000030856 - Configure the RSA Authentication Agent API for Java on a supported platform with two network card interfaces (NIC)

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Jan 9, 2020
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000030856
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Agent API for Java 
RSA Version/Condition: 8.x
Platform: Microsoft Windows 
IssueSample code for the RSA Authentication Agent API for Java successfully authenticates and then fails authentication.  Unexpected results occur where a fixed passcode is used to authenticate a test account called 'rsatest':

Username: rsatest
Passcode: 12345678
Passcode Accepted
Authentication successful
Continue? [y/n] y
Username: rsatest
Passcode: 12345678
Access Denied
Passcode: 12345678
Access Denied
Passcode: 12345678
Access Denied
Authentication incomplete
Continue? [y/n]


 
Resolution

This article assumes that RSA Authentication Manager software has already been deployed as a primary instance, with or without replica instances in a deployment and that RSA Authentication Agent API for Java sample code has been compiled and ready to use.


 

Environment



  • Two separate networks with no routing between them.
  • RSA Authentication Manager primary instance eth0 is configured on one network and eth1 is configured on the second network.
  • Microsoft Windows platform with two network card interfaces (NICs), where each NIC is connected to the two networks hosting the RSA Authentication Agent API for Java (for this example, 2k8r2-agent) .


Network diagram


User-added image

 Steps



  1. Ensure the RSA Authentication Manager instance eth0 and eth1 interfaces are correctly set up in the Operations Console (Administration > Network > Appliance Network Settings.  An example on the primary is as follows:



 eth0eth1
IPv4 address192.168.254.102192.168.2.102
IPv4 subnet mask255.255.255.0255.255.255.0
IPv4 default gateway192.168.254.1192.168.2.1


Ensure the Network Cable Connection shows as connected.


  1. Set up the local host file on each of the Authentication Manager instance in the deployment.  From the Operations Console,
    1. Navigate to Administration > Network > Hosts File > Add New.
    2. Add hosts entry for the Microsoft Windows platform eth0 IP address and associated hostname.
    3. Add hosts entry for the Microsoft Windows platform eth1 IP address and associated hostname.
    4. Add all of the Authentication Manager instance IP addresses and hostnames.

For example,


User-added image


  1. Using the Security Console on the primary instance, add the eth1 IP addresses as Alternative IP Addresses for the Authentication Manager instance(s). Navigate to Setup > System Settings. Under Advanced Settings > Alternative Instance IP Addresses, enter the eth1 IP address in the Alternative IP Address field, as shown here:

User-added image
 


  1. Perform an automatic rebalance using the Security Console on the primary instance (Access > Authentication Agents > Authentication Manager Contact List > Automatic Rebalance.  Click Rebalance).  The primary and replica (or replicas) will appear in the Authentication Manager Contact Lists.  For example:

User-added image


  1. Generate a configuration record (Access > Authentication Agents > Generate Configuration File.  Click Generate Config File then click the Download Now button. Copy the AM_Config.zip file on the Microsoft platform hosting the RSA Authentication Agent API for Java software.

User-added image


  1. Update (or add) the Authentication Agent in the Security Console (Access > Authentication Agents > Manage Existing (or Add New).  Enter the host name of the agent, enter the IP address from eth0 of the agent and enter the eth1 IP address into Alternative IP Address.

User-added image


  1. For this example the RSA Authentication Agent API for Java has been unpacked into the C:\RSA\JavaAPI folder on the supported Microsoft platform.  The example code is therefore found in the C:\RSA\JavaAPI\examples\sample folder along with the rsa_api.properties, the configuration record (sdconf.rec) and sdopts.rec.

rsa_api.properties



  • To use eth0: RSA_AGENT_HOST=192.168.254.120
  • To use eth1: RSA_AGENT_HOST=192.168.2.120
  • SDCONF_LOC=sdconf.rec
  • SDOPTS_LOC=sdopts.rec

NOTE:
RSA_AGENT_HOST is an override host IP address parameter.
SDCONF_LOC is the location of sdconf.rec and SDOPTS_LOC is the location of sdopts.rec.

 

sdopts.rec



It is important to include both eth0 and eth1 of the Authentication Manager instances into the sdopts.rec with USESERVER, as well as use CLIENT_IP=<agent_IP_address> where <agent_IP_address> is the appropriate IP address for either eth0 or eth1 (of the Microsoft platform hosting RSA Authentication Agent API for Java).


 



CLIENT_IP=192.168.2.120
USESERVER=192.168.2.102,10
USESERVER=192.168.2.110,10
USESERVER=192.168.2.111,10
USESERVER=192.168.2.112,10
USESERVER=192.168.254.102,10
USESERVER=192.168.254.110,10
USESERVER=192.168.254.111,10
USESERVER=192.168.254.112,10



The sdopts.rec file is a text file that an administrator will manually create for an RSA Authentication Agent for manual load balancing. The sdopts.rec file is not generated by Authentication Manager or the agent.


NotesAppendix A: Configuring Automatic Load Balancing (page 75) of the RSA Authentication Agent 7.4 for Microsoft Windows Installation and Administration Guide provides information on how to use the sdopts.rec and describes a number of parameters that can be used in this file.

Attachments

    Outcomes