000031557 - Users cannot perform Next Tokencode Mode (NTCM) or New Pin Mode (NPM) authenticating with IBM WebSeal in RSA Authentication Manager 6.1

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000031557

Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 6.1
Platform: IBM WebSEAL 6.1.1.x
Platform (Other): IBM Security Access Manager (formerly called IBM Tivoli Access Manager)

Issue
Users cannot complete Next Tokencode Mode (NTCM) or New PIN Mode (NPM) when authenticating through IBM WebSEAL.
Normal authentications work fine.
WebSEAL uses the RSA PAM agent underneath. NTCM and NPM work fine with the PAM acetest utility.
Therefore, the problem is specific to using WebSEAL.

Cause
IBM WebSEAL is not configured with the session setting that the RSA Agent API needs to complete multi-transaction authentications (NTCM and NPM).

Resolution
To resolve the issue, follow the steps below.
  1. Create a new setting in the WebSEAL configuration:
    create-unauth-sessions = yes

  2. Restart the WebSEAL application.
NTCM and NPM authentications can then complete successfully.
 
Notes
The create-unauth-sessions = yes setting only works in WebSEAL version 6.1.1.9 or later.
If consulting with IBM Support, reference "IBM PMR 40092,122,000" for more information.
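
A check for the two conditions above (the setting is active, and the WebSEAL version is 6.1.1.9 or later), as an added example that is not part of the RSA article or of IBM's tooling. The sample configuration is constructed, and the [session] stanza name in it is an assumption; the article does not say which stanza holds the setting.

```python
import re

KEY = "create-unauth-sessions"   # setting named in the Resolution
MIN_VERSION = (6, 1, 1, 9)       # minimum WebSEAL version from the Notes

# Constructed sample; the [session] stanza name is an assumption, the article
# does not say which stanza holds the setting.
SAMPLE_CONF = """\
[server]
https = yes

[session]
# create-unauth-sessions = no
create-unauth-sessions = yes
"""

def parse_version(text):
    """'6.1.1.10' -> (6, 1, 1, 10), so 6.1.1.10 compares above 6.1.1.9."""
    return tuple(int(part) for part in text.strip().split("."))

def find_settings(conf_text, key=KEY):
    """Return [(stanza, value)] for every active (uncommented) 'key = value' line."""
    stanza, hits = None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or commented-out line
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1).strip()
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            hits.append((stanza, value.strip()))
    return hits

def check(conf_text, version):
    """Return a list of problems; an empty list means both conditions hold."""
    problems = []
    if parse_version(version) < MIN_VERSION:
        problems.append(f"WebSEAL {version}: {KEY} only works in 6.1.1.9 or later")
    hits = find_settings(conf_text)
    if not hits:
        problems.append(f"{KEY} is not set (missing or commented out)")
    problems += [f"[{s}] {KEY} = {v!r}, expected 'yes'"
                 for s, v in hits if v.lower() != "yes"]
    return problems

if __name__ == "__main__":
    print(check(SAMPLE_CONF, "6.1.1.9") or "OK")
```

The version is compared numerically per component, so a later fix level such as 6.1.1.10 is not mistaken for one older than 6.1.1.9.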
