000034259 - RSA Authentication Agent 7.1 for PAM for AIX acetest program fails to authenticate a username

Document created by RSA Customer Support Employee on Nov 30, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 3.


Article Number: 000034259
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
RSA Version/Condition: 7.1
Issue: The acetest program included with the PAM agent reports the following error when installed on IBM AIX:

Unexpected error from ACE/Agent API 

The real-time authentication activity monitor reports the following error when authentications are sent to an Authentication Manager server:

Node secret mismatch: cleared on agent but not on server

Cause: The RSA Authentication Agent for PAM for AIX consists of 32-bit binaries, and the PAM agent has been installed on a 64-bit IBM AIX server where another third-party product, which uses 64-bit binaries, is acting as another authentication agent. The node secret was created by the third-party product, and the PAM agent is unable to read that node secret.
Resolution: The third-party product on the IBM AIX server and the RSA Authentication Agent for PAM for IBM AIX must use different folders to store their SecurID configuration files. A conversion utility provided with the PAM agent, called ns_conv_util, can be used to convert the node secret file (securid) created by the third-party product so that the PAM agent can read the converted node secret.
NOTE: The default location of the SecurID configuration files used by the PAM agent is /var/ace, but this can be changed by editing the /etc/sd_pam.conf file.
For information on the usage of ns_conv_util, please refer to pages 18 and 19 of the RSA Authentication Agent 7.1 for PAM Installation and Configuration Guide for AIX.
Notes: The SecurID configuration files are:
  • The sdconf.rec (configuration record generated from the Security Console),
  • The securid (node secret) normally created during the first authentication attempt from the agent to the Authentication Manager server(s),
  • The sdstatus.12 created by the PAM agent that lists the servers in the deployment and which of them are responding fastest, and
  • The sdopts.rec which allows for an IP address to be specified that is used to communicate with the Authentication Manager deployment server(s).
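The following POSIX shell script is an added diagnostic example and is not part of the RSA article or the PAM agent. It supports the Resolution above (the two agents must keep their SecurID files in separate folders) and the Notes list (the four files that make up that configuration): it reads the configuration directory the PAM agent will use from a given sd_pam.conf, reports which of sdconf.rec, securid, sdstatus.12 and sdopts.rec are present there, and checks that the directory is not the same path as the one the third-party agent uses. It assumes the directory is set in sd_pam.conf by a VAR_ACE= key (the article only says the file can be edited and does not name the key) and falls back to the documented default /var/ace; the temporary files it creates for the demonstration at the bottom are constructed sample input.

```shell
#!/bin/sh
# Added example, not RSA's code. Diagnoses whether the PAM agent's SecurID
# configuration folder is separate from a third-party agent's folder.

# Print the SecurID configuration directory the PAM agent would use.
# ASSUMPTION: the key in sd_pam.conf is VAR_ACE=<dir>; default is /var/ace.
pam_ace_dir() {
    conf="$1"
    dir=$(sed -n 's/^[[:space:]]*VAR_ACE[[:space:]]*=[[:space:]]*//p' "$conf" 2>/dev/null \
          | sed 's/[[:space:]]*$//' | head -n 1)
    if [ -n "$dir" ]; then
        printf '%s\n' "$dir"
    else
        printf '%s\n' /var/ace
    fi
}

# Report, one line per file, which of the four SecurID files exist in a directory.
list_securid_files() {
    dir="$1"
    for f in sdconf.rec securid sdstatus.12 sdopts.rec; do
        if [ -f "$dir/$f" ]; then
            printf '%s present\n' "$f"
        else
            printf '%s missing\n' "$f"
        fi
    done
}

# Resolve a directory to its physical path so /var/ace and /var/./ace compare equal.
canon_dir() {
    (cd "$1" 2>/dev/null && pwd -P) || printf '%s\n' "$1"
}

# Succeed (exit 0) only when the PAM agent and the third-party agent use
# different physical directories; exit 1 when they share one.
dirs_are_separate() {
    [ "$(canon_dir "$1")" != "$(canon_dir "$2")" ]
}

# Demonstration on constructed sample data in a temporary directory.
demo=$(mktemp -d)
mkdir -p "$demo/pam_ace" "$demo/third_party_ace"
printf 'VAR_ACE=%s/pam_ace\n' "$demo" > "$demo/sd_pam.conf"   # constructed sd_pam.conf
: > "$demo/pam_ace/sdconf.rec"                               # constructed empty placeholder

pamdir=$(pam_ace_dir "$demo/sd_pam.conf")
echo "PAM agent SecurID directory: $pamdir"
list_securid_files "$pamdir"
if dirs_are_separate "$pamdir" "$demo/third_party_ace"; then
    echo "OK: PAM agent and third-party agent use separate folders"
else
    echo "WARNING: both agents share one SecurID folder; node secret conflicts likely"
fi
rm -rf "$demo"
```

Run it as root on the AIX host with the real /etc/sd_pam.conf and the third-party product's directory substituted for the constructed paths; a "WARNING" line indicates the shared-folder condition described in the Cause, and a missing securid file in the PAM directory is expected until the first successful authentication (or until ns_conv_util has produced a converted copy).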