000034031 - Authentication Agent API ver. 8.5 or later fails with "certificate verification failed" and "ConfigResponse is not valid"

Document created by RSA Customer Support Employee on Sep 22, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000034031
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent API for C or Java
RSA Version/Condition: 8.5 or later, 8.6; includes Web Agent 8.0 configured for TCP authentication
Platform: Linux
Product Description: Authentication to the AM server on TCP port 5500, not the older UDP port 5500
Issue: Any attempt to authenticate or communicate with the AM server fails, and the agent log shows:
error SignatureVerifier.cpp 247 The certificate verification failed
error AgentConfigHandler.cpp 135 ConfigResponse is not valid

When an Agent API v. 8.5 or later authentication is initiated, the ACEInitialize program reads sdconf.rec to:
  1. Create bootstrap.xml & root.cer based on what is in sdconf.rec
  2. Verify the Certificate
  3. Negotiate to exchange message Keys
This failure indicates a problem reading the certificates used, so no message keys can be exchanged for encrypted communication and the authentication process goes no further.
Cert validation failed
Cause: TCP-based agent authentication relies on the agent certificate, which can be viewed in the Security Console under Setup > System. On the left is Agents. Click the IPv6 settings where it says 'here' in really tiny letters at the top left.
Scroll down to the bottom of the IPv4/IPv6 Agent page to view the Existing Certificate Details.
If you restore a backup from another AM 8.x server, you import a different agent certificate, which will not be recognized by the Agent API 8.5 agent.
NOTE: Even if the two servers in this example were both Quick Setup with the same name and IP, unless they are VM clones they do not have the same agent certificate.
Resolution: There are two possible solutions to this situation:
1. Import the original agent certificate back into the IPv4/IPv6 page.
2. Generate and download a new sdconf.rec file, delete the agent files including bootstrap.xml and root.cer, place the new sdconf.rec file on the agent, and try to authenticate again.
Agent API 8.5 files are located in /var/ace by default, or in the directory configured in the rsa_api.properties file.
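As an added example (not RSA's code and not part of the agent's own tooling), the POSIX shell script below applies Resolution 2 on a Linux agent host and adds a fingerprint check the article does not describe. It assumes the agent directory is /var/ace (or whatever rsa_api.properties points at), that the new sdconf.rec has already been downloaded from the Security Console, and that root.cer is a DER- or PEM-encoded X.509 certificate readable by openssl; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not RSA tooling. Assumptions: AGENT_DIR is the Agent API
# directory (/var/ace by default), NEW_SDCONF is a freshly generated sdconf.rec.

# reset_agent_config AGENT_DIR NEW_SDCONF
# Moves the old sdconf.rec, bootstrap.xml and root.cer into a timestamped
# backup directory (so the original certificate can still be recovered if
# Resolution 1 is chosen later), installs the new sdconf.rec, and prints the
# backup path. ACEInitialize regenerates bootstrap.xml and root.cer from the
# new sdconf.rec on the next authentication attempt.
reset_agent_config() {
    agent_dir="$1"
    new_sdconf="$2"
    if [ ! -d "$agent_dir" ]; then
        echo "no such agent directory: $agent_dir" >&2
        return 1
    fi
    if [ ! -f "$new_sdconf" ]; then
        echo "no such sdconf.rec: $new_sdconf" >&2
        return 1
    fi

    backup_dir="$agent_dir/backup.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup_dir"
    for f in sdconf.rec bootstrap.xml root.cer; do
        if [ -f "$agent_dir/$f" ]; then
            mv "$agent_dir/$f" "$backup_dir/$f"
        fi
    done
    cp "$new_sdconf" "$agent_dir/sdconf.rec"
    echo "$backup_dir"
}

# cert_fingerprint CERT_FILE
# Prints the SHA-256 fingerprint of a root.cer so it can be compared with the
# "Existing Certificate Details" shown on the IPv4/IPv6 Agent page. Tries DER
# first, then PEM (assumption: root.cer is one of the two). Requires openssl.
cert_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        || openssl x509 -inform PEM -in "$1" -noout -fingerprint -sha256
}

# Usage: ./reset_agent.sh /var/ace /tmp/sdconf.rec
if [ "$#" -eq 2 ]; then
    reset_agent_config "$1" "$2"
fi
```

Run it as root on the agent host, compare the fingerprint of the regenerated root.cer with the certificate shown in the Security Console, then retry the authentication and watch the agent log for the two error lines quoted above.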
Workaround: Restore an original backup that was taken on this AM server, not one from another AM server.
Notes: The original case involved a partner implementation with Fox Technologies BoKS ServerControl 7.0, which uses the TCP-based agent API in order to support IPv6.
You can optionally view the certificate inside an sdconf.rec with Notepad++; it is a Root CA certificate.
There are other Knowledge Base articles on Link that show how to extract certificate information and create a .cer certificate file.