000032022 - Backup restore from different Authentication Manager 8.x breaks Agent API 8.5 agents including Via Access

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000032022
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
Platform: VMware
O/S Version: ESXi 5.0
 
Issue

After restoring a backup from another AM server in the Operations Console, existing Agent API 8.5 agents, which use TCP (Transmission Control Protocol) port 5500, stop working. Nothing appears in the AM authentication logs, and no authentication request is sent from the Agent API 8.5 agent to the AM server.
imstrace.log (with tracing set to verbose) shows:

2015-11-17 19:34:50,954, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'],
(AgentConfigPolicyAdministrationImpl.java:17), trace.com.rsa.authmgr.internal.admin.configmgt.impl.AgentConfigPolicyAdministrationImpl,
DEBUG, rsa8.<domain>.com.local,,,,
Processing request for agent configuration.

 
2015-11-17 19:34:50,954, [[ACTIVE] ExecuteThread: '0' for queue:
'weblogic.kernel.Default (self-tuning)'],
(AgentConfigPolicyAdministrationImpl.java:17),
trace.com.rsa.authmgr.internal.admin.configmgt.impl.AgentConfigPolicyAdministrationImpl,
DEBUG, rsa8.<domain>.com.local,,,,
Agent with the given name: 192.168.1.251 was found.

  
2015-11-17 19:34:50,955, [[ACTIVE] ExecuteThread: '0' for queue:
'weblogic.kernel.Default (self-tuning)'], (DataObjectAccessSql.java:932),
trace.com.rsa.authmgr.internal.admin.common.dal.sql.DataObjectAccessSql, INFO, rsa8.<domain>.com.local,,,,
Executing HQL: select dataObject from com.rsa.authmgr.internal.admin.configmgt.dal.AgentConfigPolicy as dataObject where dataObject.realmDefault = :param1

  
2015-11-17 19:34:50,956, [[ACTIVE] ExecuteThread: '0' for queue:
'weblogic.kernel.Default (self-tuning)'], (AgentConfigPolicyAdministrationImpl.java:17),
trace.com.rsa.authmgr.internal.admin.configmgt.impl.AgentConfigPolicyAdministrationImpl,
DEBUG, rsa8.<domain>.com.local,,,,
Agent configuration update is required for agent 192.168.1.251 as a new copy was found.

Cause

If you import or restore a database from another AM 8.x server, this will:
1. Change your internal database Super Admin account and password to those of the AM 8.1 instance the backup came from.
2. Change your ocadmin account and password to those of the AM 8.1 instance the backup came from.
3. Add an inactive console certificate from the AM 8.1 instance the backup came from, including its Root CA. Your consoles will still work, but your accounts have changed.
4. Change the agent certificate shown in Security Console - Setup - System - Agents (IPv6 section): the agent certificates are now those from the restored database, that is, from the AM 8.1 instance the backup came from.
5. Break any API 8.5 agents (including Via Access) that existed before the database restore, because they are still encrypting with the original AM agent certificates; the agent cannot build the SSL connection and therefore never sends an authentication request.
6. Make every sdconf.rec generated from now on contain the Root CA of the AM 8.1 instance the backup came from.

 

Resolution

To get your old Agent API 8.5 agents working again, generate and download a new sdconf.rec for each of those agents. I updated Setup - System - Agents, IPv6, even though no changes were made, and still got a green Success. Or you may need to run autoRebalance to be safe.
Workaround

If you do not want the new API 8.5 agents from the imported/restored database, you can import the original agent certificate back into your AM 8.1 server.
Notes

The Root CA (Certificate Authority) certificate is included in the sdconf.rec file and is used by Agent API v8.5 agents, that is, the TCP 5500 authentication traffic (including Via Access agents), as opposed to the old UDP 5500 authentication traffic.
When you restore one AM 8.1 database to another AM 8.1 server, there is confusion over which Root CA to use in the sdconf.rec: the one originally created at deployment, or the one in the restored backup. Therefore restoring an AM 8.1 backup from another system breaks any TCP 5500 Agent API 8.5 traffic.
To fix this situation, you must extract the Root CA certificate from the original AM 8.1 backup and import it into the new AM 8.1 server under Security Console - Setup - System - Agents:
1. At the top of the Security Console - Setup - System - Agents page, next to "To configure agents using IPv6", click the "click here" link.
2. Scroll down to the bottom of the page, to the Existing Certificate Details section. This shows the current Root CA information from the original deployment of this AM server.
3. Use Import Certificate of the New Primary Server: [Choose File] to import the original Root CA.
Note: The screen says '(Use for migrating the agents to the new deployment)'. This is vaguely documented in the Admin 8.1 Guide, under Configure an IPv4/IPv6 Agent, where it says:
8. (Optional) In the Import Certificate of the New Primary Server field, click Browse to locate and import a new root certificate.
Note: You are required to import a new root certificate only if you are migrating agents to a new deployment. This feature supports migrations from RSA Authentication Manager 8.0 to future versions of Authentication Manager.
To obtain the Root CA from the original AM 8.1 server, use openssl with the -showcerts option (this works even from the server itself over SSH):

openssl s_client -showcerts -connect <name_IPaddr>:7004

Copy and paste the certificate into Notepad and save it as a .cer file. Make sure it has
-----BEGIN CERTIFICATE-----  as the first line
and
-----END CERTIFICATE-----  as the last line.
Alternatively, extract the Root CA from an sdconf.rec that the original server generated before the restore:
  • Edit sdconf.rec with Notepad++.
  • Scroll down past the encrypted characters to the bottom and enable word wrap.
  • Look for the delimiter with X509 in it:
 
xmlns:bootstrap="http://www.rsa.com/schemas/2008/05/CommonAPI/bootstrap"><bootstrap:ServiceKeys><bootstrap:X509Certificate>


Between the opening <bootstrap:X509Certificate> tag and the closing </bootstrap:X509Certificate> tag is the base64 body of the certificate, one long run of characters; copy it to the clipboard.

 
Paste it into Notepad, add -----BEGIN CERTIFICATE----- as the first line and -----END CERTIFICATE----- as the last line, like this:
-----BEGIN CERTIFICATE----- 
<base64 certificate body copied from sdconf.rec>
-----END CERTIFICATE-----
Save it with the .cer file type. Open it with Microsoft Crypto Shell Extensions to read the certificate information, or optionally paste it into a certificate-decoding web site.
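The manual extract-and-wrap steps above, as an added example (not RSA's tooling and not from the original article): it pulls the base64 body out of the <bootstrap:X509Certificate> element, writes the PEM .cer file, and prints a SHA-256 fingerprint you can compare against the Root CA shown under Existing Certificate Details before importing. The sdconf.rec contents are a constructed stand-in, and the "certificate" in it is a dummy DER SEQUENCE rather than a real X.509 certificate.

```python
import base64
import hashlib
import re

# Element names are taken from the sdconf.rec XML fragment quoted above.
CERT_RE = re.compile(
    rb"<bootstrap:X509Certificate>\s*(.*?)\s*</bootstrap:X509Certificate>", re.DOTALL
)

def extract_root_ca_b64(sdconf_bytes: bytes) -> str:
    """Return the base64 Root CA body found in sdconf.rec, with all whitespace removed."""
    m = CERT_RE.search(sdconf_bytes)
    if not m:
        raise ValueError("no <bootstrap:X509Certificate> element found in sdconf.rec")
    return re.sub(rb"\s+", b"", m.group(1)).decode("ascii")

def to_pem(b64_body: str) -> str:
    """Wrap the base64 body in PEM armor at 64 characters per line, the layout openssl expects."""
    der = base64.b64decode(b64_body, validate=True)
    if not der or der[0] != 0x30:  # a DER certificate always starts with an ASN.1 SEQUENCE tag
        raise ValueError("decoded data does not look like a DER certificate")
    lines = [b64_body[i:i + 64] for i in range(0, len(b64_body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def sha256_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the certificate, in the colon-separated form openssl prints."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed stand-in for a real sdconf.rec: some opaque bytes, then the bootstrap
# XML. The "certificate" is a 5-byte DER SEQUENCE, not a real X.509 certificate.
SAMPLE_SDCONF = (
    b"\x00\x01\x02 opaque encrypted section ...\n"
    b'<bootstrap:ServiceKeys xmlns:bootstrap="http://www.rsa.com/schemas/2008/05/CommonAPI/bootstrap">'
    b"<bootstrap:X509Certificate>\nMAMCAQU=\n</bootstrap:X509Certificate>"
    b"</bootstrap:ServiceKeys>"
)

if __name__ == "__main__":
    pem = to_pem(extract_root_ca_b64(SAMPLE_SDCONF))
    with open("original_root_ca.cer", "w") as f:  # the .cer file to import in the Security Console
        f.write(pem)
    print(pem)
    print("SHA256 Fingerprint=" + sha256_fingerprint(pem))
```

The same fingerprint can be produced with openssl x509 -in original_root_ca.cer -noout -fingerprint -sha256, so the file written here can be checked against the certificate obtained via openssl s_client before either is imported.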
