|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Agent API for C or Java
RSA Version/Condition: 8.5 or later, 8.6, includes Web agent 8.0 configured for TCP authentication
Product Description: Authentication to AM server TCP port 5500, not older UDP 5500
|Issue||Any attempt to authenticate or communicate with the AM server fails, and the agent log shows:|
error SignatureVerifier.cpp 247 The certificate verification failed
When Agent API v. 8.5 or later authentication is initiated, the ACEInitialize program reads the sdconf.rec to;
|Cause||TCP-based agent authentication is based on the agent certificate, which can be viewed in the Security Console under Setup – System. Agents is on the left. Click the IPv6 settings link, where it says ‘here’ in very small letters at the top left.|
Scroll down to the bottom of the IPv4/IPv6 Agent page to view the Existing Certificate Details.
If you restore a backup from another AM 8.x Server, you will import a different Agent Certificate, which will not be recognized by the AM API 8.5 Agent.
NOTE: Even if the two servers in this example were both set up with Quick Setup with the same name and IP, they do not have the same agent certificate unless they are VM clones.
|Resolution||There are two possible solutions to this situation:|
1. Import the original agent Certificate back into the IPv4/IPv6 page
2. Generate and download a new sdconf.rec file, delete the agent files including bootstrap.xml and root.cer, place the new sdconf.rec file on the agent, and try to authenticate again.
Agent API 8.5 files are located in /var/ace by default, or in the location configured in the rsa_api.properties file.
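Resolution 2 as a POSIX shell function, added here as an example and not RSA's own tooling. The function name `reset_agent_trust` is hypothetical, only the two cached files named above are handled, and stale files are moved to a backup directory rather than deleted so the change can be reverted.

```shell
#!/bin/sh
# Added example: clear an agent's cached trust files so it bootstraps again
# from a newly generated sdconf.rec.
# Assumption: only bootstrap.xml and root.cer are named on this page; add any
# other cached agent files to STALE_FILES if your agent keeps them.
STALE_FILES="bootstrap.xml root.cer"

# reset_agent_trust AGENT_DIR NEW_SDCONF
#   AGENT_DIR   agent file directory (/var/ace by default)
#   NEW_SDCONF  sdconf.rec downloaded from the current AM server
# Prints the backup directory that now holds the stale files.
# Usage (constructed path): reset_agent_trust /var/ace /tmp/sdconf.rec
reset_agent_trust() (
    agent_dir=$1
    new_sdconf=$2

    [ -d "$agent_dir" ] || { echo "no agent directory: $agent_dir" >&2; exit 2; }
    [ -s "$new_sdconf" ] || { echo "missing or empty: $new_sdconf" >&2; exit 3; }

    backup=$(mktemp -d "$agent_dir/stale-$(date +%Y%m%d%H%M%S)-XXXXXX") || exit 4

    # Stage the new file first: nothing is removed if the copy fails, and it
    # still works when NEW_SDCONF is already sitting in AGENT_DIR.
    cp "$new_sdconf" "$backup/sdconf.rec.new" || exit 5

    # Move the old sdconf.rec and the cached trust files out of the way.
    for f in $STALE_FILES sdconf.rec; do
        if [ -e "$agent_dir/$f" ]; then
            mv "$agent_dir/$f" "$backup/$f" || exit 6
        fi
    done

    mv "$backup/sdconf.rec.new" "$agent_dir/sdconf.rec" || exit 7
    echo "$backup"
)
```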
|Workaround||Restore an original backup that was taken on this original AM server, not from another AM Server.|
|Notes||The original case involved a partner implementation with Fox Technologies BoKS ServerControl 7.0, which uses the TCP-based agent API in order to support IPv6.|
You can optionally view the certificate inside an sdconf.rec with Notepad++; it is a Root CA certificate.
There are other Knowledge Base articles on Link that show how to extract Certificate information and create a .cer Certificate file