000019033 - How to use name locking with RSA ACE/Agent 5.0 API

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000019033
Applies To: RSA ACE/Agent 5.0 API
UNIX (AIX, HP-UX, Solaris)
Microsoft Windows NT 4.0
Microsoft Windows 2000
SD_LOCK
Issue: How to use name locking with RSA ACE/Agent 5.0 API
The sync2.c example code provided with RSA ACE/Agent 5.0 API is used to demonstrate name locking and Server failover. The example is put into a continuous loop broken only by an error condition, which then results in SD_Close being called. When a name lock is established the user gets ACCESS DENIED even though there are available ACE/Server Replicas to authenticate against. The next authentication works correctly.
Cause: When the SD_Lock function is called from the API, the Agent will use a status file to see which servers are available for authentication. Once it has chosen a server from this list it sends out a name lock to prevent any other server in the ACE/Server domain from authenticating this user. However, if the chosen server is down SD_Lock will return a status of ACM_ACCESS_DENIED.
Resolution: The server status information used by RSA ACE/Agent 5.0 is not updated until the API handle is closed. For the API to perform a successful name lock on a live server, an SD_Close and SD_Init need to be performed to allow SD_Lock to find a new server.

The status file created is %SystemRoot%\System32\sdstatus.12 on Windows NT/2000 systems and $VAR_ACE/sdstatus.12 on UNIX systems. The following is an example of how a name lock can be established to a valid server using the sync2.c example program:

        int acmRet = 0;  // ACM return status

        //...

        acmRet = SD_Lock(SdiHandle, username);
        if (acmRet != ACM_OK)
        {
            // The name lock failed. The chosen Server must be down.
            // Close and re-open the handle so the sdstatus.12 file is
            // updated, then continue with the authentication.

            // First close the API handle.
            SD_Close(SdiHandle);

            // Now re-open the handle for a new session.
            acmRet = SD_Init(&SdiHandle);
            if (acmRet != ACM_OK)
            {
                printf("Cannot communicate with the ACE/Server.\n");
                return 1;
            }

            // As this is a new session the SD_Lock function will do a new search
            // for available servers, updating the status file and ensuring no other
            // downed servers are chosen.
            // If this SD_Lock fails then there are no available ACE/Servers!
            acmRet = SD_Lock(SdiHandle, username);
            if (acmRet != ACM_OK)
            {
                printf("Access denied. Unable to locate a valid ACE/Server.\n");
                return 1;
            }
        }
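As an added illustration (not code from this article or from RSA's agent library), the following C model reproduces the stale-status behaviour described in the Cause and Resolution: the sim_* functions, the return codes and the three-server scenario are constructed assumptions, and lock_with_reinit mirrors the SD_Close/SD_Init sequence above while lock_retry_same_handle shows why simply calling SD_Lock again on the same handle does not help.

```c
#include <string.h>

/* Constructed model of the behaviour the article describes; the sim_*
   functions are NOT the vendor's SD_Init/SD_Lock/SD_Close. */
#define ACM_OK            0
#define ACM_ACCESS_DENIED 1
#define NSERVERS          3

/* Constructed scenario: Primary is down, both Replicas are reachable. */
static const int server_reachable[NSERVERS] = { 0, 1, 1 };
/* Shared status file (sdstatus.12 in the article): 1 = believed up. */
static int status_file[NSERVERS] = { 1, 1, 1 };

typedef struct {
    int snapshot[NSERVERS];   /* copy of the status file taken at init */
} sim_handle;

void sim_reset(void) { for (int i = 0; i < NSERVERS; i++) status_file[i] = 1; }

int sim_SD_Init(sim_handle *h) {
    memcpy(h->snapshot, status_file, sizeof status_file);
    return ACM_OK;
}

void sim_SD_Close(sim_handle *h) { memset(h->snapshot, 0, sizeof h->snapshot); }

/* Locks against the first server the *session* believes is up. A failed
   attempt is written to the status file, but the session snapshot is
   not refreshed until the handle is closed and re-initialised. */
int sim_SD_Lock(sim_handle *h, const char *user) {
    (void)user;
    for (int i = 0; i < NSERVERS; i++) {
        if (!h->snapshot[i]) continue;
        if (server_reachable[i]) return ACM_OK;
        status_file[i] = 0;            /* record the down server */
        return ACM_ACCESS_DENIED;      /* stale snapshot still points here */
    }
    return ACM_ACCESS_DENIED;
}

/* Naive retry on the same handle: same stale snapshot, same down server. */
int lock_retry_same_handle(sim_handle *h, const char *user) {
    if (sim_SD_Lock(h, user) == ACM_OK) return ACM_OK;
    return sim_SD_Lock(h, user);
}

/* The article's fix: SD_Close + SD_Init so the next SD_Lock re-reads status. */
int lock_with_reinit(sim_handle *h, const char *user) {
    if (sim_SD_Lock(h, user) == ACM_OK) return ACM_OK;
    sim_SD_Close(h);
    if (sim_SD_Init(h) != ACM_OK) return ACM_ACCESS_DENIED;
    return sim_SD_Lock(h, user);
}
```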
Legacy Article ID: a5496
