000038467 - VERIFY_ERROR  and authentication failure using REST method with RSA Authentication Agent for PAM with RSA Authentication Manager 8.2 SP1 through 8.2 SP1 patch 8

Document created by RSA Customer Support Employee on Feb 11, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000038467
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2.1 to

This article is version-specific and relates only to RSA Authentication Manager servers running 8.2 SP1 (8.2.1) to (8.2 SP1 patch 8).

This workaround is provided if you are not in a position to immediately upgrade to RSA Authentication Manager 8.3 and above.


  • After enabling the DEBUG for the REST protocol, /var/ace/log/mfa_rest.log shows the following error:

2020-01-27 09:58:31,752 [0x7ff38b8ca8c0] INFO (../src/ConnectionHandler/ConnectionHandler.cpp:444) - The response is {"context":{"authnAttemptId":"5d14599e-7fc5-4dd7-8f2d-9b50cffb1d92","messageId":"23579bf8-e892-40fe-b0a3-ea121e889163","inResponseTo":"dd8e69e4-411d-11ea-a362-005056aadaee"}, "credentialValidationResults":[{"methodId":"SECURID","methodResponseCode":"FAIL","methodReasonCode":"VERIFY_ERROR","authnAttributes":[]}], "attemptResponseCode":"FAIL","attemptReasonCode":"VERIFY_ERROR","challengeMethods":{"challenges":[]}}

  • When Configuring Logging, and setting the Trace.log value to Verbose, the error that is shown here is in the /opt/rsa/am/server/logs/imsTrace.log:

2020-02-07 10:08:02,231, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (SecurIDHandler.java:68), trace.com.rsa.authmgr.rest.runtime.SecurIDHandler, INFO, acerest.rsalocal.com,,,,Exception while getting IP Address for the agent 'example.rsatest.local': java.net.UnknownHostException: example.rsatest.local
  • The REST code was populating the Logical Agent IP to the client IP. Because of this, if the Logical Agent IP is not provided, it resolves to some random IP in the environment.
  • The REST code after RSA Authentication Manager 8.3 and higher retrieves the client IP from the incoming authentication request and populates it in RSA Authentication Manager.
ResolutionUpgrade RSA Authentication Manager server to 8.3 or higher.
WorkaroundAs a workaround, try the following:
  1. Create an agent using the steps in Deploying an Authentication Agent That Uses the REST Protocol.
  2. Populate the agent with a logical IP address that the RSA Authentication Manager server can resolve.
  3. Provide the agent name to all the REST agents and update /var/ace/conf/mfa_api.properties on the client machine with that information.
  4. Users should now be able to log in to SSH using the REST mode without issue.
NotesAlso verify:
  • The RSA Authentication Agent for PAM that is installed with UDP protocol as an operation method works when the user logs in through SSH.
  • Nothing is observed in the RSA Authentication Manager authentication activity monitor during user authentication.
  • The RSA Authentication Agent 8.0.x for PAM is installed on a supported platform.
  • The RSA Authentication Agent 8.0.x for PAM is installed with REST protocol as an operation method, as shown in bold here:

# :: 0 UDP Protocol
# :: 1 SID REST Service
# :: 2 MFA REST Service
# default value is 0