000030856 - Configuring the RSA Authentication Agent API for Java on a Supported Platform with Two Network Card Interfaces (NICS)

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4

Article Content

Article Number: 000030856
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Agent API for Java
RSA Version/Condition: 8.1 SP3
Platform: Microsoft Windows
Product Description: RSA Authentication Agent API

Issue
Sample code for the RSA Authentication Agent API for Java successfully authenticates and then fails authentication.
The unexpected results below were produced using a fixed passcode to authenticate a test account called 'rsatest':

Username: rsatest
Passcode: 12345678
Passcode Accepted
Authentication successful
Continue? [y/n] y
Username: rsatest
Passcode: 12345678
Access Denied
Passcode: 12345678
Access Denied
Passcode: 12345678
Access Denied
Authentication incomplete
Continue? [y/n]

 
Resolution
This RSA Knowledge Article assumes that RSA Authentication Manager 8.1 software has already been deployed as a primary instance, with or without replica instances in the deployment, and that the RSA Authentication Agent API 8.1 Service Pack 3 for Java sample code has been compiled and is ready to use.
 
Environment:

  • Two separate networks with no routing between them.
  • RSA Authentication Manager primary instance eth0 is configured on one network and eth1 is configured on the second network.
  • Microsoft Windows platform hosting the RSA Authentication Agent API for Java (2k8r2-agent in this example), with two network card interfaces (NICs), one connected to each of the two networks.
Diagram representing the network: 
User-added image
 Steps

1. Ensure the authentication manager instance eth0 and eth1 interfaces are correctly set up in the Operations Console.
    
   Operations Console > Administration > Network > Appliance Network Settings
    
   Example for the primary instance:

  
                          eth0              eth1
   IPv4 Address           192.168.254.102   192.168.2.102
   IPv4 Subnet Mask       255.255.255.0     255.255.255.0
   IPv4 Default Gateway   192.168.254.1     192.168.2.1

    
   NOTE: ensure the Network Cable Connection shows ‘Connected’
    
2. Set up the local hosts file on each of the authentication manager instances in the deployment.
    
   Operations Console > Administration > Network > Hosts File > Add New
    

  
  • Add a hosts entry for the Microsoft Windows platform eth0 IP address and associated hostname
  • Add a hosts entry for the Microsoft Windows platform eth1 IP address and associated hostname
  • Add all of the authentication manager instance IP addresses and host names
    
   Example:
   User-added image
    
3. Using the Security Console on the primary instance, add the eth1 IP addresses as Alternative IP Addresses for the authentication manager instance(s).
    
   Security Console > Setup > System Settings > under Advanced Settings, Alternative Instance IP Addresses > enter the eth1 IP address in the Alternative IP Address field.
    
   Example:
   User-added image
    
4. Perform an Automatic Rebalance using the Security Console on the primary instance.
    
   Security Console > Access > Authentication Agents > Authentication Manager Contact List > Automatic Rebalance > {click} Rebalance button.
    
   The primary and replica (or replicas) will appear in the Authentication Manager Contact Lists.
    
   Example:
   User-added image
    
5. Generate a Configuration Record using the Security Console on the primary instance.
    
   Security Console > Access > Authentication Agents > Generate Configuration File - {click} Generate Config File button and Download Now button.
    
   Example:
   User-added image
    
   NOTE: AM_Config.zip contains the sdconf.rec file used by RSA Authentication Agents and some third-party devices/software
    
   ** Copy the AM_Config.zip file to the Microsoft platform hosting the RSA Authentication Agent API for Java software.
    
6. Update (or add) the Authentication Agent in the Security Console.
    
   Security Console > Access > Authentication Agents > Manage Existing (or Add New) > Enter the Hostname of the agent, enter the IP Address from eth0 of the agent and enter the eth1 IP address in the Alternative IP Address field.
    
   Example:
   User-added image
    
7. For this example, the RSA Authentication Agent API for Java has been unpacked into the C:\RSA\JavaAPI folder on the supported Microsoft platform.
    
   The example code is therefore found in the C:\RSA\JavaAPI\examples\sample folder, along with rsa_api.properties, the configuration record (sdconf.rec) and sdopts.rec.
    
   rsa_api.properties

  
  • To use eth0: RSA_AGENT_HOST=192.168.254.120
  • To use eth1: RSA_AGENT_HOST=192.168.2.120
  • SDCONF_LOC=sdconf.rec
  • SDOPTS_LOC=sdopts.rec
    
   NOTE: RSA_AGENT_HOST is an Override Host IP Address parameter, SDCONF_LOC is the location of sdconf.rec and SDOPTS_LOC is the location of sdopts.rec.
    
   sdopts.rec
    
   It is important to include both eth0 and eth1 of the authentication manager instances in sdopts.rec using USESERVER, and to set CLIENT_IP=<agent_IPaddress>, where <agent_IPaddress> is the appropriate IP address for either eth0 or eth1 of the Microsoft platform hosting the RSA Authentication Agent API for Java.
    
   Example:

  

     
   CLIENT_IP=192.168.2.120
   USESERVER=192.168.2.102,10
   USESERVER=192.168.2.110,10
   USESERVER=192.168.2.111,10
   USESERVER=192.168.2.112,10
   USESERVER=192.168.254.102,10
   USESERVER=192.168.254.110,10
   USESERVER=192.168.254.111,10
   USESERVER=192.168.254.112,10

     

    
   NOTE: The sdopts.rec file is a text file that an administrator will manually create for an RSA Authentication Agent for manual load balancing. The sdopts.rec file is not generated by authentication manager or the agent.
    
   Appendix A: Configuring Automatic Load Balancing (page 79) of the RSA Authentication Agent 7.1 for Microsoft Windows Installation and Administration Guide and Appendix A: Configuring Automatic Load Balancing (page 81) of the RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide provide information on how to use ‘sdopts.rec’ and describe a number of parameters that can be used in the ‘sdopts.rec’ file.
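
   A consistency check for the files in step 7, as an added example that is not part of the original article or RSA's own code: it parses rsa_api.properties and sdopts.rec and reports a CLIENT_IP that is not one of the agent's addresses, an RSA_AGENT_HOST that disagrees with it, and authentication manager addresses missing from USESERVER. The function names, the instance names and the pairing of .110 to .112 as replica addresses on both networks are assumptions; the rule that RSA_AGENT_HOST should equal CLIENT_IP is inferred from the article's eth1 example.

```python
import ipaddress

def parse_kv(text):
    """Parse KEY=VALUE lines; repeated keys such as USESERVER accumulate."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            out.setdefault(key.strip().upper(), []).append(value.strip())
    return out

def check_agent_config(props_text, sdopts_text, agent_ifaces, am_instances):
    """Return findings (empty list = consistent). agent_ifaces: "ip/prefix" strings;
    am_instances: {instance name: [eth0 address, eth1 address]}."""
    props, opts = parse_kv(props_text), parse_kv(sdopts_text)
    findings, servers = [], []
    host = (props.get("RSA_AGENT_HOST") or [None])[-1]
    client = (opts.get("CLIENT_IP") or [None])[-1]
    for entry in opts.get("USESERVER", []):
        addr, _, prio = entry.partition(",")
        try:
            int(prio)  # the article's entries all have the form address,priority
            servers.append(ipaddress.ip_address(addr.strip()))
        except ValueError:
            findings.append(f"malformed USESERVER entry: {entry!r}")
    ifaces = [ipaddress.ip_interface(a) for a in agent_ifaces]
    local = next((i for i in ifaces if str(i.ip) == client), None)
    if local is None:
        findings.append(f"CLIENT_IP {client} is not an address of this agent host")
    elif not any(s in local.network for s in servers):  # networks are not routed
        findings.append(f"no USESERVER entry is on {local.network}")
    if host != client:  # assumption: the override host must match CLIENT_IP
        findings.append(f"RSA_AGENT_HOST {host} differs from CLIENT_IP {client}")
    for name, addrs in am_instances.items():
        for addr in addrs:
            if ipaddress.ip_address(addr) not in servers:
                findings.append(f"{name}: {addr} has no USESERVER line")
    return findings

# Constructed sample input built from the addresses in the article's example.
PROPS = "RSA_AGENT_HOST=192.168.2.120\nSDCONF_LOC=sdconf.rec\nSDOPTS_LOC=sdopts.rec\n"
HOSTS = (102, 110, 111, 112)  # assumption: same host octet on both networks
SDOPTS = "CLIENT_IP=192.168.2.120\n" + "".join(
    f"USESERVER=192.168.{net}.{h},10\n" for net in (2, 254) for h in HOSTS)
AGENT_IFACES = ["192.168.254.120/24", "192.168.2.120/24"]
AM = {f"am-{h}": [f"192.168.254.{h}", f"192.168.2.{h}"] for h in HOSTS}

if __name__ == "__main__":
    print(check_agent_config(PROPS, SDOPTS, AGENT_IFACES, AM) or "consistent")
```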
     

  
 
Notes
RSA Authentication Agent API 8.1 Service Pack 3 for C and Java is available from RSA SecurCare Online with a registered account at https://knowledge.rsasecurity.com/scolcms/set.aspx?id=10527 (updated January 2015).
