000027479 - 7.0 Apache Web Agent for SecurID/Auth Manager 7.X on Unix - why is RPC required?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000027479
Applies To: Apache 7.0 agent for Unix
Issue: 7.0 Apache Web Agent for SecurID/Auth Manager 7.X on Unix - why is RPC required?
If you choose to turn off the RPC listener on port 111, the agent will not function properly and can fail to install.  RPC, in fact, is a required component for the Apache agent.
Resolution

Web server filters and extensions are typically written by programmers as a way of creating dynamic HTML or other business-related code. For this reason, it has become more and more dangerous to run these programs within the web server processes themselves: servers have crashed because of coding errors, and inefficient filters can cause huge performance bottlenecks. These programs can therefore be run out of process, in multiple processes, which becomes a serious issue if the agent cannot override this behavior to at least make the RSA filters run in a single process.

In support of this methodology, a process called "Kernel Queuing" is used to route requests to the web interface by selecting the single process to use. If the agent sends a prompt to get a new PIN, then a socket will be held by the RSA Server corresponding to the handle that is retrieved from the browser. But that handle will be invalid if it is retrieved by the RSA server in another process.

To mitigate this problem, a standalone process has been developed to handle the RSA communications.  In the UNIX versions of the Apache agent, an RPC interface has been developed to handle this case.

Notes

Page 16 of webagent_apache.pdf for the 7.0 agent states:

Installing the Web Agent:
Before you install the Web Agent, ensure that the rpc server is running.

The rpc service allows the different Apache processes to communicate.  For operations such as New PIN and Next Tokencode mode, different portions of the operation may be handled by different Apache processes.  If these processes cannot communicate via the aceapi_rpc_server, then these two step authentications will fail.


Check RPC

rpc MUST be running:

[root@badboy uninstall]# rpcinfo -p localhost
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    745  status
    100024    1   tcp    748  status
    100021    1   udp  32768  nlockmgr
    100021    3   udp  32768  nlockmgr
    100021    4   udp  32768  nlockmgr
    100021    1   tcp  32770  nlockmgr
    100021    3   tcp  32770  nlockmgr
    100021    4   tcp  32770  nlockmgr

If it comes back "program not registered" or "connection refused", correct that before trying again.
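
The same check as a scriptable preflight, written as an added example (not part of the RSA article or the agent installer): it classifies `rpcinfo -p` output into the working case and the two failures named above. The function names and the sample error lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not RSA code): classify `rpcinfo -p` output before installing the agent.

# Reads rpcinfo output (stdout and stderr merged) on stdin and prints one word:
#   ok            portmapper (program 100000) is listed on port 111
#   refused       nothing answered on port 111 ("connection refused")
#   unregistered  rpcinfo reported "program not registered"
#   missing       output parsed, but no portmapper entry on port 111
classify_rpcinfo() {
    awk '
        /[Cc]onnection refused/       { refused = 1 }
        /[Pp]rogram not registered/   { unreg = 1 }
        $1 == "100000" && $4 == "111" { found = 1 }
        END {
            if (refused)    print "refused"
            else if (unreg) print "unregistered"
            else if (found) print "ok"
            else            print "missing"
        }'
}

# Live check against a host (the article uses localhost). Returns 0 only for "ok".
check_rpc() {
    state=$(rpcinfo -p "${1:-localhost}" 2>&1 | classify_rpcinfo)
    echo "rpc state on ${1:-localhost}: $state"
    [ "$state" = "ok" ]
}

# Constructed samples: portmapper lines copied from the article's output, plus
# error texts modeled on the two failures the article names.
SAMPLE_OK='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper'
SAMPLE_REFUSED="rpcinfo: can't contact portmapper: RPC: Remote system error - Connection refused"
SAMPLE_UNREG='rpcinfo: RPC: Program not registered'
SAMPLE_MISSING='   program vers proto   port
    100024    1   udp    745  status'

# Offline demonstration over the constructed samples.
for s in "$SAMPLE_OK" "$SAMPLE_REFUSED" "$SAMPLE_UNREG" "$SAMPLE_MISSING"; do
    printf '%s\n' "$s" | classify_rpcinfo
done
```

Call `check_rpc localhost` on the web server host before running the installer; a non-zero exit status means RPC must be corrected first.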

 

Legacy Article ID: a49357
