000016606 - RSA Authentication Agent 7.x for Web for Apache on Red Hat 5 throws error 103: Response to New PIN Request took too long exception in New PIN Mode

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support on Mar 6, 2018
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000016606
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Web for Apache 
RSA Version/Condition: 7.x
Platform: Red Hat
O/S Version: 5

 
Issue
  • When an RSA SecurID token is in New PIN Mode and authentication is through the Authentication Agent 7.x for Web for Apache installed on Red Hat 5, the following error is seen:

103: Response to new PIN Request took too long' exception in New PIN Mode



  • While ./acetest from the command line does change a new users PIN correctly, when passing through the Apache web page for SecurID login, the following exception is thrown:

103: Response to the New PIN Request took too long. Please try again.



  • A user that already has a functioning PIN authenticates successfully.
CauseThe Apache bundle 2.2.3 that comes with Red Hat 5.1 is not supported with the RSA Authentication Agent 7.x for Web for Apache.  Per page 11 of the RSA Authentication Agent 7.x for Web Installation and Configuration Guide:

Hardware and Operating System Requirements:



The RSA Authentication Agent for Web for Apache is supported on Apache Web Server 2.2.4 and 2.2.6 on Red Hat Enterprise Linux 4.0, 5.0, and 5.1 AS/ES.
2.2.3 is not a supported web server for this agent.


Likewise, the RSA Authentication Agent 5.3 for Web for Apache is supported on 2.59, not 2.052.

The issue is caused by which compiling options were used when apache is compiled for rpm.  If the rpm is compiled with worker and prefork, or worker alone, this issue will occur.



The documentation will be modified to state that prefork only can be used.

Resolution
  1. For 100% compatibility, you MUST use a supported version source that is downloaded DIRECTLY FROM apache.org.  RSA cannot guarantee every pre-made rpm available for download on the internet contains an unmodified source tree or is compiled in a standard fashion.  Compiling Apache is very simple and very well documented from Apache.  The compile procedure has been the same since Apache.
  2. Download the source from apache.org.
  3. To use the latest current supported version for the RSA Authentication Agent 7.x for Web for Apache, pick up httpd-2.2.6.tar.gz.
  4. Place the bundle on the target system, gunzip and tar -xvf the bundle.
  5. Follow the Compiling and Installing directions from Apache , noting whatever prefix you select will be the Apache base installation directory.  You MUST use prefork when compiling, do not use worker
  6. Ensure that you follow the install guide, specifically:
    1. httpd.conf: AddDefaultCharset off
    2. Create the /var/ace directory


mkdir /var/ace


  • The default user apache runs under in httpd.conf is daemon:daemon, insure daemon:daemon can read and write to /var/ace.
  • Place the sdconf.rec in /var/ace (unzipped of course) with 755 permissions.

  1. To /etc/profile add:


VAR_ACE=/var/ace
export VAR_ACE


  1. Source /etc/profile and make sure you are exporting VAR_ACE as an environment variable.
  2. As directed by page 11 of the RSA Authentication Agent 7.x for Web Installation and Configuration Guide, ensure you are using these exact versions of libc and compat-libstdc

  • compat-glibc-7.x-2.2.4.32.6
  • compat-libstdc++-7.3-2.96.128

  1. The loopback line in /etc/host should be modified as follows:

127.0.0.1       localhost



  1. In /etc/hosts, confirm that what returns from the hostname command matches an entry in /etc/hosts that contains the IP address, short hostname and FQDN; for example:


[root@badgirl ~]# hostname
myhost.mydomain.com
[root@badgirl ~]# cat /etc/hosts | grep badgirl
192.168.131.228         myhost.mydomain.com myhost
[root@badgirl ~]#


  1. rpc MUST BE running:


[root@apache ~]# rpcinfo -p
program vers proto   port
100000    2   tcp    111  portmapper
100000    2   udp    111  portmapper
100024    1   udp    933  status
100024    1   tcp    936  status
300760    1   tcp  41347


  1. Install the RSA Authentication Agent 7.x for Web for Apache, ensuring to specify the PROPER PATH on which Apache is installed (see Notes below).
  2. Test the agent.
Notes* The startup script in /etc/init.d for apache, httpd, should be modified to point to the new httpd executable and the the directory used in the prefix variable during compile to insure startup occurs seamlessly at boot time:
"Apache versions mentioned here refer to distributions available on www.apache.org. Pre-packaged Apache modules available from other sources or vendors can result in incorrect behavior or missing functionality in the RSA Agent."
Legacy Article IDa51558

Attachments

    Outcomes