Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
O/S Version: ESXi 5.0
After restoring a backup from another AM server in the Operations Console, existing Agent API 8.5 agents, which use TCP (Transmission Control Protocol) port 5500, stop working. Nothing shows in the AM authentication logs: no authentication request is sent from the Agent API 8.5 agent to the AM server.
2015-11-17 19:34:50,954, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'],
2015-11-17 19:34:50,954, [[ACTIVE] ExecuteThread: '0' for queue:
2015-11-17 19:34:50,955, [[ACTIVE] ExecuteThread: '0' for queue:
2015-11-17 19:34:50,956, [[ACTIVE] ExecuteThread: '0' for queue:
If you import/Restore a database from another AM 8.x Server, this will;
Resolution: To get your old Agent API 8.5 agents to work, generate and download a new sdconf.rec for each of those agents. I updated Setup - System - Agents, IPv6, even though no changes were made, and still got a green Success. Or you may need to autoRebalance to be safe.
Workaround: If you do not want the new Agent API 8.5 agents from the imported/restored database, you can import the original Agent Certificate back into your AM 8.1 server.
Notes: The Root CA (Certificate Authority) certificate is included in the sdconf.rec file and is used by Agent API v8.5 agents, that is, the TCP 5500 authentication traffic (including Via Access agents), instead of the old UDP 5500 authentication traffic.
When you restore an AM 8.1 database onto another AM 8.1 server, there is confusion over which Root CA to use in the sdconf.rec: the one originally created at deployment, or the one in the restored backup. Therefore restoring an AM 8.1 backup from another system breaks any TCP port 5500 Agent API 8.5 traffic.
To fix this situation, you must extract the Root CA certificate from the original AM 8.1 backup and import it into the new AM 8.1 server under Security Console - Setup - System - Agents. At the top of this page is the link "To configure agents using IPv6, click here". Click that link.
Scroll down to the bottom of the page, under Existing Certificate Details.
There you can see the current Root CA info from the original deployment of this AM server.
Use "Import Certificate of the New Primary Server: [Choose File]" to import the original Root CA.
Note: The screen says "(Use for migrating the agents to the new deployment)". This is vaguely documented in the Admin 8.1 Guide, under Configure an IPv4/IPv6 Agent, where it says: 8. (Optional) In the Import Certificate of the New Primary Server field, click Browse to locate and import a new root certificate.
Note: You are required to import a new root certificate only if you are migrating agents to a new deployment. This feature supports migrations from RSA Authentication Manager 8.0 to future versions of Authentication Manager.
To obtain the Root CA from the original AM 8.1 server, use openssl with the -showcerts option; this can be run from the server itself over SSH:
openssl s_client -showcerts -connect <name_IPaddr>:7004
Copy and paste the certificate into Notepad and save it as a .cer file. Make sure it has -----BEGIN CERTIFICATE----- as the first line
and -----END CERTIFICATE----- as the last line, like this:
Between the start tag <bootstrap:X509Certificate>
and the end tag </bootstrap:X509Certificate>
is the certificate; copy it to the clipboard.
Paste it into Notepad, add -----BEGIN CERTIFICATE----- as the first line and -----END CERTIFICATE----- as the last line, like this:
Save it as a .cer file. Open it with Microsoft Crypto Shell Extensions to read the certificate info, or optionally paste it into a certificate tool web site.
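The manual Notepad steps above (pull the certificate out of the openssl -showcerts output or out of the bootstrap:X509Certificate element, wrap it in BEGIN/END lines, save as .cer) can be done in a small script, which also gives you the SHA-256 fingerprint to compare against the Existing Certificate Details shown in the Security Console before you import anything. The code below is an added example, not RSA's tooling or anything from the original article. The s_client output and the bootstrap XML it parses are constructed stand-ins (the base64 body is not a real X.509 certificate), and the file names and function names are this example's own.

```python
"""Extract a root CA from `openssl s_client -showcerts` output or from a
<bootstrap:X509Certificate> element, write it as a PEM .cer file, and print
its SHA-256 fingerprint for comparison with the console's certificate details.

All sample input below is constructed for this example; the certificate body
is base64 text in the right places, not a real X.509 certificate.
"""
import base64
import hashlib
import re

# Constructed stand-in for the DER bytes of the root CA (not a real cert).
SAMPLE_DER = b"constructed sample root CA bytes - not a real X.509 certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()

# Roughly what `openssl s_client -showcerts -connect <name_IPaddr>:7004` prints:
# one PEM block per certificate the server sent, leaf first. The last block is
# the highest certificate in the chain the server included; it is the root CA
# only if the server actually sends the root, so always check the fingerprint.
SAMPLE_SHOWCERTS = f"""CONNECTED(00000003)
depth=1 CN = constructed-root
 0 s:/CN=constructed-server
   i:/CN=constructed-root
-----BEGIN CERTIFICATE-----
{base64.b64encode(b"constructed leaf certificate bytes").decode()}
-----END CERTIFICATE-----
 1 s:/CN=constructed-root
   i:/CN=constructed-root
-----BEGIN CERTIFICATE-----
{SAMPLE_B64}
-----END CERTIFICATE-----
---
"""

# The same root CA as it appears between the bootstrap:X509Certificate tags
# named in the article; the enclosing element here is a constructed stub.
SAMPLE_BOOTSTRAP_XML = f"""<bootstrap:Config>
  <bootstrap:X509Certificate>
{SAMPLE_B64}
  </bootstrap:X509Certificate>
</bootstrap:Config>
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
XML_RE = re.compile(r"<bootstrap:X509Certificate>(.*?)</bootstrap:X509Certificate>", re.S)


def _strip(b64_text):
    """Drop all whitespace so the base64 body is a single string."""
    return "".join(b64_text.split())


def certs_from_showcerts(text):
    """Base64 body of every PEM block in s_client output, in printed order."""
    return [_strip(m) for m in PEM_RE.findall(text)]


def last_cert_from_showcerts(text):
    """The last PEM block printed, i.e. the issuer end of the chain the server sent."""
    certs = certs_from_showcerts(text)
    if not certs:
        raise ValueError("no PEM certificate block found in s_client output")
    return certs[-1]


def cert_from_bootstrap_xml(text):
    """Base64 body between the <bootstrap:X509Certificate> start and end tags."""
    m = XML_RE.search(text)
    if not m:
        raise ValueError("no <bootstrap:X509Certificate> element found")
    return _strip(m.group(1))


def der_bytes(b64_body):
    """Decode the base64 body back to the DER bytes the fingerprint is taken over."""
    return base64.b64decode(b64_body, validate=True)


def to_pem(b64_body):
    """PEM text: BEGIN line first, base64 wrapped at 64 columns, END line last."""
    lines = [b64_body[i:i + 64] for i in range(0, len(b64_body), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + "\n"


def sha256_fingerprint(b64_body):
    """Colon-separated SHA-256 over the DER bytes, as certificate viewers display it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der_bytes(b64_body)).digest())


def write_cer(path, b64_body):
    """Write the certificate as a .cer file that the console's Choose File dialog accepts."""
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        fh.write(to_pem(b64_body))
    return path


if __name__ == "__main__":
    root = last_cert_from_showcerts(SAMPLE_SHOWCERTS)
    print(to_pem(root))
    print("SHA-256:", sha256_fingerprint(root))
    # Same certificate recovered by the bootstrap XML route must match.
    assert sha256_fingerprint(cert_from_bootstrap_xml(SAMPLE_BOOTSTRAP_XML)) == sha256_fingerprint(root)
    write_cer("original_root_ca.cer", root)  # example file name
```

In real use, pipe the actual output of `openssl s_client -showcerts -connect <name_IPaddr>:7004` into `last_cert_from_showcerts`, and only import the resulting .cer once its fingerprint matches the Root CA that the original deployment's Existing Certificate Details page reports; a mismatch means the server sent an intermediate rather than the root, or you connected to the wrong deployment.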