000032689 - Manually generating a node secret for RSA Authentication Agent 7.1 for PAM

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 3.

Article Content

Article Number: 000032689
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
RSA Version/Condition: 7.1
Issue: The RSA Authentication Agent 7.1 for PAM is failing to save the node secret file, called securid, in /var/ace.
Resolution: The RSA Authentication Agent 7.1 for PAM saves its configuration files in /var/ace by default. Directory permissions may need to be altered so that the node secret file, named securid, can be saved after the first authentication. The first authentication to the Authentication Manager primary instance creates a node secret, stores a copy of it in the authentication agent record (visible in the Security Console) and sends a copy to the RSA Authentication Agent for PAM. The real-time authentication activity monitor will show the node secret being sent to the authentication agent.
Where a firewall or a Security-Enhanced Linux (SELinux) policy prevents the agent from storing the node secret, an administrator can use the Node Secret Utility (agent_nsload) to provide the node secret to the RSA Authentication Agent 7.1 for PAM manually. agent_nsload is provided in the Authentication Manager 8.1 Extras zip file (am-extras-), which can be downloaded from RSA Link.

General Usage

  1. Ensure that SSH connectivity is enabled to the SecurID Appliance running Authentication Manager 8.1. From the Operations Console, select Administration > Operating System Access. Under SSH Settings, check the option to enable SSH on eth0 and click Save.
  2. With WinSCP or another file transfer utility, copy the agent_nsload file (for Linux-x86_64) into /var/ace.
  3. From an SSH session, login as rsaadmin.
  4. Use the command chmod 755 /var/ace/agent_nsload to provide executable permissions (that is, -rwxr-xr-x).
  5. Log in to the Security Console and navigate to Access > Authentication Agents > Manage Existing.
  6. Click on the entry for the PAM agent and select Manage Node Secret.
  7. Check Create a new random node secret, and export the node secret to a file.
  8. When prompted, enter an encryption password and click Save.
  9. With WinSCP or another file transfer utility, copy this <agent_hostname>_NodeSecret.zip file into the /var/ace.
  10. From an SSH session, change to /var/ace and unzip the <agent_hostname>_NodeSecret.zip file; this extracts nodesecret.rec.
  11. Load the node secret into the agent configuration with the command /var/ace/agent_nsload -f /var/ace/nodesecret.rec -d /var/ace. The administrator will be prompted for the encryption password entered in step 8.
  12. Check /var/ace to confirm the existence of the securid file.
  13. From the Security Console, select Reporting > Real Time Activity Monitors > Authentication Activity Monitor and click Start Monitor.
  14. Perform a test authentication with acetest (by default in /opt/pam/bin/64bit/acetest). Authentication is expected to succeed.
NOTE: start the real-time authentication activity monitor to troubleshoot any failing authentications
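The agent-side part of the procedure above (steps 2, 4 and 10 to 14), written out as a POSIX shell script that checks the directory before running agent_nsload and confirms the securid file afterwards. This is an added example, not RSA's own tooling or a script from the article. It assumes the article's default paths (/var/ace, /var/ace/agent_nsload, /opt/pam/bin/64bit/acetest), that unzip is installed on the agent host, and that the exported <agent_hostname>_NodeSecret.zip has already been copied there. Removing the extracted nodesecret.rec and the zip after a successful load is a hygiene choice added here, not an instruction from the article.

```shell
#!/bin/sh
# Added example: load an exported node secret into the PAM agent directory
# and verify the result. Paths are the article's defaults and can be
# overridden through the environment; everything else is an assumption.
ACE_DIR="${ACE_DIR:-/var/ace}"
NSLOAD="${NSLOAD:-$ACE_DIR/agent_nsload}"
ACETEST="${ACETEST:-/opt/pam/bin/64bit/acetest}"

# Returns 0 if directory $1 exists and is writable by the current user,
# which is what the agent needs in order to save the securid file.
check_ace_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "error: $dir does not exist" >&2
        return 1
    fi
    if [ ! -w "$dir" ]; then
        echo "error: $dir is not writable by $(id -un); check owner and mode" >&2
        ls -ld "$dir" >&2
        return 1
    fi
    # On SELinux hosts, show mode and label: a denied write to securid can
    # come from the policy even when the mode bits look correct.
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux is $(getenforce); $(ls -ldZ "$dir" 2>/dev/null)"
    fi
    return 0
}

# Returns 0 if the node secret file "securid" exists in directory $1.
node_secret_present() {
    [ -f "$1/securid" ]
}

# Unzip the exported archive $1 into directory $2 and print the path of
# the extracted nodesecret.rec; returns 1 if the record is missing.
extract_node_secret() {
    zip="$1"
    dir="$2"
    unzip -o -q "$zip" -d "$dir" || return 1
    if [ ! -f "$dir/nodesecret.rec" ]; then
        echo "error: nodesecret.rec not found in $zip" >&2
        return 1
    fi
    echo "$dir/nodesecret.rec"
}

# Usage: sh load_node_secret.sh /var/ace/<agent_hostname>_NodeSecret.zip
main() {
    zip="$1"
    check_ace_dir "$ACE_DIR" || exit 1
    if [ ! -x "$NSLOAD" ]; then
        echo "error: $NSLOAD is missing or not executable (chmod 755)" >&2
        exit 1
    fi
    rec=$(extract_node_secret "$zip" "$ACE_DIR") || exit 1
    # agent_nsload prompts for the encryption password chosen at export time.
    "$NSLOAD" -f "$rec" -d "$ACE_DIR" || exit 1
    if node_secret_present "$ACE_DIR"; then
        echo "node secret loaded:"
        ls -l "$ACE_DIR/securid"
    else
        echo "error: $ACE_DIR/securid was not created" >&2
        exit 1
    fi
    # Remove the extracted record and the archive so the agent's securid
    # file is the only copy of the node secret left on this host.
    rm -f "$rec" "$zip"
    # Step 14: test authentication (start the activity monitor first).
    if [ -x "$ACETEST" ]; then
        "$ACETEST"
    fi
}

# With no argument the file only defines the functions (it can be sourced).
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Run it as root on the agent host, since /var/ace and the securid file belong to the agent; a non-root run fails at check_ace_dir rather than partway through the load.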

A secure file transfer client (SFTP or SCP) can be used to copy files to the SecurID Appliance running RSA Authentication Manager 8.1 once SSH is enabled in the Operations Console: Administration > Operating System Access > SSH Settings, check Interface eth0 and click Save.
Notes: RSA Authentication Agent 7.1 Patch 1 for PAM introduces support for Red Hat Enterprise Linux 7.