000034979 - Failed to backup RSA Authentication Manager 8.x RADIUS audit log files

Document created by RSA Customer Support Employee on Mar 29, 2017Last modified by RSA Customer Support Employee on Jul 28, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000034979
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
IssueFailed to complete a manual backup with error at Backing up RADIUS:

An error occurred whole backing up the system:  Failed to backup RADIUS.
Please call customer support.  For error details, check the Advanced Status View.

 
User-added image

The Advanced View shows the error below:
An error occurred whole backing up the system:

Failed to backup RADIUS
Please call customer support.  For erorr details check he Advanced View.


User-added image'
 

The /opt/rsa/am/server/logs/ops-console.log shows the following error:

@@@2017-03-12 22:46:08,283 ERROR [serviceExecutor-1] GUILog.traceThrowable(637) | error: 
com.rsa.ims.operationsconsole.admin.taskmgr.TaskExecutionException: Failed to perform a RADIUS backup.
at com.rsa.ims.operationsconsole.admin.backup.tasks.RadiusBackupTask.execute(RadiusBackupTask.java:100)
at com.rsa.ims.operationsconsole.admin.backup.tasks.RadiusBackupTask$$FastClassByCGLIB$$2b80a329.invoke(<generated>)
at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:149)
at org.springframework.aop.framework.Cglib2AopProxy$CglibMethodInvocation.invokeJoinpoint(Cglib2AopProxy.java:688)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.aop.aspectj.AspectJAfterThrowingAdvice.invoke(AspectJAfterThrowingAdvice.java:55)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:621)
at com.rsa.ims.operationsconsole.admin.backup.tasks.RadiusBackupTask$$EnhancerByCGLIB$$dc56e799.execute(<generated>)
at com.rsa.ims.operationsconsole.admin.backup.scheduler.service.AsyncBackupJobWorkerImpl.execute(AsyncBackupJobWorkerImpl.java:231)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.aop.interceptor.AsyncExecutionInterceptor$1.call(AsyncExecutionInterceptor.java:81)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:139)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:919)
at java.lang.Thread.run(Thread.java:680)
Caused by: com.rsa.ims.operationsconsole.admin.backup.exception.RadiusBackupException: Failed to backup RADIUS audit log files. IOException occurred.
at com.rsa.ims.operationsconsole.admin.backup.tasks.RadiusBackupTask.performRadiusAuditBackup(RadiusBackupTask.java:387)
at com.rsa.ims.operationsconsole.admin.backup.tasks.RadiusBackupTask.execute(RadiusBackupTask.java:92)
CauseThe audit log file ownership was root:rsaadmin on both the *.act and * log files in /opt/rsa/am/radius directory.
In this instance the RADIUS configuration in the radius.ini is different from a standard installed configuration file.  It may be an older RADIUS configuration inherited from the migrated system. For example, the customer has migrated from Authentication Manager 7.1.
It may be that the file owner and other configuration are being set incorrectly because the customer lacks the [AuditLog] section.
[AuditLog]
Enable = 1
LogfilePermissions      = rsaadmin:rsaadmin 600
;DaysToKeep             = 30    ;  1 or greater - Number of days to retain an audit-log file
Resolution
  1. Check if the file ownership is root:rsaadmin as below: 
-rw------- 1 root rsaadmin 1149840 Mar 13 09:44 /opt/rsa/am/radius/20170331.log

  1. Change the ownership of the radius file, as shown below: 
sudo chown rsaadmin:rsaadmin /opt/rsa/am/radius/*.act 
sudo chown rsaadmin:rsaadmin /opt/rsa/am/radius/*.log

  An example output of running ll or ls -l is similar to what is shown here: 

ll
-rw------- 1 rsaadmin rsaadmin  2261 Mar  1 00:00 /opt/rsa/am/radius/20170331.act
-rw------- 1 rsaadmin rsaadmin 48106 Mar  1 23:52 /opt/rsa/am/radius/20170331.log

  1. Be sure to include the [AuditLog] section header in square brackets and remember to restart RADIUS after modifying the config files.
/opt/rsa/am/server/rsaserv restart radius

  1. Alternatively, please securely copy the radius.ini file to /tmp on the RSA Authentication Manager primary instance.
  2. Open an SSH session and log in as rsaadmin.
  3. Type:
mv /opt/rsa/am/radius/radius.ini /opt/rsa/am/radius/radius_old.ini
cp /tmp/radius.ini /opt/rsa/am/radius/radius.ini

  1. Please change the permission of the RADIUS configuration file correctly, as shown below.
sudo chmod 644 /opt/rsa/am/radius/radius.ini

  1. Type the command below to verify the file ownership and permissions :
ll /opt/rsa/am/radius/radius.ini
-rw-r--r-- 1 rsaadmin rsaadmin 4168 Mar 16 10:22 /opt/rsa/am/radius/radius.ini

  1. Then attempt to run either Backup Now or a Scheduled Backup from the Operations Console. The backup should complete successfully.
NotesThe Advanced Status View may return an error:
Backing up RADIUS audit logs...
entry '/am.radius.logs.deleteAfterBackup/vista.log' closed at '0' before the '147852' bytes specified in the header were written
Failed to backup RADIUS audit log files. IOException occurred.


Running an ls -al on the file shows the owner is root:

-rw------- 1 root rsaadmin 36236 May  6 11:17 /opt/rsa/am/radius/vista.log

To resolve, correct the ownership of the /opt/rsa/am/radius/vista.log  to rsaadmin with the following command:
sudo chown rsaadmin:rsaadmin /opt/rsa/am/radius/vista.log
ls -al /opt/rsa/am/radius/vista.log
-rw------- 1 rsaadmin rsaadmin 36236 May 6 11:17 /opt/rsa/am/radius/vista.log

The backup should now complete correctly.

Outcomes