000032860 - Offline days not refreshing on RSA Authentication Agent 7.2.1 [101] for Windows with Authentication Manager 8.1 SP1 or later versions

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Jan 21, 2019
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000032860
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.2.1[101]
Platform: Windows
O/S Version: 7 Professional (64-bit)
  • Offline days are not refreshing on RSA Authentication Agent 7.2.1 [101] for Windows with Authentication Manager 8.1 SP1 or later versions.
  • Offline days refresh fails with the follwong message:

DaSvcProofDownloader::processDLTicket: receiver failed.  

  • The problem may be intermittent.
  • The workaround may be to delete all offline days.

Engineering has been looking into various offline authentication (OA) or Disconnected Authentication (DA) problems with RSA Authentication Agent 7.2.1.   Invalid proof errors have been fixed in 7.2.1[101].
The /opt/rsa/am/server/logs/imsTrace.log will list repeating capital As (as shown below), which could be indicative of a bad or corrupt server.cer file on the agent.  The server.cer file contains the public key used to encrypt traffic from the agent to the Authentication Manager server, typically on TCP port 5580. 

The exact symptom looks like the log snippet below from the DAService(da_svc).log file that is written on the Windows agent machine when verbose logging enabled:

AAAA= Agent number of retries: 5  
 Agent time-out between retries: 5  
 Authentication port: 5500  
 Authentication service: "securid"
2016-04-05 17:34:21,586, [AutoRegConnectionHandler2], (AutoRegSessionImpl.java:135), trace.com.rsa.authmgr.internal.agentreg.msgprocessor.AutoRegSessionImpl,
INFO, myserver.domain.com,,,,SSL handshake fails:
javax.net.ssl.SSLException: MAC data does not match.

CauseThis error is due to a corrupt server.cer on the Windows agent machine.

Replace the server.cer

Replace the server.cer in one of two ways:

  1. Replace the C:\Program Files\RSA\RSA Authentication Agent\Agenthost Autoreg Utility\server.cer file on the Windows 7.2.1[101] agent with the server.cer from another agent machine.


  1. Obtain a valid new copy from the Security Console  by navigating to Access > Authentication Agents > Download Server Certificate File.



  1. Download the new certificate.  From Windows File Manager the file will be 1kb in size, but from the command prompt it should show a file size of around 637 bytes. 

There was a known issue with Authentication Manager 7.1 where the certificate download tacks onto the end of the certificate an additional 52 KB of HTML with embedded JavaScript. This has not been causing an issue with the Authentication Agent 7.2 for Windows but is an issue for the newer Authentication Agent 7.3 for Windows, which uses TLSv1.2 as its SSL protocol.  This should be no problem with Authentication Manager  8.1 SP1.

  1. Replace the existing server.cer in C:\Program Files\RSA\RSA Authentication Agent\Agenthost Autoreg Utility with the one downloaded above.
  2. Reboot so the new certificate will take effect.
  3. On the Authentication Manager primary, open the Real Time Authenitcation Activity Monitor (Reporting > Real Time Activity Monitors > Authentication Activity Monitor and click Start Monitor.
  4. Perform a few successful test authentications in the RSA Control Center to ensure the agent is working, then test OA.
WorkaroundClear all offline days and then logon.
NotesTo enable agent verbose logging in the RSA Control Center,
  1. Log in as an administrator.
  2. From Home, select Advanced Tools.
  3. Select Tracing.
  4. On the Tracing page, set the Trace Level to Verbose.
  5. Use the default trace file destination folder or click Browse to select a different location.
  6. For Selected Components, check Select All.
  7. When done, click OK.