000025841 - How to configure RSA ClearTrust Agents with RSA SecurID as an authentication method

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025841
Applies To: RSA ClearTrust 5.5.x
Issue: How to configure RSA ClearTrust Agents with RSA SecurID as an authentication method
Unable to use the RSA SecurID authentication method. The ClearTrust authorization server debug log shows lines such as:
23:31:09:844 [*] [MUX_Request_Thread_18] - TCPServerAPIAdaptor.authenticate ( {CREDENTIALS=*****, AUTHENTICATION_TYPE=SC_SECURID, SC_USER_ID=icashman}, {CLIENT_IP=10.100.48.66, CLIENT_PORT=59026} ) returning {AUTHENTICATION_RESULT=SECURID_auth_FAILED, RETURN_CODE=INVALID_USER}
23:59:31:831 [*] [MUX_Request_Thread_7] - The ACE client initialization was failed. Please check if the "aceclnt" library is available
Cause: RSA ACE/Agent not installed
No documentation is available in the current install or admin guides.
Resolution:

OVERVIEW

Win32:

        - Install the ACE/Agent on the ClearTrust server
        - Configure the ClearTrust Agent
        - Configure a client definition for the ClearTrust server
        - Configure the ClearTrust IIS Agent to handle New PIN and Next Token mode

UNIX:

        - Install the ACE/Agent on the ClearTrust server
        - Configure the ClearTrust Agent
        - Configure a client definition for the ClearTrust server
        - Configure the ClearTrust IIS Agent to handle New PIN and Next Token mode


Win32 step 1:

- Install the ACE/Agent on the same server as the ClearTrust Authorization Server. NOTE: An ACE/Agent is needed for each Authorization Server in a redundant ClearTrust server environment.

Win32 step 2:

- Configure a resource on the web server agent to require SecurID authentication.
- Edit the webagent.conf found in:
          c:\<install>\<path>\IIS Agent\conf
- Set the cleartrust.agent.auth_resource_list parameter, listing each resource with the authentication type it requires, e.g.:

cleartrust.agent.auth_resource_list=/one/*=SECURID,/two/*=BASIC:SECURID,/three/*=BASIC+SECURID

Win32 step 3:

- Configure the ClearTrust server just as you would any other RSA ACE/Agent. See *NOTE below if the ClearTrust/AXM and ACE servers reside on different machines.

UNIX step 1:

- Install the ACE/Agent on the same server as the ClearTrust Authorization Server. NOTE: An ACE/Agent is needed for each Authorization Server in a redundant ClearTrust server environment.

- By default the ClearTrust server looks in /var/ace for sdconf.rec; however, the ACE/Agent is typically installed into /opt/ace/. To resolve this, link /var/ace to /opt/ace/data/ as shown below:

        # ln -s /opt/ace/data /var/ace

UNIX step 2:

- Configure a resource on the web server agent to require SecurID authentication.

- Edit the webagent.conf which is found in:
          /opt/ctrust5/agent/apache/conf/
- Set the cleartrust.agent.auth_resource_list parameter, listing each resource with the authentication type it requires, e.g.:

cleartrust.agent.auth_resource_list=/one/*=SECURID,/two/*=BASIC:SECURID,/three/*=BASIC+SECURID

UNIX step 3:

- Configure the ClearTrust server just as you would any other ACE/Agent.
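The auth_resource_list value from step 2 (Win32 and UNIX) packs several per-resource policies into one line, and a resource that offers BASIC as an alternative does not actually force a token. The following Python example is added here and is not part of this article or of the ClearTrust product; it parses the line and reports whether a request path enforces SecurID. The meaning of ':' (alternatives) and '+' (methods combined), and the treatment of resource patterns as shell-style globs, are assumptions.

```python
import fnmatch
from typing import List, Optional, Tuple

# Constructed sample: the webagent.conf example line given in step 2 above.
SAMPLE_CONF_LINE = ("cleartrust.agent.auth_resource_list="
                    "/one/*=SECURID,/two/*=BASIC:SECURID,/three/*=BASIC+SECURID")

# (resource pattern, alternatives); each alternative lists the methods that
# must all succeed for that alternative to be satisfied.
Entry = Tuple[str, List[List[str]]]

def parse_auth_resource_list(conf_line: str) -> List[Entry]:
    """Parse the comma-separated resource=AUTH pairs of auth_resource_list.
    Assumed separator meaning (not stated on this page): ':' offers
    alternative methods, '+' chains methods that are all required."""
    key, sep, value = conf_line.partition("=")
    if not sep or key.strip() != "cleartrust.agent.auth_resource_list":
        raise ValueError("not a cleartrust.agent.auth_resource_list line")
    entries: List[Entry] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        pattern, sep, spec = item.partition("=")
        if not sep or not pattern or not spec:
            raise ValueError(f"malformed entry: {item!r}")
        alternatives = [[m.strip().upper() for m in alt.split("+") if m.strip()]
                        for alt in spec.split(":")]
        entries.append((pattern.strip(), alternatives))
    return entries

def auth_for_path(entries: List[Entry], path: str) -> Optional[List[List[str]]]:
    """Alternatives of the first entry whose pattern matches path, else None.
    The pattern is treated as a shell-style glob (assumed); fnmatch's '*'
    also spans '/', so '/one/*' covers '/one/a/b'."""
    for pattern, alternatives in entries:
        if fnmatch.fnmatchcase(path, pattern):
            return alternatives
    return None

def securid_enforced(entries: List[Entry], path: str) -> bool:
    """True only if every way of satisfying the matching entry includes SECURID.
    '/two/*=BASIC:SECURID' therefore gives False: a client may pick BASIC and
    never present a token, which is easy to miss when reviewing the list."""
    alternatives = auth_for_path(entries, path)
    return alternatives is not None and all("SECURID" in alt for alt in alternatives)
```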


Troubleshooting:

- Get a feel for where the problem is (ClearTrust or ACE).
- If the ACE/Server is not seeing any traffic, this typically means the ACE/Agent is either not installed or is installed in the wrong place. Only the ClearTrust servers are the ACE clients, not the ClearTrust Agents themselves. SecurID is not used to control access to a resource or a particular agent; it is simply used as an authenticator, and if authentication succeeds the policy on the ClearTrust servers defines the access.
- Test the authentication with the agent. If that works, make sure that the ClearTrust auth server is handling the authentication correctly; this can be done by enabling debug on the ClearTrust auth server.

If you see a line in the debug log that reads:

23:31:09:844 [*] [MUX_Request_Thread_18] - TCPServerAPIAdaptor.authenticate ( {CREDENTIALS=*****, AUTHENTICATION_TYPE=SC_SECURID, SC_USER_ID=icashman}, {CLIENT_IP=10.100.48.66, CLIENT_PORT=59026} ) returning {AUTHENTICATION_RESULT=SECURID_auth_FAILED, RETURN_CODE=INVALID_USER}

This shows that the ACE client is working but the ACE/Server is rejecting the authentication.

If you see a line in the debug log that reads:

23:59:31:831 [*] [MUX_Request_Thread_7] - The ACE client initialization was failed. Please check if the "aceclnt" library is available

This shows that the agent is unavailable. There are two solutions to this:

1. Windows: Ensure the correct ACE client is installed; ClearTrust will not work with the ACE/Agent for Windows 2000.

2. UNIX: Ensure a link exists for /var/ace. The /var/ace directory must contain the sdconf.rec file and must be readable by the user that starts the servers (by default, this is user "ctrust").
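To make the two debug-log checks above repeatable, here is an added Python triage helper (not from this article or from RSA) that classifies authorization server debug lines into the two cases the article describes and extracts the user, client IP and return code from authenticate lines. The regex layout assumes lines look exactly like the quoted ones; the sample log is constructed from them.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: the two debug lines quoted in Troubleshooting above,
# plus one unrelated line (constructed) to show that it is ignored.
SAMPLE_DEBUG = """\
23:31:09:844 [*] [MUX_Request_Thread_18] - TCPServerAPIAdaptor.authenticate ( {CREDENTIALS=*****, AUTHENTICATION_TYPE=SC_SECURID, SC_USER_ID=icashman}, {CLIENT_IP=10.100.48.66, CLIENT_PORT=59026} ) returning {AUTHENTICATION_RESULT=SECURID_auth_FAILED, RETURN_CODE=INVALID_USER}
23:59:31:831 [*] [MUX_Request_Thread_7] - The ACE client initialization was failed. Please check if the "aceclnt" library is available
23:59:45:100 [*] [MUX_Request_Thread_9] - unrelated message (constructed)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3}) .*?TCPServerAPIAdaptor\.authenticate \("
    r".*?AUTHENTICATION_TYPE=(?P<type>\w+).*?SC_USER_ID=(?P<user>[^,}]+)"
    r".*?CLIENT_IP=(?P<ip>[\d.]+).*?returning \{AUTHENTICATION_RESULT=(?P<result>\w+)"
    r", RETURN_CODE=(?P<code>\w+)\}")
INIT_FAIL_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3}) .*?ACE client initialization was failed")

def triage_line(line: str) -> Optional[Dict[str, str]]:
    """Map one auth-server debug line to the diagnosis this article gives for it."""
    m = INIT_FAIL_RE.search(line)
    if m:
        # The aceclnt library could not be loaded: ACE/Agent missing or wrong
        # version (Windows), or /var/ace link / sdconf.rec unreadable (UNIX).
        return {"ts": m.group("ts"), "layer": "ace_client",
                "diagnosis": "ACE client unavailable; check ACE/Agent install, "
                             "/var/ace link and sdconf.rec permissions"}
    m = AUTH_RE.search(line)
    if not m or m.group("type") != "SC_SECURID":
        return None  # not a SecurID authentication attempt
    finding = {"ts": m.group("ts"), "user": m.group("user"),
               "client_ip": m.group("ip"), "code": m.group("code")}
    if m.group("result") == "SECURID_auth_FAILED":
        # The request reached the ACE/Server; the rejection happened on that side.
        finding.update(layer="ace_server",
                       diagnosis="ACE client working; ACE/Server rejected the authentication")
    else:
        finding.update(layer="ok", diagnosis="SecurID authentication accepted")
    return finding

def triage(debug_log: str) -> List[Dict[str, str]]:
    """Run triage_line over every line, keeping only lines with a diagnosis."""
    findings = []
    for line in debug_log.splitlines():
        f = triage_line(line)
        if f:
            findings.append(f)
    return findings
```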
Notes
*NOTE: If the ClearTrust and ACE servers reside on different machines, you will need to FTP the sdconf.rec file to the $CTHOME/conf directory of the AXM/ClearTrust server instead of linking the sdconf.rec file.
With Access Manager 6.x, the ACE Java API client is included and external agents are no longer needed.
Legacy Article ID: a17898