|Applies To||RSA ACE/Server 5.1 (no longer supported as of 7-14-2006)|
RSA ACE/Server 5.2
|Issue||How to manually create and deliver a node secret file|
|Cause||If you choose to send the node secret manually, you must prompt the Server to create the node secret. You then deliver the node secret to the Agent Host (e.g. on a disk) and use the Node Secret Load utility to load the node secret onto the Agent Host. The node secret is password protected. When you run the Node Secret Load utility on the Agent Host, the utility decrypts the node secret file, renames the file after the authentication service name (usually securid), then stores the renamed file in the %SYSTEMROOT%\system32 directory on Windows machines and the ACEDATA directory on UNIX machines.|
- 4.4.x and later Agents copy the renamed node secret file from the %SYSTEMROOT%\system32 directory to the system registry and delete it from the %SYSTEMROOT%\system32 directory.
- Legacy Agents (other than 4.4.x) leave the renamed node secret file in the %SYSTEMROOT%\system32 directory.
- All UNIX Agents leave the renamed node secret file in the ACEDATA directory.
|Resolution||To manually create and deliver a node secret file, follow these steps:|
1. Click Agent Host --> Add (or Edit) Agent Host and click Create Node Secret.
2. In the Password box, type a password and retype it in the Confirm Password box.
3. If you want to save the node secret file under the default name and directory, click OK. The node secret file is created in the default directory using the default name nodesecret.rec. The default directory is ACEPROG until you specify a different directory, in which case the directory you specify becomes the default directory until you restart the Database Administration application.
4. If you want to save the file under a different name, click Browse, and in the Node Secret Filename Specification dialog box, change the name and directory, then click Save. If a node secret file with the same name exists in the specified directory, click Yes to overwrite it, or click No to return to the Node Secret Filename Specification dialog box. When you click Yes, the node secret file is created using the name and directory you specify. In the Add (or Edit) Agent Host dialog box, the Create Node Secret File button is grayed out, and Node Secret Created is checked.
5. Click OK.
6. Copy the new node secret file and the Load Node Secret utility to the Agent Host. The Load Node Secret utility loads the new node secret file into the Agent Host. RSA Security provides four platform-specific versions (Windows, Solaris, HP-UX, and IBM AIX) of the utility (agent_nsload) on the RSA ACE/Server CD.
7. On the Agent Host, run the Load Node Secret utility. On the command line prompt, type:
agent_nsload -f path -p password
where path is the directory location and name of the node secret file, and password is the password used to protect the node secret file.
NOTE: When the agent_nsload command runs successfully, you will see the following:
Loading Node Secret...
The node secret is successfully loaded.
On Windows systems, a securid file is created in C:\WINNT\System32 or C:\Windows\System32, which is all that is needed for pre-5.0 agents. For 5.0 and above, the registry key must be created in order for the node secret to be established. The registry key for the node secret will not be created until the next successful authentication or the next time the Administrator opens the Control Panel, selects the ACE/Agent, selects Test Authentication, and selects RSA ACE/Server Test Directly. At this point the C:\WINNT\securid or C:\Windows\securid file is removed and the node secret is created in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\ACECLIENT.
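The two-stage behavior described in the note above can be checked on a Windows Agent Host with a short script. This is an added example, not RSA code and not part of the original article: the function name Get-NodeSecretStage is hypothetical, and the registry value name NodeSecret is an assumption that should be confirmed against the installed agent.

```powershell
# Added example: report where the node secret currently lives on a Windows Agent Host.
# Locations come from the article; the value name 'NodeSecret' is an assumption.
function Get-NodeSecretStage {
    param(
        # The loaded file is renamed after the authentication service name.
        [string]$ServiceName  = 'securid',
        [string]$RegistryPath = 'HKLM:\SOFTWARE\SDTI\ACECLIENT',
        # Assumed value name; pass the real one if it differs.
        [string]$ValueName    = 'NodeSecret'
    )

    $file       = Join-Path $env:SystemRoot "System32\$ServiceName"
    $fileExists = Test-Path -LiteralPath $file -PathType Leaf

    $regExists = $false
    if (Test-Path -LiteralPath $RegistryPath) {
        $key       = Get-Item -LiteralPath $RegistryPath
        $regExists = $key.GetValueNames() -contains $ValueName
    }

    if     ($fileExists -and -not $regExists) {
        $stage = 'FileOnly'   # agent_nsload ran; 5.0+ agents still need an authentication
    }
    elseif ($regExists -and -not $fileExists) {
        $stage = 'Registry'   # secret moved to the registry, file removed
    }
    elseif ($fileExists -and $regExists) {
        $stage = 'Both'       # unexpected: file was not cleaned up
    }
    else {
        $stage = 'NotLoaded'  # neither location holds a node secret
    }

    [pscustomobject]@{
        Stage          = $stage
        FilePath       = $file
        FilePresent    = $fileExists
        RegistryPath   = $RegistryPath
        RegistryValue  = $ValueName
        RegistryLoaded = $regExists
    }
}

Get-NodeSecretStage
```

A result of FileOnly on a 5.0 or later agent means the load succeeded but a successful authentication or a Test Authentication run is still needed before the registry entry exists.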
|Legacy Article ID||a19788|