000030617 - Users are unable to authenticate after installing the patch 8.1 SP 1 or 8.1 P 6

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000030617
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
IssueUsers are unable to authenticate after the Authentication Manager server was upgraded to 8.1 SP 1 or 8.1 P 6.
The patch installed successfully, however, all the users are unable to authenticate after the upgrade was complete.
Administrators are able to log on to security console and operations console.
Self-service authentication is not affected. All the authentications to RSA protected resources are affected.
CauseThis is likely a licensing issue. There was an issue with Test/Evaluation license distribution somewhere between July 18 - August 28, 2014. RSA has determined that these Test/Evaluation license had an incorrect license template. As a result, this license template will not activate the full feature set of the RSA Authentication Manager 8.1 and can cause run-time errors when certain administrative actions have been executed. This problem has since been corrected and an email was sent to all the customers requesting to replace these licenses. If these license are not replaced, AM 8.1 SP 1 and 8.1 Patch 6 installation is able to detect these licenses and flag them and expire them instantly. Once the Authentication Manager detects the expired licenses, the authentication port UDP 5500, TCP 5580 etc are stopped. As a result, all authentications are ignored by RSA Authentication Manager server.
There are 2 things that you can check to make sure if this is the case.
1. In the security console, click on Setup --> Licenses --> Status
You will probably see Enterprise License with 100000 users, 100000 RBA/ODA license which LSR distributes to customer as part of trial license.
2. Login in to appliance OS using rsaadmin account and run the following command
netstat -an | grep 5500
You will probably see that UDP 5500 port is not enabled. You will, however, see TCP 5500 port on Listen mode though. TCP 5500 is used by Next-Gen Authentication Agents
This will also happen if the Trial/Evaluation license is expired. Trial licenses normally expire in 90 days.
ResolutionRequest your proper production license from LSR or RSA securcare online. Replace the RSA trial license with your valid production license and restart the services.
You can restart the services by logging in to the backend OS using rsaadmin account and running the following commands
cd /opt/rsa/am/server
./rsaserv restart
Once the service is restarted, the authentication should start working. You can verify this by running netstat command
netstat -an | grep 5500
You should see that UDP port 5500 is now open for communication.

How to Request a Authentication Manager License?
To obtain an Test / Evaluation or a Production License and have an active SecurCare Maintenance Agreement, please go to RSA SecurCare On-Line at https://knowledge.rsasecurity.com/scolcms/sets.aspx?product=auth_manager.  Navigate and click on the Version Upgrade tab, click on RSA Authentication Manager and follow the directions to the RSA Authentication Manager Software License Page.  Either select Test / Upgrade License or Production License and you will be directed to the RSA Download Central site.  
You may request up to three Evaluation licenses per SecurID server license. Each Evaluation license is active for 90 days, starting when the license is made available for download from the RSA Download Central website
If you are a new customer and are still in the evaluation phase, you must request another Evaluation License, please contact your RSA Sales Representative. If you are a new customer and are ready to purchase a new license, please contact your RSA Sales Representative
WorkaroundThere is no workaround for this issue, you will need to have a proper license to use RSA Authentication Manager in production environment. It may take up to 24 hours to request a license via SCOL. If the license was already requested but never replaced, you can download your license from donwload.rsasecurity.com