000039319 - On-demand token delivery is not working after upgrading to RSA Authentication Manager 8.4

Document created by RSA Customer Support Employee on Oct 16, 2020

Article Content

Article Number: 000039319
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4 and higher
Issue: On-demand authentication (ODA) tokencode delivery stops working after upgrading to 8.4. The following error is displayed when testing the connection to the SMS provider:

Failed to send message. SSL connection not verified with peer. Please check that the certificate you imported is valid for this deployment



The /opt/rsa/am/server/logs/imsTrace.log is showing the following errors:

2020-06-08 17:39:26,471, [SMSMessageProcessor Core Thread #4], (HTTPPlugin.java:306), trace.com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin, ERROR, prdvrsamsha01.kpmgmgmt.com,,,, Failed to send an SMS message via HTTP
javax.net.ssl.SSLPeerUnverifiedException: No certificate found in session or SSL peer not authenticated.
        at com.rsa.authmgr.internal.smsplugin.impl.SMSSecureProtocolSocketFactory.verifyHostname(SMSSecureProtocolSocketFactory.java:236)
        at com.rsa.authmgr.internal.smsplugin.impl.SMSSecureProtocolSocketFactory.createSocket(SMSSecureProtocolSocketFactory.java:198)
        at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
        at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
        at com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin.executeSendMessage(HTTPPlugin.java:356)
        at com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin.sendRequest(HTTPPlugin.java:302)
        at com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin.send(HTTPPlugin.java:279)
        at com.rsa.authmgr.internal.message.processor.impl.MessageHandlerImpl.handle(MessageHandlerImpl.java:84)
        at com.rsa.authmgr.internal.message.processor.impl.MessageProcessorImpl$MessageProcessorTask.run(MessageProcessorImpl.java:493)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)


2020-06-08 17:39:26,472, [SMSMessageProcessor Core Thread #4], (HTTPPlugin.java:281), trace.com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin, ERROR, prdvrsamsha01.kpmgmgmt.com,,,,Failed to create SMS HTTP request
com.rsa.common.InvalidArgumentException: Failed to send SMS message via HTTP
        at com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin.sendRequest(HTTPPlugin.java:309)
        at com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin.send(HTTPPlugin.java:279)
        at com.rsa.authmgr.internal.message.processor.impl.MessageHandlerImpl.handle(MessageHandlerImpl.java:84)
        at com.rsa.authmgr.internal.message.processor.impl.MessageProcessorImpl$MessageProcessorTask.run(MessageProcessorImpl.java:493)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

        
The certificate imported for the ODA (SMS provider) connection is valid and not expired, so the error message does not point at the real problem.


 
Cause: Authentication Manager 8.4 enforces a 2048-bit minimum on the key material used in its TLS connections. If the deployment uses LDAPS and the HTTP plug-in to deliver ODA tokencodes, and the LDAP or SMS provider server selects a Diffie-Hellman (DH or DHE) key exchange whose parameters fall below that minimum, the TLS handshake fails. Because the handshake never completes, the client's hostname check finds no peer certificate in the session and logs SSLPeerUnverifiedException, even though the imported certificate itself is valid. Article 000037225 describes the same failure for the LDAPS connection; the same resolution applies here because the connection to the SMS provider server is affected in the same way.
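To confirm this cause on a particular deployment before changing anything, and to confirm the effect afterwards, the following probe script is added here; it is not RSA tooling and is not part of the original article. It drives `openssl s_client` against the SMS provider (or LDAPS server) twice, once offering only DHE suites and once with DHE excluded, and reports the negotiated suite and the size of the server's DH group against the 2048-bit minimum stated above. It assumes OpenSSL 1.0.2 or later on the host you run it from, a TLS 1.2 peer, and network reachability to that peer; the hostname and port in the usage line are placeholders. The parsing functions (`dh_bits`, `negotiated_cipher`, `classify`) work on a captured transcript and need no network.

```shell
#!/bin/sh
# Added diagnostic, not RSA tooling: probes the SMS provider (or LDAPS server)
# the way the upgraded Authentication Manager client does, so the DHE failure
# can be confirmed before the ims.tls.cipher_list.use_via_trust change and the
# fix confirmed after it. Assumes: openssl 1.0.2 or later on the probing host,
# a TLS 1.2 peer, and network reachability to the peer from that host.
# The 2048-bit minimum is the one stated in the article above.

MIN_DH_BITS=2048

# Read `openssl s_client` output on stdin; print the ephemeral DH group size in
# bits, or 0 if the server did not use a finite-field DH key exchange.
# (ECDHE prints "Server Temp Key: ECDH, ..." and is intentionally not matched.)
dh_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' \
        | head -n 1 | grep . || echo 0
}

# Read `openssl s_client` output on stdin; print the negotiated suite from the
# "New, TLSv1.2, Cipher is ..." line, or (NONE) when the handshake failed.
negotiated_cipher() {
    sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1 | grep . || echo '(NONE)'
}

# Classify one handshake transcript read from stdin. Prints one line starting
# with WEAK_DH, OK_DH, NO_DHE or FAILED; exit status 1 only for WEAK_DH, the
# case that reproduces the article's SSLPeerUnverifiedException.
classify() {
    txt=$(cat)
    bits=$(printf '%s\n' "$txt" | dh_bits)
    cipher=$(printf '%s\n' "$txt" | negotiated_cipher)
    if [ "$cipher" = '(NONE)' ]; then
        echo "FAILED handshake did not complete"
    elif [ "$bits" -eq 0 ]; then
        echo "NO_DHE $cipher (no finite-field DH; what the fixed client negotiates)"
    elif [ "$bits" -lt "$MIN_DH_BITS" ]; then
        echo "WEAK_DH $cipher ${bits}-bit group, below ${MIN_DH_BITS}; AM 8.4 rejects this"
        return 1
    else
        echo "OK_DH $cipher ${bits}-bit group"
    fi
}

# Live probe of host:port. First offer only DHE suites (the suite the article
# names is DHE-RSA-AES256-GCM-SHA384 in OpenSSL naming), then offer the default
# list with DHE removed, which approximates the client hello after the fix.
# On OpenSSL 1.1+/3.x builds that default to SECLEVEL=2 the first probe may
# itself refuse a 1024-bit group; use -cipher 'DHE:@SECLEVEL=1' there to see it.
probe() {
    host=$1; port=$2
    echo "== $host:$port offering DHE suites only"
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
        -tls1_2 -cipher 'DHE' 2>/dev/null | classify
    echo "== $host:$port offering DEFAULT:!DHE"
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
        -tls1_2 -cipher 'DEFAULT:!DHE' 2>/dev/null | classify
}

# Usage: sh probe_dhe.sh sms.example.net 443   (hostname and port are placeholders)
if [ "$#" -eq 2 ]; then
    probe "$1" "$2"
fi
```

Run it against the SMS provider endpoint configured in the HTTP plug-in (and against the LDAPS server for the 000037225 case). A WEAK_DH result on the first probe together with NO_DHE or OK_DH on the second is the signature of this article's failure: the peer accepts a DHE suite with a group smaller than 2048 bits, and the connection only succeeds when the client stops offering DHE.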
Resolution
If Authentication Manager is running 8.4 Patch 2 or later, the fix is already included in the product and the configuration parameter can be set directly with the following steps:
  1. Open an SSH session to the Authentication Manager server and log in as rsaadmin. If a different operating system username was chosen during Quick Setup, log in with that username instead.
  2. Change to the /opt/rsa/am/utils directory.
  3. Run the following command:

    ./rsautil store -a add_config ims.tls.cipher_list.use_via_trust true GLOBAL BOOLEAN


    This global parameter stops Authentication Manager 8.4 from offering the TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite in its TLS client hello, so the peer can no longer select that suite and the handshake no longer depends on the size of the peer's DH parameters.


  


 
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Tue Feb 26 10:36:31 2018 from 192.168.2.102
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils
rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil store -a add_config ims.tls.cipher_list.use_via_trust true GLOBAL BOOLEAN
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
psql.bin:/tmp/f8e39a3c-a614-41e3-be96-299e670f0a73525273943558510875.sql;0108; NOTICE:  Added the new configuration parameter "ims.tls.cipher_list.use_via_trust" with the value "true"
 add_config
---------------------

(1 row)



  
     If the configuration parameter "ims.tls.cipher_list.use_via_trust" already exists, change it with the update_config action instead, passing the value true to apply the fix. The session below shows the same command setting the parameter back to false, which is how the change is reverted; the NOTICE line reports the old and new values.

rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil store -a update_config ims.tls.cipher_list.use_via_trust false GLOBAL BOOLEAN
Please enter OC Administrator user name: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
psql.bin:/tmp/e6871864-6126-47cc-af20-0c261a3bbb643013521437038491182.sql;167; NOTICE:  Added the new configuration parameter "ims.tls.cipher_list.use_via_trust" from "true" to "false" for the instance 'GLOBAL'.
update_config
---------------------

(1 row)

  
    
Notes: If you are running 8.4 without Patch 2, either upgrade to 8.4 Patch 2 and follow the steps above, or contact RSA Support to have the hotfix applied to the appliances first.
