000011634 - APP 3.0 and AM 7.1 (Unix platforms only): Permissions on $RSAHOME/radius *.act files do not match system umask (022) and are different between primary and replica

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000011634
Applies To: SecurID Appliance 3.0
RSA Authentication Manager 7.1
Issue: Radius accounting log files do not have correct permissions on the Replica server on SecurID Appliance 3.0 and Authentication Manager 7.1 running on UNIX platforms. They do not match the system umask (022) and are different between primary and replica.
Radius accounting file permissions do not match on Primary and Replica servers running on SecurID Appliance.
Radius accounting files on a Primary AM server are generated with different permissions compared to replica servers. While the umask is the same on all machines (0022), a long listing of the $RSAHOME/RSASecurity/RSAAuthenticationManager/radius/*.act files (the path will always be /usr/local/RSASecurity/RSAAuthenticationManager/radius on APP 3.0) shows:

Master -rw------- 1 root aceadmin
Replica -rw-r--r-- 1 root aceadmin
Resolution: The generic system umask is not applied to these accounting log files. Their permissions are instead controlled by the $RSAHOME/radius/account.ini file. Inside this configuration file, look for the parameter LogfilePermissions.

The default is:

[root@cs-appliance3-01 radius]# cat account.bak | grep -i logfile
;LogfilePermissions = owner:group mode ; UNIX only

This can be changed. For example, to have the files owned by rsaadmin:rsaadmin with mode 644, uncomment the line and change it to the following:

bash-3.00$ cat ../radius/account.ini | grep rsaadmin
LogfilePermissions = rsaadmin:rsaadmin 644

Please note, this will not take effect until either the current .act file rolls or the radius server is bounced.
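
To confirm that the primary and each replica end up with the same result, the following added example (not part of the original article or of RSA's tooling) reads the active LogfilePermissions line from account.ini and lists any *.act file whose mode differs from it. The function names and the script name are hypothetical, only the mode is checked (not ownership), and treating a trailing "; text" as a comment is an assumption based on the default line shown above.

```sh
#!/bin/sh
# Added example: compare *.act modes with LogfilePermissions in account.ini.

# Print "owner:group mode" from the active LogfilePermissions line.
# Returns 1 if the line is missing or still commented out with a leading ';'.
get_logfile_permissions() {
    line=$(grep -i '^[[:space:]]*LogfilePermissions[[:space:]]*=' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    # Assumption: a trailing "; text" is a comment, as on the shipped default line.
    printf '%s\n' "$line" |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*;.*$//' -e 's/[[:space:]]*$//'
}

# List *.act files under directory $1 whose mode is not exactly $2.
act_mode_drift() {
    find "$1" -type f -name '*.act' ! -perm "$2" | sort
}

# Exit status: 0 = all files match, 1 = drift found, 2 = setting not active.
audit_radius_logs() {
    ini=$1
    dir=$2
    if ! setting=$(get_logfile_permissions "$ini"); then
        echo "LogfilePermissions is not set in $ini" >&2
        return 2
    fi
    mode=${setting##* }    # last field, e.g. 644
    drift=$(act_mode_drift "$dir" "$mode")
    if [ -n "$drift" ]; then
        echo "configured: $setting; files with a different mode:"
        printf '%s\n' "$drift"
        return 1
    fi
    return 0
}

# Usage: sh audit_act.sh /path/to/account.ini /path/to/radius
if [ "$#" -eq 2 ]; then
    audit_radius_logs "$1" "$2"
fi
```

Run it on the primary and on each replica after the .act file has rolled or the radius server has been restarted; files written before that point keep their old mode and will be reported.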
Legacy Article ID: a50898
