Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000038467 - VERIFY_ERROR and authentication failure using REST method with RSA Authentication Agent for PAM with RSA Authentication Manager 8.2 SP1 through 8.2 SP1 patch 8

Document created by RSA Customer Support

on Feb 11, 2020

Version 1Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000038467
Applies To	RSA Product Set: SecurID RSA Product/Service Type: Authentication Manager RSA Version/Condition: 8.2.1 to 8.2.1.8
Issue	This article is version-specific and relates only to RSA Authentication Manager servers running 8.2 SP1 (8.2.1) to 8.2.1.8 (8.2 SP1 patch 8). This workaround is provided if you are not in a position to immediately upgrade to RSA Authentication Manager 8.3 and above. After enabling the DEBUG for the REST protocol, /var/ace/log/mfa_rest.log shows the following error: 2020-01-27 09:58:31,752 [0x7ff38b8ca8c0] INFO (../src/ConnectionHandler/ConnectionHandler.cpp:444) - The response is {"context":{"authnAttemptId":"5d14599e-7fc5-4dd7-8f2d-9b50cffb1d92","messageId":"23579bf8-e892-40fe-b0a3-ea121e889163","inResponseTo":"dd8e69e4-411d-11ea-a362-005056aadaee"}, "credentialValidationResults":[{"methodId":"SECURID","methodResponseCode":"FAIL","methodReasonCode":"VERIFY_ERROR","authnAttributes":[]}], "attemptResponseCode":"FAIL","attemptReasonCode":"VERIFY_ERROR","challengeMethods":{"challenges":[]}} When Configuring Logging, and setting the Trace.log value to Verbose, the error that is shown here is in the /opt/rsa/am/server/logs/imsTrace.log: 2020-02-07 10:08:02,231, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (SecurIDHandler.java:68), trace.com.rsa.authmgr.rest.runtime.SecurIDHandler, INFO, acerest.rsalocal.com,,,,Exception while getting IP Address for the agent 'example.rsatest.local': java.net.UnknownHostException: example.rsatest.local
Cause	The REST code was populating the Logical Agent IP to the client IP. Because of this, if the Logical Agent IP is not provided, it resolves to some random IP in the environment. The REST code after RSA Authentication Manager 8.3 and higher retrieves the client IP from the incoming authentication request and populates it in RSA Authentication Manager.
Resolution	Upgrade RSA Authentication Manager server to 8.3 or higher.
Workaround	As a workaround, try the following: Create an agent using the steps in Deploying an Authentication Agent That Uses the REST Protocol. Populate the agent with a logical IP address that the RSA Authentication Manager server can resolve. Provide the agent name to all the REST agents and update /var/ace/conf/mfa_api.properties on the client machine with that information. Users should now be able to log in to SSH using the REST mode without issue.
Notes	Also verify: The RSA Authentication Agent for PAM that is installed with UDP protocol as an operation method works when the user logs in through SSH. Nothing is observed in the RSA Authentication Manager authentication activity monitor during user authentication. The RSA Authentication Agent 8.0.x for PAM is installed on a supported platform. The RSA Authentication Agent 8.0.x for PAM is installed with REST protocol as an operation method, as shown in bold here: # :: 0 UDP Protocol # :: 1 SID REST Service # :: 2 MFA REST Service # default value is 0 OPERATION_MODE=1

Attachments

Outcomes

0 Comments

Recommended Content