000032264 - When running the RSA SecurID Authentication Agent for PAM's acetest utility, getting error:  Cannot Do AceInitialize for communication with ACE/Server

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Jan 24, 2018
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000032264
Applies ToRSA Product Set:  SecurID
RSA Product/Service Type:   Authentication Agent for PAM
IssueWhen testing authentication with the acetest and acestatus utilities, the following errors appear:

[root@rh 64bit]# ./acetest
Cannot Do AceInitialize for communication with ACE/Server.
[root@rh 64bit]# ./acestatus
Error can't connect to ACE/Server
TasksUse strace to trace the system IO that acetest and acestatus utilities will access.
ResolutionTo run strace,  SSH to the box where the PAM agent is installed and run the following command:

[root@rh 64bit]# strace ./acetest
........
stat("/var/ace/sdconf.rec", 0x7fffd238fd10) = -1 ENOENT (No such file or directory)
open("/etc/localtime", O_RDONLY)        = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4587b1000
read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 3519
lseek(3, -2252, SEEK_CUR)               = 1267
read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0"..., 4096) = 2252
close(3)                                = 0
munmap(0x7fb4587b1000, 4096)            = 0
socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 3
connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
sendto(3, "<11>Dec 22 19:21:13 acetest: ACE"..., 93, MSG_NOSIGNAL, NULL, 0) = 93
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4587b1000
write(1, "Cannot Do  AceInitialize for com"..., 60Cannot Do  AceInitialize for communication with ACE/Server.
) = 60

In this particular case, the agent cannot communicate with the authentication server because the acetest utility cannot locate the sdconf.rec file in /var/ace.
To resolve the issue, generate a new sdconf.rec on the Authentication Manager server (Access > Authentication Agents > Generate Configuration File > Generate Config File) and place it on the box with the PAM agent in the directory listed in the error output generated after running the strace then rerun acetest.. 

Attachments

    Outcomes