000012830 - 'AM 7.1 - Replica Radius Configuration fails with an Internal System Error'

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000012830
Applies To: Authentication Manager 7.1 Service Pack 2 to Service Pack 4 (SP2, SP3, SP4) on all supported platforms
RSA SecurID Appliance 3.0.x.0 to 3.0.4.x
Issue: Configure Authentication Manager 7.1 Replica Radius Server
Replica Radius Configuration failure

The following exception is seen in configureRadiusTrace.log, found in the RSA_HOME/install/logs/config directory, where RSA_HOME is the RSA installation path (for example, C:\Program Files\RSA Security\RSA Authentication Manager\ for Windows and /usr/local/RSASecurity/RSAAuthenticationManager for the RSA Appliance):

19 Apr 17:00:56.840 INFO - Command Output Property Keys (registerRadiusWithAM): {}
19 Apr 17:00:57.766 ERROR - Failed configuration command execution
com.rsa.installfwrk.config.exception.ConfigurationException: Failed configuration command execution
at com.rsa.installfwrk.config.ConfigEngine.execute(ConfigEngine.java:223)
at com.rsa.installfwrk.config.ConfigUtil.runConfig(ConfigUtil.java:53)
at com.rsa.installfwrk.config.ConfigUtil.main(ConfigUtil.java:35)
Caused by: com.rsa.installfwrk.common.command.exception.CommandException: RemoteCommand: Unable to initialize IMSCommandProxy
at com.rsa.installfwrk.common.command.RemoteCommandBase.handleCommandProxyException(RemoteCommandBase.java:95)
at com.rsa.installfwrk.common.command.RemoteCommandBase.initCommandProxy(RemoteCommandBase.java:89)
at com.rsa.installfwrk.common.command.RemoteCommandBase.execute(RemoteCommandBase.java:46)
at com.rsa.installfwrk.config.ConfigEngine.execute(ConfigEngine.java:185)
... 2 more
Caused by: com.rsa.installfwrk.common.command.exception.CommandException: Failed to build remote CommandProxy
at com.rsa.installfwrk.common.command.RemoteCommandBase.buildCommandProxy(RemoteCommandBase.java:122)
at com.rsa.installfwrk.common.command.RemoteCommandBase.initCommandProxy(RemoteCommandBase.java:82)
... 4 more
Caused by: java.security.PrivilegedActionException: javax.naming.NamingException: Failed to get connection [Root exception is com.rsa.common.SystemException: Failed to construct CommandTarget]
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:373)
at weblogic.security.service.SecurityManager.runAs(Unknown Source)
at weblogic.security.Security.runAs(Security.java:61)
at com.rsa.command.WebLogicSecurityContextWrapper.runAs(WebLogicSecurityContextWrapper.java:52)
at com.rsa.installfwrk.common.command.RemoteCommandBase.buildCommandProxy(RemoteCommandBase.java:115)
... 5 more
Caused by: javax.naming.NamingException: Failed to get connection [Root exception is com.rsa.common.SystemException: Failed to construct CommandTarget]
at com.rsa.tools.common.IMSCommandProxy.<init>(IMSCommandProxy.java:114)
at com.rsa.installfwrk.common.command.RemoteCommandBase$1.run(RemoteCommandBase.java:118)
at com.rsa.installfwrk.common.command.RemoteCommandBase$1.run(RemoteCommandBase.java:117)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
... 9 more
Caused by: com.rsa.common.SystemException: Failed to construct CommandTarget
at com.rsa.command.ConnectionFactory.getConnection(ConnectionFactory.java:265)
at com.rsa.tools.common.IMSCommandProxy.<init>(IMSCommandProxy.java:111)
... 12 more
Caused by: javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://servername.domain.com:7002: Destination unreachable; nested exception is:
javax.net.ssl.SSLKeyException: [Security:090542]Certificate chain received from servername.domain.com- xxx.xxx.xxx.xxx was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.; No available router to destination]
at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:40)
at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:773)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:363)
at weblogic.jndi.Environment.getContext(Environment.java:307)
at weblogic.jndi.Environment.getContext(Environment.java:277)
at weblogic.jndi.Environment.createInitialContext(Environment.java:200)
at weblogic.jndi.Environment.getInitialContext(Environment.java:184)
at weblogic.jndi.Environment.getInitialContext(Environment.java:162)
at com.rsa.command.WebLogicInitialContextFactory.getInitialContext(WebLogicInitialContextFactory.java:154)
at com.rsa.command.EJBRemoteTarget$LookupHome.run(EJBRemoteTarget.java:342)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.security.service.SecurityManager.runAs(Unknown Source)
at weblogic.security.Security.runAs(Security.java:61)
at com.rsa.command.WebLogicSecurityContextWrapper.runAs(WebLogicSecurityContextWrapper.java:52)
at com.rsa.command.EJBRemoteTarget.initHome(EJBRemoteTarget.java:302)
at com.rsa.command.EJBRemoteTarget.<init>(EJBRemoteTarget.java:231)
at com.rsa.command.ConnectionFactory.getConnection(ConnectionFactory.java:262)

Cause: The failure occurs because the Primary Authentication Manager 7.1.x has customer certificates. The default RSA self-signed certificates have been changed, and the new certificates are not trusted on the Replica Authentication Manager 7.1.x server.
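An added example (not RSA's code): a Python triage of configureRadiusTrace.log text that walks the nested "Caused by" chain shown above and reports whether the run failed on the untrusted-certificate condition this article addresses, as opposed to a plain connectivity failure. Both sample logs are constructed (the first is abbreviated from the trace above), and the function and field names are assumptions.

```python
import re

CAUSE_RE = re.compile(r"^Caused by: ([\w.$]+)")
NESTED_RE = re.compile(r"nested exception is:\s*([\w.$]+):")
T3S_RE = re.compile(r"t3s://([^:/\s]+):(\d+)")
WLS_CODE_RE = re.compile(r"\[Security:(\d+)\]")

def triage(log_text):
    """Summarise a failed run from configureRadiusTrace.log text."""
    # The top-level error is generic; the actionable cause is the last
    # "Caused by" entry and the exception nested inside its message.
    causes = [m.group(1) for line in log_text.splitlines()
              if (m := CAUSE_RE.match(line.strip()))]
    nested = NESTED_RE.search(log_text)
    endpoint = T3S_RE.search(log_text)
    code = WLS_CODE_RE.search(log_text)
    return {
        "cause_depth": len(causes),
        "root_exception": nested.group(1) if nested else (causes[-1] if causes else None),
        "primary_endpoint": (endpoint.group(1), int(endpoint.group(2))) if endpoint else None,
        "wls_code": code.group(1) if code else None,
        # 090542 is the code this article's trace carries for an untrusted chain.
        "untrusted_chain": bool(code) and code.group(1) == "090542",
    }

# Constructed sample, abbreviated from the trace in this article.
UNTRUSTED = """\
19 Apr 17:00:57.766 ERROR - Failed configuration command execution
com.rsa.installfwrk.config.exception.ConfigurationException: Failed configuration command execution
Caused by: com.rsa.installfwrk.common.command.exception.CommandException: RemoteCommand: Unable to initialize IMSCommandProxy
Caused by: com.rsa.common.SystemException: Failed to construct CommandTarget
Caused by: javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://servername.domain.com:7002: Destination unreachable; nested exception is:
javax.net.ssl.SSLKeyException: [Security:090542]Certificate chain received from servername.domain.com- xxx.xxx.xxx.xxx was not trusted causing SSL handshake failure.; No available router to destination]
"""

# Constructed sample: same endpoint, but the Primary is not accepting connections.
REFUSED = """\
19 Apr 17:00:57.766 ERROR - Failed configuration command execution
Caused by: com.rsa.common.SystemException: Failed to construct CommandTarget
Caused by: javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://servername.domain.com:7002: Destination unreachable; nested exception is:
java.net.ConnectException: Connection refused; No available router to destination]
"""

if __name__ == "__main__":
    for name, text in (("untrusted", UNTRUSTED), ("refused", REFUSED)):
        print(name, triage(text))
```

Only the first sample is a case for the certificate import below; the second has the same outer exceptions but needs a connectivity check instead.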
Resolution

To resolve the issue, import and trust the CA Root Certificate from the Primary Authentication Manager 7.1.x server on the Replica instance.

1. Copy the CA Root Certificate of the Primary instance to the Replica instance.

2. Import and trust the CA Root Certificate of the Primary instance on the Replica instance. Follow these steps to import the CA Root Certificate on the Replica:

  a. Change to the RSA_HOME/utils directory and run:
       rsautil manage-ssl-certificate --import --trustcacerts --alias <CA_CERT_ALIAS> --cert-file <CA_CERT_FILE_PATH> --keystore <JDK_KEYSTORE_PATH>

Where:

  <CA_CERT_ALIAS> is the alias name specified when the CA Root Certificate was created.
  <CA_CERT_FILE_PATH> is the path to the CA Root Certificate, including the file name.
  <JDK_KEYSTORE_PATH> is the path to the JDK CA keystore file (CACERTS). Example: RSA_HOME/appserver/jdk/lib/security/cacerts

  b. Enter the storepass. The default storepass is: changeit
  c. When prompted to trust the certificate, confirm with Y and press Enter.

3. Configure the Replica Radius Server:

  a. Log on to the Operations Console of the Replica instance.
  b. From the top menu, select Deployment Configuration/Radius/Configure Server. (You will be prompted for the SuperAdmin credentials.)
  c. Fill out the information requested and click Configure Server.

 

 

Legacy Article ID: a57972
