000029654 - Authentication Manager 8.1 RADIUS unreachable or initiating data transfer after changing IP address of the replica server

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000029654
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
 
Issue: After successfully changing the IP address of the replica server on Authentication Manager 8.1, RADIUS replication is broken. The replica RADIUS server is shown as "unreachable" or "Initiating data transfer". Clicking "Initiate Replication" changes the status to "Initiating data transfer" for a long time. After refreshing the page, the status again becomes "unreachable."
Cause: After the IP address of the replica server is changed, replica.ccmpkg does not recognize the new IP address and retains the old one.
Navigate to the /opt/rsa/am/radius directory and open the replica.ccmpkg file. You will find that the IP_ADDRESS value is the old IP address rather than the new one. A sample is below:
 
<ccmChunk length = "117" type = "text/xml"/>
<documents><document name = 'managed' type = 'monolith'><source base = 'documents'></source></document></documents>
<ccmChunk length = "244" type = "text/xml"/>
<managed>
<ccm address = '<old_IP_address>' encryptedSecret = '{fsw} 1,eee7eb5fec97b8b34dfc3c6cefe99b96527d4086eb4acd4957ce74d11d49d2cfb1f81351d54e63ab27f1e756bd8460d9'
id = 'am81p.vcloud.local' port = '1812' url = '/ccm-update'>
</ccm>
</managed>

If you run the sbrsetuptool script on the primary and then on the replica, the issue will be resolved for some time, but after restarting the services or rebooting, replica.ccmpkg will again hold the old IP address.
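Because the stale address can return after a service restart or reboot, the check described above can be scripted and rerun afterwards. The following is an added example, not RSA code: the function names are hypothetical, the file layout is assumed to match the sample above, and the sample data is constructed.

```shell
#!/bin/sh
# Added example (not RSA code): detect a stale address in a .ccmpkg file.
# Assumption: the file follows the sample layout above, with one <ccm ...>
# element whose attribute is written as  address = '<ip>'.

# Print the address attribute of the <ccm> element (empty if none).
ccm_address() {
    # Join lines first so attributes wrapped onto a second line are handled;
    # "<ccm" must be followed by whitespace so <ccmChunk ...> is not matched.
    tr '\n' ' ' < "$1" |
        sed -n "s/.*<ccm[[:space:]][^>]*address[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p"
}

# Exit status: 0 address matches, 1 stale address, 2 file unreadable/unparsable.
check_ccmpkg() {
    pkg=$1; expected=$2
    [ -r "$pkg" ] || { echo "cannot read $pkg" >&2; return 2; }
    found=$(ccm_address "$pkg")
    [ -n "$found" ] || { echo "no ccm address found in $pkg" >&2; return 2; }
    if [ "$found" = "$expected" ]; then
        echo "OK: $pkg -> $found"
        return 0
    fi
    echo "STALE: $pkg -> $found (expected $expected)"
    return 1
}

# Constructed sample modelled on the article's excerpt; 192.0.2.x are
# documentation addresses and the secret is a placeholder.
write_sample_ccmpkg() {
    cat > "$1" <<'EOF'
<ccmChunk length = "244" type = "text/xml"/>
<managed>
<ccm address = '192.0.2.10' encryptedSecret = '{fsw} 1,PLACEHOLDER'
id = 'am81p.example.test' port = '1812' url = '/ccm-update'>
</ccm>
</managed>
EOF
}

# Demo on the constructed sample: 192.0.2.20 stands in for the address expected after the change.
sample=$(mktemp)
write_sample_ccmpkg "$sample"
check_ccmpkg "$sample" 192.0.2.20 || echo "exit status $?: address is stale"
rm -f "$sample"
```

On an appliance the call would be check_ccmpkg /opt/rsa/am/radius/replica.ccmpkg followed by the address expected after the change; a non-zero status after a restart indicates the condition described above has returned.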
Resolution: To resolve the issue, run the sbrsetuptool on the primary Authentication Manager server:
  1. Log in to the Authentication Manager primary server via SSH, vSphere or direct connection.
  2. Navigate to /opt/rsa/am/server.
  3. Stop the RADIUS service with the command ./rsaserv stop radius.
  4. Navigate to /opt/rsa/am/utils.
  5. Obtain the RADIUS secret with the command ./rsautil manage-secrets -a listall.  Look for the value of the com.rsa.radius.replication.secret.
  6. Navigate to /opt/rsa/am/radius.
  7. Run the command ./sbrsetuptool -identity PRIMARY -secret <value of the com.rsa.radius.replication.secret>
  8. Navigate to /opt/rsa/am/server.
  9. Start the RADIUS service with the command ./rsaserv start radius.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter OS user password>
Last login: Wed Oct  7 16:30:21 2015 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am81p:~> cd /opt/rsa/am/server
rsaadmin@am81p:/opt/rsa/am/server> ./rsaserv stop radius
Stopping RSA RADIUS Server: **
RSA RADIUS Server                                          [SHUTDOWN]
rsaadmin@am81p:/opt/rsa/am/server> cd ../utils
rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a listall
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
com.rsa.radius.replication.secret .....................: rhVmupDx0J
rsaadmin@am81p:/opt/rsa/am/utils> cd ../radius
rsaadmin@am81p:/opt/rsa/am/radius> ./sbrsetuptool -identity PRIMARY -secret rhVmupDx0J
rsaadmin@am81p:/opt/rsa/am/radius> cd ../server
rsaadmin@am81p:/opt/rsa/am/server> ./rsaserv start radius
Starting RSA Administration Server with Operations Console:  
RSA Database Server                                        [RUNNING]
Starting RSA Database Server:
RSA Administration Server with Operations Console          [RUNNING]
Starting RSA RADIUS Server Operations Console:
RSA RADIUS Server Operations Console                       [RUNNING]
Starting RSA Runtime Server: *
RSA Runtime Server                                         [RUNNING]
Starting RSA RADIUS Server: *
RSA RADIUS Server                                          [RUNNING]
rsaadmin@am81p:/opt/rsa/am/server>

Next, reconfigure RADIUS on the replica server(s).

  1. Log in to the Authentication Manager replica server via SSH, vSphere or direct connection.
  2. Navigate to /opt/rsa/am/server.
  3. Stop the RADIUS service with the command ./rsaserv stop radius.
  4. Navigate to /opt/rsa/am/config.
  5. Run the command ./config.sh RadiusOCConfig.configure.  
  6. Navigate to /opt/rsa/am/server.
  7. Start the RADIUS service with the command ./rsaserv start radius.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter OS user password>
Last login: Wed Oct  7 17:25:01 2015 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am81r:~> cd /opt/rsa/am/server
rsaadmin@am81r:/opt/rsa/am/server> ./rsaserv stop radius
Stopping RSA RADIUS Server: **
RSA RADIUS Server                                          [SHUTDOWN]
rsaadmin@am81r:/opt/rsa/am/server> cd ../config
rsaadmin@am81r:/opt/rsa/am/config> ./config.sh RadiusOCConfig.configure
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
rsaadmin@am81r:/opt/rsa/am/config> cd ../server
rsaadmin@am81r:/opt/rsa/am/server> ./rsaserv start radius
Starting RSA Administration Server with Operations Console: 
RSA Database Server                                        [RUNNING]
Starting RSA Database Server:
RSA Administration Server with Operations Console          [RUNNING]
Starting RSA RADIUS Server Operations Console:
RSA RADIUS Server Operations Console                       [RUNNING]
Starting RSA Runtime Server: *
RSA Runtime Server                                         [RUNNING]
Starting RSA RADIUS Server: *
RSA RADIUS Server                                          [RUNNING]
rsaadmin@am81r:/opt/rsa/am/server>



Now launch the Security Console from the primary server. Choose RADIUS > RADIUS Server and click Initiate Replication. When done, the replication status should show as Synchronized.
