|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Agent API for C or Java
RSA Version/Condition: 8.5 or later, 8.6, includes RSA Authentication Agent 8.0 for Web configured for TCP authentication
This article is relevant to authentication to RSA Authentication Manager server using TCP port 5500, not UDP 5500.
Any attempt to authenticate to or communicate with the Authentication Manager server fails, as recorded in the agent log.
When authentication is initiated from RSA Authentication Agent API 8.5 or later, the ACEInitialize program reads the sdconf.rec to:
|Cause||TCP-based agent authentication is based on the agent certificate, which can be viewed in the Security Console under Setup > System. The image on the left is for Agents. To see the IPv6 settings, click the link labeled "To configure agents using IPv6, click here."|
Scroll down to the bottom of the IPv4/IPv6 Agent page to view the Existing Certificate Details.
If you restore a backup from another Authentication Manager 8.x server, you will import a different Agent Certificate, which will not be recognized by the Authentication Manager API 8.5 Agent.
Even if the two servers in this example were both set up with Quick Setup using the same name and IP address, they do not have the same agent certificate unless they are VM clones.
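The point above, that name and IP address do not determine the certificate, can be reproduced with ordinary X.509 tooling. This is an added example, not RSA code and not how Authentication Manager generates its agent certificate: it assumes `openssl` is installed, and the hostname `am.example.test` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration (generic X.509 via openssl, not RSA's own tooling).
# am.example.test is a constructed sample hostname.

# make_cert DIR NAME: new key pair plus self-signed certificate, as a
# fresh server installation would generate.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=am.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# subject FILE: print the certificate subject (the server's name).
subject() {
    openssl x509 -in "$1" -noout -subject
}

# fingerprint FILE: print the SHA-256 fingerprint of the certificate.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# same_cert A B: succeed only when both files hold the same certificate.
same_cert() {
    [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]
}

# compare LABEL A B: report whether an agent that recognizes A would accept B.
compare() {
    if same_cert "$2" "$3"; then
        echo "$1: same certificate, agent still recognizes the server"
    else
        echo "$1: different certificate, agent no longer recognizes the server"
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir" original                 # server the agent was set up against
    make_cert "$dir" other                    # separate install, same name
    cp "$dir/original.pem" "$dir/clone.pem"   # a VM clone keeps the same files
    echo "original $(subject "$dir/original.pem")"
    echo "other    $(subject "$dir/other.pem")"
    compare "backup from other server" "$dir/original.pem" "$dir/other.pem"
    compare "VM clone" "$dir/original.pem" "$dir/clone.pem"
    rm -rf "$dir"
}

demo
```

Recording the certificate fingerprint before any restore gives a value to compare against afterwards when agents start failing.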
|Resolution||There are two possible solutions to this situation:|
The RSA Authentication Manager API 8.5 files are located in /var/ace by default, or in the location configured in the rsa_api.properties file.
|Workaround||Restore an original backup that was taken on this original RSA Authentication Manager server, not from another RSA Authentication Manager server.|