000011967 - RSA SecurID Authentication Agent for Apache: login page is looping

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000011967
Applies To: Redhat (all revs & bit)
Issue

RSA SecurID Authentication Agent for Apache: login page is looping
When the real time authentication monitor is running, the user login attempt is successful, but after hitting the continue key the user is redirected back to the SecurID login page.
Cause

In this instance, the socket file logoffCookieSocket, which is created and maintained by the RSA agent software, has been inadvertently removed.  This socket file must be present, and must be located in $APACHEHOME/rsawebagent.  The file is created on the first start of Apache after the agent software is installed.  It must not be removed, moved, or otherwise modified.

Note: this is just one cause of this particular problem.  The problem can also be proxy or load balancer related, as the rsa-local cookie must be present and maintained throughout the user's session.  If the rsa-local cookie is stripped by a misconfigured proxy or load balancer, the user will also be redirected back to the login page.

Resolution

Before running this process, run the ./config program from the $APACHEHOME/rsawebagent directory and record your current settings!

1) Stop Apache

2) cd $APACHEHOME/rsawebagent

3) Uninstall the agent by running ./uninstall

4) Reinstall the agent

5) restart Apache - this will create the socket file again.

6) It is not necessary to redo the sdconf.rec or agent record on the server.

NOTE: it is not possible to manually recreate a logoffCookieSocket file.

Notes

A socket file is unique to UNIX, and is a special file used for inter-process communication. Socket files facilitate communication between two processes. In addition to sending data, processes can send file descriptors across a UNIX domain socket connection using the sendmsg() and recvmsg() system calls. Unlike named pipes, sockets are fully duplex-capable.  A socket file is identified by the "s" at the start of the mode listing for the file, for example:

[root@badboy rsawebagent]# ls -al logoffCookieSocket
srwxrwxrwx 1 root root 0 Jan 30 14:03 logoffCookieSocket
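
The check below is an added example, not part of the original article or RSA's tooling: it classifies the state of logoffCookieSocket with the shell's -S (is a socket) test and compares two saved HTTP header dumps for the rsa-local cookie. The function names and the header capture files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not RSA's tooling. Triage for the two causes on this page.

# check_logoff_socket DIR  (DIR is assumed to be $APACHEHOME/rsawebagent)
# Prints a state word; returns 0 ok, 1 missing, 2 not-a-socket, 3 no-agent-dir.
check_logoff_socket() {
    sock="$1/logoffCookieSocket"
    if [ ! -d "$1" ]; then echo "no-agent-dir"; return 3; fi
    if [ -S "$sock" ]; then echo "ok"; return 0; fi
    # Something exists at the path but is not a socket, e.g. a file made by
    # touch; the page notes the socket cannot be recreated by hand.
    if [ -e "$sock" ] || [ -L "$sock" ]; then echo "not-a-socket"; return 2; fi
    echo "missing"; return 1
}

# has_rsa_local_cookie FILE
# FILE is a saved HTTP header dump (for instance from curl -D). Returns 0 when
# a Set-Cookie or Cookie header names rsa-local (name taken from this page).
has_rsa_local_cookie() {
    grep -Eiq '^(set-)?cookie:.*rsa-local' "$1"
}

# triage AGENT_DIR [DIRECT_HEADERS VIA_PROXY_HEADERS]
# The two header files are hypothetical captures of the same request made
# straight to Apache and through the proxy or load balancer.
triage() {
    state=$(check_logoff_socket "$1") || true
    case $state in
        ok) echo "socket: present" ;;
        no-agent-dir) echo "socket: agent directory not found"; return 3 ;;
        *)  echo "socket: $state -> follow the Resolution steps"; return 1 ;;
    esac
    [ $# -ge 3 ] || return 0
    if has_rsa_local_cookie "$2" && ! has_rsa_local_cookie "$3"; then
        echo "cookie: rsa-local seen direct but not via proxy -> check proxy/LB"
        return 2
    fi
    echo "cookie: no difference between direct and proxied headers"
}

# Run only when APACHEHOME is set, so sourcing the file has no side effects.
if [ -n "${APACHEHOME:-}" ]; then
    triage "$APACHEHOME/rsawebagent" "$@" || true
fi
```

A "not-a-socket" result means a regular file or other object is sitting at the socket's path, which is treated the same as a missing socket.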

Legacy Article ID: a57229
