- Offline days are not refreshing on RSA Authentication Agent 7.2.1 for Windows with Authentication Manager 8.1 SP1 or later versions.
- Offline days refresh fails with the following message:
DaSvcProofDownloader::processDLTicket: receiver failed.
- The problem may be intermittent.
- The workaround may be to delete all offline days.
Engineering has been looking into various offline authentication (OA) or Disconnected Authentication (DA) problems with RSA Authentication Agent 7.2.1. Invalid proof errors have been fixed in 7.2.1.
The /opt/rsa/am/server/logs/imsTrace.log will list repeating capital As (as shown below), which could be indicative of a bad or corrupt server.cer file on the agent. The server.cer file contains the public key used to encrypt traffic from the agent to the Authentication Manager server, typically on TCP port 5580.
The exact symptom looks like the log snippet below from the DAService(da_svc).log file that is written on the Windows agent machine when verbose logging is enabled:
.ServerList, INFO, myserver.domain.com,,,,Server list is: |AAAAAgAAAABBNzBUQ1JQUEFDRTAxLmE3MGFkb20uYmNic3NjLmNvbQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAA. . . repeating As until end. . .
AAAA= Agent number of retries: 5
Agent time-out between retries: 5
Authentication port: 5500
Authentication service: "securid"
2016-04-05 17:34:21,586, [AutoRegConnectionHandler2], (AutoRegSessionImpl.java:135), trace.com.rsa.authmgr.internal.agentreg.msgprocessor.AutoRegSessionImpl,
INFO, myserver.domain.com,,,,SSL handshake fails:
javax.net.ssl.SSLException: MAC data does not match.
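A log check for the symptom pair shown above, added here as an example and not RSA's own tooling: it scans lines in the layout of the snippet for a server list padded with a long run of As and for an SSL handshake failure followed by the MAC mismatch exception. The 64-character threshold, the three-line lookahead, reading the host name from the field after INFO, and the example.com host names are assumptions.

```python
import re
from collections import defaultdict

# Thresholds are assumptions for this example, not values from RSA documentation.
MIN_A_RUN = 64   # unbroken run of 'A' in the server list treated as suspicious
LOOKAHEAD = 3    # lines after "SSL handshake fails:" searched for the exception

SERVER_LIST = re.compile(r"INFO,\s*([^,\s]+),.*Server list is: \|(\S+)")
HANDSHAKE = re.compile(r"INFO,\s*([^,\s]+),.*SSL handshake fails:")
MAC_ERROR = "javax.net.ssl.SSLException: MAC data does not match"

def longest_a_run(text):
    """Length of the longest unbroken run of capital 'A' in text."""
    return max((len(run) for run in re.findall(r"A+", text)), default=0)

def scan_trace(lines):
    """Return {host field: set of symptom names} found in the given log lines."""
    symptoms = defaultdict(set)
    for i, line in enumerate(lines):
        m = SERVER_LIST.search(line)
        if m and longest_a_run(m.group(2)) >= MIN_A_RUN:
            symptoms[m.group(1)].add("padded_server_list")
        m = HANDSHAKE.search(line)
        if m and any(MAC_ERROR in nxt for nxt in lines[i + 1:i + 1 + LOOKAHEAD]):
            symptoms[m.group(1)].add("ssl_mac_mismatch")
    return dict(symptoms)

def suspect_server_cer(symptoms):
    """Host fields showing both symptoms: candidates for a server.cer check."""
    both = {"padded_server_list", "ssl_mac_mismatch"}
    return sorted(host for host, seen in symptoms.items() if both <= seen)

# Constructed sample lines in the layout shown above (host names are placeholders).
SAMPLE = [
    ".ServerList, INFO, host1.example.com,,,,Server list is: |AAAAAg" + "A" * 200,
    "2016-04-05 17:34:21,586, [AutoRegConnectionHandler2], (AutoRegSessionImpl.java:135), "
    "trace.com.rsa.authmgr.internal.agentreg.msgprocessor.AutoRegSessionImpl,",
    "INFO, host1.example.com,,,,SSL handshake fails:",
    "javax.net.ssl.SSLException: MAC data does not match.",
    ".ServerList, INFO, host2.example.com,,,,Server list is: |AAAAAgBzZXJ2ZXI=",
]

if __name__ == "__main__":
    found = scan_trace(SAMPLE)
    print("Check server.cer for:", suspect_server_cer(found))
```

To run it against a real trace, pass the file's lines to `scan_trace`, for example `scan_trace(open(path).read().splitlines())`.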
Replace the server.cer
Replace the server.cer in one of two ways:
- Replace the C:\Program Files\RSA\RSA Authentication Agent\Agenthost Autoreg Utility\server.cer file on the Windows 7.2.1 agent with the server.cer from another agent machine.
- Obtain a valid new copy from the Security Console by navigating to Access > Authentication Agents > Download Server Certificate File.
- Download the new certificate. From Windows File Manager the file will be 1 KB in size, but from the command prompt it should show a file size of around 637 bytes.
- Replace the existing server.cer in C:\Program Files\RSA\RSA Authentication Agent\Agenthost Autoreg Utility with the one downloaded above.
- Reboot so the new certificate will take effect.
- On the Authentication Manager primary, open the Real Time Authentication Activity Monitor (Reporting > Real Time Activity Monitors > Authentication Activity Monitor) and click Start Monitor.
- Perform a few successful test authentications in the RSA Control Center to ensure the agent is working, then test OA.
Notes: To enable agent verbose logging in the RSA Control Center:
- Log in as an administrator.
- From Home, select Advanced Tools.
- Select Tracing.
- On the Tracing page, set the Trace Level to Verbose.
- Use the default trace file destination folder or click Browse to select a different location.
- For Selected Components, check Select All.
- When done, click OK.