000022886 - File information of sdconf.rec, sdopts.rec and sdstatus.12 files in RSA ACE/Server and RSA Authentication Manager

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000022886
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
IssueThis article provides file information on the sdconf.rec, sdopts.rec and sdstatus.12 files in RSA ACE/Server and RSA Authentication Manager.

The sdconf.rec file

The sdconf.rec file is an encrypted configuration record file that specifies how the agent is to communicate with the RSA Authentication Manager realm. The file specifies four servers by IP address: F
  • First, a replica server that can act as a version Legacy Master Server;
  • Second, a replica server that can act as a version Legacy Slave Server;
  • Third, the server on which the sdconf.rec file was prepared; and
  • Fourth, the primary Server in the realm.
For version 4.x agents, only the first two servers specified in the sdconf.rec are used. For version 5.x and 6.x agents, all of the servers can be used, but the first two IP addresses can also be specified as alternate IP addresses (aliases) which allow authentication requests to be sent to those servers through firewalls.
When an RSA administrator creates an sdconf.rec file for 5.x and 6.x agent(s), the actual IP addresses of all servers known to be in the realm (up to 11 in all), as well as up to three alias IP addresses for each server, are collected from the server database and compiled into a list known as the server list. One purpose of the list is to ensure that the agent can make its initial server connections. As the sdconf.rec file is generated, the server list is included with the other information in the file. After the file is created, an administrator must copy the sdconf.rec file to the agent for use by the agent.
NOTE: You do not have to replace an agent's sdconf.rec file. As long as the acting master and slave servers specified in each RSA agent's sdconf.rec file are still reachable by the 4.x agents, they will continue to function normally. In the case of 5.x and 6.x agents, you do not have to replace their sdconf.rec files because they obtain the latest Sserver list from any 5.x and 6.x server that validates their authentication requests.

The sdstatus.12 file

The sdstatus file is an encrypted internal record for the agent that specifies its last known status, including its settings for communicating with servers in the realm. It also contains a timestamp value for both the sdconf.rec and the sdopts.rec. When the agent starts, it immediately reads the sdstatus file to determine what has changed since the agent was last started. If neither the sdconf.rec nor the sdopts.rec has changed since the last startup, the agent will process authentication requests according to the information it reads in the sdstatus. If the agent determines that its sdstatus timestamp for the sdconf.rec no longer matches the timestamp of the sdconf.rec file, the agent reads the latest information into the sdstatus file from the new or changed sdconf.rec file and discards any previous sdstatus information. Any existing sdopts.rec priority setting information is also discarded because the sdconf.rec file has changed. If the agent determines that its sdstatus timestamp for sdopts.rec no longer matches the timestamp of the sdopts.rec file, the agent discards its previous sdstatus information and reads the latest information from the new or changed sdopts.rec file into sdstatus. After processing the sdstatus information, the agent waits for its first authentication request.

How the sdconf.rec and sdstatus.12 files are used by RSA agents

The RSA agent sends its first authentication request randomly to any of the servers listed in its sdconf.rec file. When a 5.x and 6.x server validates the request, the agent will request the latest server list from that server. After the server sends its latest list to the agent, the agent stores the list information in its sdstatus file.

The sdopts.rec file

The agent also checks the IP addresses of servers specified in its sdopts.rec file against this latest server list. Each server specified in sdopts.rec must be listed by IP address in either the sdconf.rec file or on the server list. Otherwise, the server is considered by the agent to be an unknown server that cannot receive authentication requests. A message is also recorded about the server with status of Unknown in the trace log on the agent host.
As it checks the IP addresses, the agent will set its server priorities based on the those specified by the USESERVER or AVOIDSERVER keywords in the sdopts.rec file,which have been copied to sdstatus. If those keywords are not present, the agent computes priorities by comparing server response times, as found in sdstatus. Thereafter, the agent sends authentication requests based on its set priorities until the next time the agent is restarted.
The ALIASES keyword in the sdopts.rec file helps a version 5.x and 6.x  agent make successful network connections to the ACE/Server or Authentication Manager server when authentication requests must be sent to those servers through firewalls. The agent checks the alternate IP addresses (aliases) specified in the sdopts.rec file against its latest server list. If the aliases are valid, the agent will send authentication requests to those aliases, in addition to the alias IP addresses specified in sdconf.rec and on the server list.
For more information, see the following solutions:
  • How to configure RSA ACE/Agent and Authentication Agent through firewalls using Network Address Translation (NAT) and ALIAS
  • How to set an IP address override for an RSA ACE/Agent and RSA Authentication Agent
Legacy Article IDa2753