|Applies To||Apache 7.0 agent for Unix|
|Issue||7.0 Apache Web Agent for SecurID/Auth Manager 7.x on Unix - why is RPC required?|
If you choose to turn off the RPC listener on port 111, the agent will not function properly and can fail to install. RPC, in fact, is a required component for the Apache agent.
Web server filters and extensions are typically written by programmers as a way of creating dynamic HTML or other business-related code. For this reason it has become increasingly risky to run these programs inside the web server processes themselves: servers have crashed because of coding errors, and inefficient filters can cause huge performance bottlenecks. As a result, such programs may be run out of process, spread across multiple worker processes, which becomes a serious issue if the agent cannot override this behaviour to at least force the RSA filters to run in a single process.
In support of this methodology, a process called "Kernel Queuing" is used to route requests to the web interface by selecting the single process to use. If the agent sends a prompt to get a new PIN, a socket is held by the RSA server corresponding to the handle that is retrieved from the browser. But that handle will be invalid if it is retrieved by the RSA server in another process.
To mitigate this problem, a standalone process has been developed to handle the RSA communications. In the UNIX versions of the Apache agent, an RPC interface has been developed to handle this case.
There is a reference to this on page 16 of the webagent_apache.pdf for the 7.0 agent, which states:
Installing the Web Agent:
The rpc service allows the different Apache processes to communicate. For operations such as New PIN and Next Tokencode mode, different portions of the operation may be handled by different Apache processes. If these processes cannot communicate via the aceapi_rpc_server, then these two step authentications will fail.
rpc MUST be running
[root@badboy uninstall]# rpcinfo -p localhost
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 745 status
100024 1 tcp 748 status
100021 1 udp 32768 nlockmgr
100021 3 udp 32768 nlockmgr
100021 4 udp 32768 nlockmgr
100021 1 tcp 32770 nlockmgr
100021 3 tcp 32770 nlockmgr
100021 4 tcp 32770 nlockmgr
If rpcinfo comes back with "program not registered" or "connection refused", correct that before trying again.
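As an added example (not part of the RSA article), the following shell function turns the rpcinfo check above into a pre-install test: it reads `rpcinfo -p` output and succeeds only if the portmapper (program 100000) is registered on port 111 for both tcp and udp, which is the condition the aceapi_rpc_server depends on. The sample outputs are constructed to mirror the listing in the article.

```shell
#!/bin/sh
# Added example, not the RSA agent's own code.
# check_portmapper reads `rpcinfo -p` output on stdin and returns 0 only
# when program 100000 (portmapper) is registered on port 111 for both
# tcp and udp; any other case returns 1 so an install script can stop.
check_portmapper() {
    awk '
        $1 == "100000" && $4 == "111" { seen[$3] = 1 }
        END { exit (seen["tcp"] && seen["udp"]) ? 0 : 1 }
    '
}

# Constructed sample: portmapper registered on 111/tcp and 111/udp.
SAMPLE_OK='program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 745 status'

# Constructed sample: portmapper missing (RPC listener turned off).
SAMPLE_MISSING='program vers proto port
100024 1 udp 745 status'

# Live check against the local host; prints a diagnosis and propagates
# the exit status so it can guard the agent installer.
precheck_live() {
    if rpcinfo -p localhost 2>/dev/null | check_portmapper; then
        echo "portmapper registered on port 111: agent RPC prerequisite met"
        return 0
    fi
    echo "portmapper not registered on port 111: start rpcbind/portmap first" >&2
    return 1
}
```

Run `precheck_live` on the web server before installing the agent; a non-zero exit means the RPC prerequisite is not satisfied.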
|Legacy Article ID||a49357|