -a the action (create), -o the Operations Console (OC) user, -u the new database username, -i the IP address of the client network and -n the netmask of the client machine(s).
rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-readonly-dbusers -X -a create -o ocadmin -u dbreaduser -i 10.114.187.0 -n 255.255.255.0
Enter Operations Console (OC) password: <enter Operations Console admin password>
Enter password for the read-only database user: <enter read-only database user password>
Confirm password for the read-only database user: <re-enter read-only database user password>
Executing action: 'create'.
Trusted Root SSL CA certificate was copied in file '/opt/rsa/am/utils/RSAAMTrustedRootSSLCA.crt'.
'create' action complete.
- Check pg_hba.conf for the read-only user's entry, which carries the subnet mask given with -n:
rsaadmin@am82p:/opt/rsa/am/utils> cat /opt/rsa/am/rsapgdata/pg_hba.conf | grep dbreaduser
hostssl all dbreaduser 10.114.187.0 255.255.255.0 md5
- Switch to the root user and check iptables for port 7050, listing the rules with numeric output (-L -n -v):
rsaadmin@am82p:/opt/rsa/am/utils> sudo su -
rsaadmin's password: <enter operating system password>
am82p:~ # /usr/sbin/iptables -L -n -v | grep 7050
    0     0 ACCEPT     tcp  --  *      *       10.114.187.0         0.0.0.0/0            tcp dpt:7050
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7050
- Check the saved rules in /etc/sysconfig/iptables for port 7050 to confirm: the ACCEPT rule is written with /32, not the /24 subnet:
am82p:~ # cat /etc/sysconfig/iptables | grep 7050
-A INPUT -s 10.114.187.0/32 -p tcp -m tcp --dport 7050 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7050 -j DROP
|
Workaround | Edit /etc/sysconfig/iptables directly.
- Enable Secure Shell on the Appliance
- Log on to the Appliance Operating System with SSH
- Switch to the root user
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Thu Jan 2 15:50:00 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils
rsaadmin@am82p:~> sudo su -
rsaadmin's password: <enter operating system password>
- Edit /etc/sysconfig/iptables and change the /32 on the port 7050 ACCEPT rule to the prefix length of the client subnet. For example, change from /32, as shown:
-A INPUT -s 10.24.0.0/32 -p tcp -m tcp --dport 7050 -j ACCEPT
to /24:
-A INPUT -s 10.24.0.0/24 -p tcp -m tcp --dport 7050 -j ACCEPT
- Restart the iptables service:
am82p:~ # service iptables restart
Restarting iptables
|
Notes | You need to change the setting back to the original before you can delete this user. |
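As an added example (not RSA's code and not the CLU's own logic), the POSIX shell below derives the prefix length that the port 7050 ACCEPT rule should carry from the -i/-n values given to the CLU, and checks a saved rule file for the /32 entry described under Cause. The rule file content is a constructed sample, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not RSA code: derive the prefix length that the port 7050
# ACCEPT rule should carry from the -i/-n values given to the CLU, and flag
# a saved rule that was written as /32 instead of the subnet.

# Convert a dotted netmask (e.g. 255.255.255.0) to a prefix length (24); assumes a contiguous mask.
mask2cidr() {
    bits=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        case "$octet" in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)) ;;
            252) bits=$((bits + 6)) ;;
            248) bits=$((bits + 5)) ;;
            240) bits=$((bits + 4)) ;;
            224) bits=$((bits + 3)) ;;
            192) bits=$((bits + 2)) ;;
            128) bits=$((bits + 1)) ;;
            0)   ;;
            *)   echo "invalid netmask: $1" >&2; return 1 ;;
        esac
    done
    echo "$bits"
}

# The ACCEPT line that /etc/sysconfig/iptables should hold for network $1, netmask $2.
expected_rule() {
    prefix=$(mask2cidr "$2") || return 1
    printf '%s -s %s/%s -p tcp -m tcp --dport 7050 -j ACCEPT\n' '-A INPUT' "$1" "$prefix"
}

# Check rule file $3 for the expected line: prints "ok" when present, otherwise
# prints the ACCEPT line(s) actually there (e.g. the /32 entry the CLU wrote).
check_rule() {
    want=$(expected_rule "$1" "$2") || return 1
    if grep -qxF -- "$want" "$3"; then
        echo "ok"
    else
        grep -- 'dport 7050 -j ACCEPT' "$3" || echo "no ACCEPT rule for port 7050"
    fi
}

# Constructed sample of the rule file left behind by the CLU (/32 instead of /24).
SAMPLE="${TMPDIR:-/tmp}/iptables.sample.$$"
cat > "$SAMPLE" <<'EOF'
-A INPUT -s 10.114.187.0/32 -p tcp -m tcp --dport 7050 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7050 -j DROP
EOF
check_rule 10.114.187.0 255.255.255.0 "$SAMPLE"   # prints the /32 line
```

Run it against the real /etc/sysconfig/iptables (as root) with the -i and -n values you passed to the CLU; "ok" means the saved rule already matches the subnet, anything else is the line to correct in the Workaround step.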