000016606 - RH Apache Web Agent - error '103: Response to new PIN Request took too long' exception in new pin mode

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000016606
Applies To: RedHat 5.1
Authentication Manager Web Agent for Apache 7.X and Authentication Manager Web Agent for Apache 5.3
Leveraging the bundled Apache web server shipped with RH 5.1, Apache 2.2.3, or with 2.052 shipped with RH 4

Issue

RH Apache Web Agent - error '103: Response to new PIN Request took too long' exception in new pin mode
While ./acetest from the command line does change a new user's PIN correctly, logging in through the Apache web page for SecurID throws the following exception:

103: Response to the New PIN Request took too long. Please try again.

A user who already has a functioning PIN is not affected.



Cause

The Apache 2.2.3 bundle that comes with RH 5.1 is not supported. Per the installation guide for the 7.X agent, page 11:

Hardware and Operating System Requirements:
The Web Agent is supported on Apache Web Server 2.2.4 and 2.2.6 on Red Hat Enterprise Linux 4.0, 5.0, and 5.1 AS/ES.
2.2.3 is not a supported web server for this agent.

Likewise, the Apache agent for 5.3 is supported on 2.59, not 2.052.

The issue is caused by the options used when Apache was compiled for the rpm. If the rpm is compiled with worker and prefork, or with worker alone, this issue will occur.

The documentation will be modified to state that only prefork can be used.

Resolution

1) For 100% compatibility, you MUST use a supported version whose source was downloaded DIRECTLY FROM apache.org. RSA cannot guarantee that every pre-made rpm available for download on the internet contains an unmodified source tree or is compiled in a standard fashion. Compiling Apache is very simple and very well documented by Apache. The compile procedure has been the same since Apache 1.3.

2) Download the source from apache.org

3) To use the latest current supported version for the 7.X agent, pick up httpd-2.2.6.tar.gz

4) Place the bundle on the target system, then gunzip and tar -xvf the bundle

5) Compile per directions from apache.org, noting whatever prefix you select will be the apache base installation directory

http://httpd.apache.org/docs/2.0/install.html

You MUST use prefork when compiling, do not use worker.

6) ENSURE you follow the install guide, specifically:

a) httpd.conf: AddDefaultCharset off
 
b) create the /var/ace directory
    - mkdir /var/ace
    - the default user Apache runs under in httpd.conf is daemon:daemon; ensure daemon:daemon can read and write to /var/ace
    - place sdconf.rec in /var/ace (unzipped, of course) with 755 permissions
  
c) to /etc/profile add:
           VAR_ACE=/var/ace
           export VAR_ACE

d) source /etc/profile and make sure you are exporting VAR_ACE as an environment variable

e) As dictated by the install guide, pg 11, ensure you are using these exact versions of libc and compat-libstdc

compat-glibc-7.x-2.2.4.32.6
compat-libstdc++-7.3-2.96.128

f) the loopback line in /etc/hosts should be modified to

127.0.0.1       localhost

In addition, you must ensure that what the hostname command returns matches an entry in /etc/hosts that contains the IP, short hostname and FQDN, for example:

[root@badgirl ~]# hostname
myhost.mydomain.com
[root@badgirl ~]# cat /etc/hosts | grep badgirl
192.168.131.228         myhost.mydomain.com myhost
[root@badgirl ~]#


      


g) rpc MUST BE running

[root@apache ~]# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    933  status
    100024    1   tcp    936  status
    300760    1   tcp  41347

7) Install the agent 7.1, ENSURING you specify the PROPER PATH where Apache is installed*

8)  Test the agent

*see note
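
The prerequisites from step 6 can be checked with a script before the agent is installed. This is an added example, not part of the RSA article or the agent's own tooling; the default PREFIX and all function names are assumptions.

```shell
# Added example: pre-flight checks for the step 6 prerequisites.
# PREFIX (assumed default) is the --prefix chosen when compiling Apache.
PREFIX="${PREFIX:-/usr/local/apache2}"

# Reads `httpd -V` output on stdin; succeeds only for the prefork MPM.
mpm_is_prefork() { grep -Eqi '^Server MPM:[[:space:]]*prefork'; }
httpd_mpm_ok() { "$1" -V 2>/dev/null | mpm_is_prefork; }

# 6a: httpd.conf ($1) has an uncommented "AddDefaultCharset off".
charset_is_off() {
    grep -Eqi '^[[:space:]]*AddDefaultCharset[[:space:]]+off[[:space:]]*$' "$1"
}

# 6b: directory $1 exists and holds a readable sdconf.rec.
ace_dir_ok() { [ -d "$1" ] && [ -r "$1/sdconf.rec" ]; }

# 6f: hosts file $1 has a non-loopback line naming both the FQDN ($2)
# and its short form.
hosts_entry_ok() {
    awk -v fqdn="$2" 'BEGIN { short = fqdn; sub(/\..*/, "", short) }
        $1 ~ /^#/ || $1 == "127.0.0.1" { next }
        { f = 0; s = 0
          for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 }
          if (f && s) found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
}

# Runs a check quietly and records PASS/FAIL; rc stays 1 after any failure.
report() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then echo "PASS  $label"
    else echo "FAIL  $label"; rc=1; fi
}

preflight() {
    rc=0
    report "httpd built with prefork MPM"  httpd_mpm_ok "$PREFIX/bin/httpd"
    report "AddDefaultCharset off"         charset_is_off "$PREFIX/conf/httpd.conf"
    report "/var/ace holds sdconf.rec"     ace_dir_ok /var/ace
    report "VAR_ACE exported as /var/ace"  sh -c '[ "$VAR_ACE" = /var/ace ]'
    report "hostname listed in /etc/hosts" hosts_entry_ok /etc/hosts "$(hostname)"
    report "rpc answering (rpcinfo -p)"    rpcinfo -p
    return "$rc"
}

# Only touches the live system when asked to: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

The script does not verify that daemon:daemon can write to /var/ace or that the compat library versions match; check those by hand.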

Notes

* The startup script in /etc/init.d for Apache, httpd, should be modified to point to the new httpd executable and the directory used in the prefix variable during compile, to ensure startup occurs seamlessly at boot time.
Please reference:

http://www.emc.com/security/rsa-securid/rsa-authentication-agents/apache-7-1.htm

Where RSA states:

"Apache versions mentioned here refer to distributions available on www.apache.org. Pre-packaged Apache modules available from other sources or vendors can result in incorrect behavior or missing functionality in the RSA Agent."

add case and contact info to AAAPC-409
Legacy Article ID: a51558
