|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.1, 8.2
RSA Product/Service Type: Authentication Manager Web Tier
O/S Version: Red Hat Enterprise Linux 5 (64-bit), 6 (64-bit), Microsoft Windows Server 2008 R2 (64-bit), Windows Server 2012 (64-bit) or Windows Server 2012 R2 (64-bit)
|Issue||The web tier server allows internet access to provision tokens through the Authentication Manager Self-Service Console (SSC). The web tier virtual host is an F5 Local Traffic Manager (LTM) with an internet-resolvable DNS name. The virtual host private key was exported with Java Keytool and imported into the F5 so that internet SSL connections can be terminated on the F5. The F5 uses three internal/DMZ IP addresses, referred to as secure network address translation (SNAT) addresses, as the source IP address of the packets it forwards to the web tiers.|
We noticed a success rate of less than 100% when logging into the SSC through the web tier from an F5 Internet connection. Failures all occur as soon as the user ID is entered; no time is given to enter the passcode. The browser reloads the /IMS-AA-IDP/InitialLogonDispatch.do page and prompts the user to log in again. Sometimes it logs the user in, but the screen does not render completely. Sometimes it renders completely, but clicking a link and backing up throws the user back to the logon screen, displaying the Self-Service Console logon with the following error:
Your request cannot be processed at this time. It either has been processed or is a bad request. Return to home and try again.
The [wt_home]/server/logs/imsConsoleTrace.log on the web tier shows the following error:
|Tasks||The following tasks will need to be completed:|
|Resolution||To resolve this issue,|
Note that you will be able to see the addition in the Operations Console but will not be able to edit it.
|Notes||If a range of IP addresses is needed, as for the Cloudflare CDN, here is an example of adding subnets:|
This will add those subnets: