000032689 - Manually generate a node secret for RSA Authentication Agent for PAM

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Jan 8, 2020.
Version 4

Article Content

Article Number: 000032689
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
Issue: The RSA Authentication Agent for PAM is failing to save the node secret file, called securid, in /var/ace.
Resolution: The RSA Authentication Agent for PAM saves its configuration files in /var/ace by default. Directory permissions may need to be altered so that the node secret file, named securid, can be saved after the first authentication. The first authentication to the Authentication Manager primary instance creates a node secret, stores a copy of it in the authentication agent record in the Security Console and sends a copy to the RSA Authentication Agent for PAM. The real-time Authentication Activity Monitor will show the node secret being sent to the authentication agent.

Where a firewall or Security-Enhanced Linux (SELinux) is preventing the node secret from being stored, an administrator can use the Node Secret Utility (agent_nsload) to provide the node secret to the RSA Authentication Agent for PAM manually. The agent_nsload utility is provided in the Authentication Manager 8.x Extras zip file. See 000034558 - How to download RSA Authentication Manager 8.x full kits and service packs from RSA Link for steps to download the file.

General Usage

  1. Ensure that SSH connectivity is enabled to the SecurID Appliance running Authentication Manager 8.x. From the Operations Console select Administration > Operating System Access. Under SSH Settings, check the option to enable eth0 and click Save.
  2. With WinSCP or another file transfer utility, copy the agent_nsload file (for Linux-x86_64) into /var/ace.
  3. Start an SSH session.
  4. Use the command chmod 755 /var/ace/agent_nsload to give the utility executable permissions.
  5. Log in to the Security Console and navigate to Access > Authentication Agents > Manage Existing.
  6. Click on the entry for the PAM agent and select Manage Node Secret.
  7. Check Create a new random node secret, and export the node secret to a file.
  8. When prompted, enter an encryption password and click Save.
  9. With WinSCP or another file transfer utility, copy the resulting <agent_hostname>_NodeSecret.zip file into /var/ace.
  10. From an SSH session, change to /var/ace and unzip the <agent_hostname>_NodeSecret.zip file; this will provide nodesecret.rec.
  11. Load the node secret into the agent configuration with the command /var/ace/agent_nsload -f /var/ace/nodesecret.rec -d /var/ace. The administrator will be prompted for the encryption password that was entered when the node secret was exported.
  12. Check /var/ace to confirm that the securid file now exists.
  13. From the Security Console, select Reporting > Real Time Activity Monitors > Authentication Activity Monitor and click Start Monitor.
  14. Perform a test authentication with acetest (by default this is in /opt/pam/bin/64bit/acetest). It is expected that authentication is successful.
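The shell steps above (making agent_nsload executable, loading nodesecret.rec and confirming that securid appears in /var/ace) can be checked with a small pre-flight script. The following is an added example, not part of the RSA article and not an RSA tool: it verifies that the directory the agent writes to is writable, that agent_nsload is executable, and whether the securid file exists yet, printing the agent_nsload command line from step 11 when it does not. The paths and file names (/var/ace, securid, nodesecret.rec, agent_nsload) are those the article uses; the ACE_DIR variable and the script name nodesecret_preflight.sh are assumptions so the checks can be pointed at a test directory.

```shell
#!/bin/sh
# Added example (not from the RSA article): pre-flight checks for the node secret
# directory used by the RSA Authentication Agent for PAM. ACE_DIR is an assumed
# override; the agent's default directory is /var/ace as the article states.

ACE_DIR="${ACE_DIR:-/var/ace}"

# Returns 0 if the node secret file (securid) exists in the given directory.
node_secret_present() {
    [ -f "$1/securid" ]
}

# Returns 0 if the directory exists and the current user can create files in it.
# The agent needs this to store securid after the first successful authentication.
ace_dir_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Returns 0 if agent_nsload in the given directory carries an execute bit
# (the article sets mode 755 with chmod).
nsload_executable() {
    [ -x "$1/agent_nsload" ]
}

# Prints the agent_nsload command line that loads nodesecret.rec into the directory.
nsload_command() {
    printf '%s/agent_nsload -f %s/nodesecret.rec -d %s\n' "$1" "$1" "$1"
}

# Runs every check against one directory and reports. Returns 1 while the agent
# cannot be expected to authenticate (unwritable directory or no node secret yet).
preflight() {
    dir="$1"
    status=0
    if ace_dir_writable "$dir"; then
        echo "OK:   $dir is writable"
    else
        echo "FAIL: $dir is missing or not writable (check ownership, mode and SELinux context with ls -ldZ)"
        status=1
    fi
    if nsload_executable "$dir"; then
        echo "OK:   $dir/agent_nsload is executable"
    else
        echo "WARN: $dir/agent_nsload is not executable; run: chmod 755 $dir/agent_nsload"
    fi
    if node_secret_present "$dir"; then
        echo "OK:   node secret file $dir/securid is present"
    else
        echo "INFO: no $dir/securid yet; load the exported record with: $(nsload_command "$dir")"
        status=1
    fi
    return "$status"
}

# When saved as nodesecret_preflight.sh and run directly, check ACE_DIR (default /var/ace).
case "${0##*/}" in
    nodesecret_preflight.sh) preflight "$ACE_DIR" ;;
esac
```

Run it once before step 11 (expect INFO and the agent_nsload command line) and again after step 12 (expect every line to read OK). A FAIL on the directory check is the permissions or SELinux condition the Resolution section describes, and is worth fixing before loading the node secret, since the agent will otherwise fail to save securid again after the next node secret exchange.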

Start the real-time Authentication Activity Monitor to troubleshoot any failing authentications.

A secure FTP client can be used to copy files to the SecurID Appliance running RSA Authentication Manager 8.x software once SSH is enabled in the Operations Console under Administration > Operating System Access > SSH Settings (check Interface eth0 and click Save).