000031929 - Changing the Authentication Service Port Number for RSA Authentication Manager 8.1

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 5

Article Content

Article Number: 000031929
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.1 Service Pack 1 or later
Platform: SUSE Enterprise Linux
O/S Version: 11 Service Pack 3
Product Description: SecurID Appliance
Issue: Customer has a requirement to change the default authentication service port of 5500/UDP to another port number.
Tasks: Changing the Authentication Service Port Number
  1. Log on to the Security Console with an administrative account.
  2. Go to Setup > System Settings and, under Authentication Settings, click Agents.
  3. Change the Authentication Service Port number and click the Save button.
Example: (screenshot not reproduced here)

  1. In the Security Console, click the Access tab > select Authentication Agents > select Generate Configuration File > click the Generate Configuration File button > click the Download Now button to save a copy of AM_Config.zip (which contains sdconf.rec).
  2. Where SSH is enabled for command line access, use a secure FTP client (such as WinSCP) to copy the new configuration record (sdconf.rec) into the /tmp folder of the Authentication Manager instance.
  3. At the command line, using the rsaadmin account, navigate to the /opt/rsa/am/radius folder. Make a copy of the existing sdconf.rec file named sdconf.rec-5500 using the command: cp sdconf.rec sdconf.rec-5500
  4. Copy the new configuration record (sdconf.rec) from the /tmp folder into the /opt/rsa/am/radius folder using the command: cp /tmp/sdconf.rec /opt/rsa/am/radius/sdconf.rec
     NOTE: Failing to update the sdconf.rec file correctly results in the message "Failed to initialize communications for SecurID authentication (result = 23)" being written to the RADIUS log file (yyyymmdd.log, named for the current date; for example, 20151124.log).
  5. Reboot the SecurID Appliance instance for the new port number to be used for the Authentication Service.
    In the Operations Console > Maintenance > Reboot Appliance
    Alternatively at the command line use the command:
    /opt/rsa/am/server/rsaserv restart all
  6. At the command line, check that the authentication service is listening on the new port number with the command: netstat -ano | grep <port_number>
Example, where the new authentication service port number is 5516:
rsaadmin@am81p:~> netstat -ano | grep 5516
udp        0      0 127.0.0.1:5516          :::*                                off (0.00/0/0)
udp        0      0 127.0.0.2:5516          :::*                                off (0.00/0/0)
udp        0      0 192.168.31.14:5516      :::*                                off (0.00/0/0)
rsaadmin@am81p:~>


  1. Update the deployed RSA Authentication Agents with the new configuration record (sdconf.rec).
Example, where a SecurID test agent is using the new port (5516): (screenshot not reproduced here)


To troubleshoot incoming SecurID authentications on the new port number, use the command: sudo tcpdump -i eth0 -Z root -n -A -v port <port_number>
Example, tcpdump capturing packets for a successful authentication on port 5516:
rsaadmin@am81p:~> sudo tcpdump -i eth0 -Z root -n -A -v port 5516
rsaadmin's password:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:46:32.741789 IP (tos 0x0, ttl 126, id 32236, offset 0, flags [none], proto UDP (17), length 152) 192.168.54.61.49710 > 192.168.31.14.5516: UDP, length 124
E...}...~....>.=
>.........Hg...............................................................
15:46:32.742807 IP (tos 0x0, ttl 64, id 8425, offset 0, flags [DF], proto UDP (17), length 152) 192.168.31.14.5516 > 192.168.54.61.49710: UDP, length 124
E... .@.@.F.
>...>.=.......\g..............
.....eZtWnf7wj7fPElD9reNCyQ==...........
15:46:37.273177 IP (tos 0x0, ttl 126, id 32262, offset 0, flags [DF], proto UDP (17), length 580) 192.168.54.61.49710 > 192.168.31.14.5516: UDP, length 552
E..D~.@.~....>.=
>.......0.?[.]..............L....>;j...'m....F. ?.O........8......!HxI4*0.H
15:46:37.291612 IP (tos 0x0, ttl 64, id 8426, offset 0, flags [DF], proto UDP (17), length 536) 192.168.31.14.5516 > 192.168.54.61.49710: UDP, length 508
E... .@.@.E$
>...>.=........l.].........VS...D.;.........    ...Y0.................G.m......jG.
15:46:37.306156 IP (tos 0x0, ttl 126, id 32264, offset 0, flags [DF], proto UDP (17), length 580) 192.168.54.61.49710 > 192.168.31.14.5516: UDP, length 552
E..D~.@.~....>.=
>.......0.k\.%...............I<.d..N.F.Er..t..o&.Q....:..../.a..Y...$|..RU%
15:46:39.306804 IP (tos 0x0, ttl 64, id 8427, offset 0, flags [DF], proto UDP (17), length 536) 192.168.31.14.5516 > 192.168.54.61.49710: UDP, length 508
E... .@.@.E#
>...>.=........l.%...............E.....U....<5.l. ..]...34. ..-t..<...r..~....h
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
rsaadmin@am81p:~>
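The following helpers are an added example and are not part of this RSA article: they automate the step 6 netstat check (new port listening, old 5500/UDP gone) and the step 4 RADIUS log check. They assume netstat -ano output in the layout shown above and the literal error text quoted in the step 4 note; the new port 5516 and the sample data are constructed to match the article's example.

```shell
#!/bin/sh
# Added example, not from the RSA article: verification helpers for the
# port change. Assumes netstat -ano text in the layout the article shows
# and the literal RADIUS error text the article quotes.

OLD_PORT=5500   # default authentication service port being replaced
NEW_PORT=5516   # assumed new port, as in the article's example

# Count UDP sockets whose local address (column 4) ends in ":<port>",
# reading netstat -ano text on stdin. Foreign ports are not counted.
count_udp_listeners() {
    awk -v p="$1" '$1 ~ /^udp/ && $4 ~ (":" p "$") { n++ } END { print n + 0 }'
}

# Exit 0 when the RADIUS log on stdin carries the sdconf.rec failure the
# article warns about (result = 23), 1 otherwise.
radius_sdconf_failed() {
    grep -q 'Failed to initialize communications for SecurID authentication'
}

# Verdict on netstat text from stdin: new port listening, old port silent.
verify_port_change() {
    data=$(cat)
    new_n=$(printf '%s\n' "$data" | count_udp_listeners "$NEW_PORT")
    old_n=$(printf '%s\n' "$data" | count_udp_listeners "$OLD_PORT")
    if [ "$new_n" -gt 0 ] && [ "$old_n" -eq 0 ]; then
        echo "OK: $new_n UDP listener(s) on $NEW_PORT, none on $OLD_PORT"
        return 0
    fi
    echo "FAIL: $new_n listener(s) on $NEW_PORT, $old_n still on $OLD_PORT"
    return 1
}

# Constructed sample data (not captured from a real appliance or log).
SAMPLE_NETSTAT='udp        0      0 127.0.0.1:5516          :::*   off (0.00/0/0)
udp        0      0 192.168.31.14:5516      :::*   off (0.00/0/0)
udp        0      0 192.168.31.14:1812      :::*   off (0.00/0/0)'
SAMPLE_STALE="$SAMPLE_NETSTAT
udp        0      0 192.168.31.14:5500      :::*   off (0.00/0/0)"
SAMPLE_RADIUS_LOG='Failed to initialize communications for SecurID authentication (result = 23)'

# On the appliance: netstat -ano | verify_port_change
printf '%s\n' "$SAMPLE_NETSTAT" | verify_port_change || true
printf '%s\n' "$SAMPLE_STALE" | verify_port_change || true
printf '%s\n' "$SAMPLE_RADIUS_LOG" | radius_sdconf_failed && echo "RADIUS: sdconf.rec not accepted"
```

On a live instance, pipe the real netstat output and the current RADIUS log (/opt/rsa/am/radius, yyyymmdd.log) into the functions instead of the constructed samples.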

Notes: Changing the authentication service port number on the Authentication Manager primary instance automatically updates the Authentication Manager replica instance(s). However, RSA RADIUS requires a new configuration record (sdconf.rec), and the Authentication Manager instance requires a reboot after the changes in the Tasks section above.
