RSA® Authentication Manager 8.2 Service Pack 1 Known Issues

Document created by RSA Information Design and Development on Apr 12, 2017. Last modified by RSA Information Design and Development on Jun 13, 2017.
Version 3

This document describes known issues in RSA Authentication Manager 8.2 Service Pack 1 (SP1). If a workaround or fix is available, it is noted or referenced in detail. Many of the workarounds require administrative privileges. If you do not have the required privileges, contact your administrator.

Authentication (REST-based RSA SecurID Authentication API)

The minLength and maxLength properties are not returned for SECURID and SECURID_NEXT_TOKENCODE methods

Tracking Number: AM-30791

Problem: When a user attempts authentication with the SECURID or SECURID_NEXT_TOKENCODE methods, the RSA SecurID Authentication API does not return the minLength and maxLength properties. Other methods, such as SECURID_NEWPIN and SECURID_SYSTEM_GENERATED_PIN, return numbers.

Workaround: For SECURID and SECURID_NEXT_TOKENCODE, assume a minimum length of 4 and a maximum length of 16; these are the values the server should return.

Date and time when an authentication attempt expires shows the local time and an offset for UTC time

Tracking Number: AM-30797

Problem: The attemptExpires value, which is the date and time when a REST-based authentication attempt expires, shows the local time of the Authentication Manager instance together with its offset from UTC. The offset is expressed in hours and minutes, with +hh:mm indicating that the server is ahead of UTC and -hh:mm indicating that it is behind UTC.

Workaround: This is by design. The Authentication API bases the attemptExpires value on https://www.w3.org/TR/NOTE-datetime, which defines a profile of ISO 8601, the international standard for representing dates and times. Agents should parse the value together with its offset rather than treating it as UTC or as the agent's local time.
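The following Python script is an added example, not part of the RSA documentation or of the Authentication API itself, showing how an agent built on the API can handle AM-30791 and AM-30797 together: it fills in the assumed 4..16 bounds when a SECURID or SECURID_NEXT_TOKENCODE method arrives without minLength and maxLength, and it parses attemptExpires with its zone offset into UTC instead of reading it as local time. The JSON field layout (challengeMethods.challenges[].methods[].methodId, prompt.minLength, prompt.maxLength, attemptExpires) and the sample response are assumptions constructed for the example.

```python
import json
from datetime import datetime, timezone

# Bounds to assume when the server omits minLength/maxLength (AM-30791).
# Assumption: these are the values the server should have returned.
ASSUMED_LENGTHS = {
    "SECURID": (4, 16),
    "SECURID_NEXT_TOKENCODE": (4, 16),
}

# Constructed sample response. The field layout is an assumption for this
# example, not copied from the RSA SecurID Authentication API reference.
SAMPLE_RESPONSE = json.dumps({
    "attemptExpires": "2017-06-13T10:15:30-04:00",
    "challengeMethods": {"challenges": [{"methods": [
        {"methodId": "SECURID", "prompt": {"promptResourceId": "tokencode"}},
        {"methodId": "SECURID_NEWPIN",
         "prompt": {"minLength": 4, "maxLength": 8}},
    ]}]},
})


def prompt_lengths(method):
    """Return (minLength, maxLength) for one challenge method, filling in the
    assumed bounds for the methods the server leaves them out of."""
    prompt = method.get("prompt") or {}
    lo, hi = prompt.get("minLength"), prompt.get("maxLength")
    if lo is None or hi is None:
        method_id = method.get("methodId")
        if method_id not in ASSUMED_LENGTHS:
            raise ValueError("no length bounds for method %r" % method_id)
        default_lo, default_hi = ASSUMED_LENGTHS[method_id]
        lo = default_lo if lo is None else lo
        hi = default_hi if hi is None else hi
    lo, hi = int(lo), int(hi)
    if lo < 0 or hi < lo:
        raise ValueError("inconsistent length bounds %d..%d" % (lo, hi))
    return lo, hi


def input_is_acceptable(method, value):
    """Client-side length check before the collected input is sent back."""
    lo, hi = prompt_lengths(method)
    return lo <= len(value) <= hi


def parse_attempt_expires(value):
    """Parse attemptExpires (W3C-DTF profile of ISO 8601) into an aware UTC
    datetime. The zone offset is required: a naive value would be read in
    whatever local zone the agent runs in, which is the AM-30797 confusion."""
    if value.endswith("Z"):            # W3C-DTF spells UTC as 'Z'
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.utcoffset() is None:
        raise ValueError("attemptExpires has no zone offset: %r" % value)
    return parsed.astimezone(timezone.utc)


def seconds_until_expiry(value, now):
    """Whole seconds left on the attempt at aware datetime `now`; negative
    means the attempt has already expired."""
    return int((parse_attempt_expires(value) - now).total_seconds())


def normalize_response(raw):
    """Summarize a challenge response: length bounds per method and the
    expiry rendered in UTC."""
    resp = json.loads(raw)
    methods = {}
    for challenge in resp["challengeMethods"]["challenges"]:
        for method in challenge["methods"]:
            methods[method["methodId"]] = prompt_lengths(method)
    return {
        "expiresUtc": parse_attempt_expires(resp["attemptExpires"]).isoformat(),
        "methods": methods,
    }


if __name__ == "__main__":
    print(normalize_response(SAMPLE_RESPONSE))
```

Raising on a missing offset rather than defaulting is deliberate: an agent that silently assumed UTC for a server running in UTC-4 would reject or accept attempts four hours off the real deadline.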

Certain REST-based authentication failures are not logged to the Authentication Activity Monitor

Tracking Number: AM-30864

Problem: If you build and deploy authentication agents that use the Authentication API, the following authentication failures are not logged in the Authentication Activity Monitor:

  • Authentication fails because an incorrect challenge method name is given.
  • Authentication fails because an invalid collected input name is given.

Workaround: Configure the imsTrace.log file to display “Errors.” Do the following:

  1. In the Security Console, select Setup > System Settings.
  2. Click Logging.
  3. Select an instance, and click Next.
  4. From the Trace Log drop-down list, select Error.
  5. Click Save.

After an error occurs, you can use SSH to log on to the appliance operating system. View the details in the imsTrace.log file in the /opt/rsa/am/server/logs directory.

Backup and Restore

Restoring a backup to a new deployment requires an additional procedure for the web tier

Tracking Number: AM-30099

Problem: If you restore an RSA Authentication Manager backup to a new deployment, the web tier cannot be reinstalled. Generating the web-tier deployment package results in a web-tier host certificate failure.

Workaround: Before you generate the web-tier deployment package, you must disable and re-enable the virtual host:

  1. To disable the virtual host, in the Operations Console, click Deployment Configuration > Virtual Host & Load Balancing, clear the Configure a virtual host and load balancers check box, and click Save.
  2. To enable the virtual host, see “Configure a Load Balancer and Virtual Host” on RSA Link: https://community.rsa.com/docs/DOC-77114.
  3. You can then generate the web-tier deployment package. For instructions, see “Add a Web-Tier Deployment Record” on RSA Link: https://community.rsa.com/docs/DOC-77345.

Restored certificates cannot be activated after restoring a backup to a new deployment

Tracking Number: AM-30103

Problem: After you restore a backup to a new deployment, the restored certificates cannot be activated. The restored certificates were issued with the hostname of the original Authentication Manager instance.

Workaround: Either create new certificates or continue to use the certificates that were present on the Authentication Manager instance before the backup was restored. For instructions, see “Console Certificate” on RSA Link: https://community.rsa.com/docs/DOC-77021.

Local backup fails after planned promotion of a replica instance

Tracking Number: AM-30364

Problem: After promoting a replica instance to primary, attempting to make a local backup from the new primary fails, triggering the message “An error occurred while backing up the system: Failed to backup the system files.”

Workaround:

  1. Log on to the appliance using an SSH client.
  2. Change directories:

    cd /opt/rsa/am/utils

  3. Type the following, then press ENTER to update TLS 1.2 Mode properties:

    ./rsautil store -a enable_min_protocol_tlsv1_2 <setting> restart

    Where <setting> is true if you want to enforce strict TLS 1.2 Mode, or false if you do not.

Documentation

Forward and back arrow buttons do not work when you open Help topics through a direct link

Tracking Number: AM-30700

Problem: After you open a Help topic through the Help on this page menu, the forward and back arrow buttons do not work. If you click Help > All Help Topics, you can use these buttons to display Help topics in the order listed in the Contents frame.

Workaround: After opening a topic through the Help on this page menu, you can search for additional topics or select additional topics through the Contents frame. Selecting a second Help topic enables the forward and back arrow buttons.

The “Delete a Replica Instance” topic is missing from the Help

Tracking Number: AM-30793

Problem: In the "About the Operations Console" topic, the Related Tasks link displays "am_t_Delete_Replica_Instance." Clicking this link results in "Error 404 - Not Found."

Workaround: The “Delete a Replica Instance” topic is missing from the Help in the consoles. This topic is available on RSA Link: https://community.rsa.com/docs/DOC-77468 .

The Agent Integration Script page in the Security Console contains three broken Help links

Tracking Number: AM-30942

Problem: On the Agent Integration Script page, clicking the links in the Help on this page menu results in “Error 404 - Not Found.”

Workaround: Click Help > All Help Topics. The agent topics are located in the Authentication Agents book.

In addition, all Authentication Manager Help topics are available on RSA Link.

The “Configure a Timeout Setting for Authentication Requests” topic includes an incomplete command

Tracking Number: AM-30987

Problem: You can change how long RSA Authentication Manager waits for a response for the identity routers in an RSA SecurID Access trusted realm. Running the command provided in the Authentication Manager “Configure a Timeout Setting for Authentication Requests” topic results in an error message.

Workaround: The command must include “update_config” and “GLOBAL.” Run the following command:

./rsautil store -a update_config ims.trust.via.read_timeout number GLOBAL

where number is the new timeout value in milliseconds. For example, type 45000 to change the timeout value to 45 seconds.

The corrected topic is available on RSA Link: https://community.rsa.com/docs/DOC-77227.

Firewall

Restrict port 7050 for read-only database users to prevent OpenSSL denial of service vulnerabilities

Tracking Number: AM-30811

Problem: Adding read-only database users opens port 7050, which accepts packets from any IP address.

Workaround: To prevent the OpenSSL denial of service vulnerabilities described in https://www.openssl.org/news/secadv/20160922.txt, you must configure the appliance internal firewall to open port 7050 only for the IP addresses that are specified for read-only database users. Restricting the source addresses matters because the issues in that advisory are reachable during TLS negotiation, before any database credential is checked; the restriction limits who can attempt that handshake but does not patch OpenSSL itself. Do the following:

  1. Log on to the appliance using an SSH client.
  2. Enter the following command:

    sudo su -

  3. Change directories:

    cd /opt/rsa/am/utils/bin/appliance

  4. Type the following, and then press ENTER:

    ./configureFirewall.sh close postgres inet,tcp,7050

  5. Enter the following command, and then press ENTER:

    ./configureFirewall.sh open-4ip postgres inet,tcp,7050,<IP address>

    Where <IP address> is the IP address from which read-only database users remotely connect to the database.

  6. Repeat step 5 for each IP address that requires database access.

Appliance internal firewall lists port 7050 as open for a deleted read-only database user’s IP address

Tracking Number: AM-30909

Problem: After you delete a read-only database user, port 7050 is listed as open for the deleted user’s IP address. The deleted user cannot connect with the deleted User ID. Port 7050 can accept packets from the IP address, but no credentials exist to complete the connection.

Workaround: Close port 7050 for the deleted user’s IP address. Deploy the appliance in a subnet that also has an external firewall to segregate it from the rest of the network.

Appliance internal firewall creates more than one ACCEPT rule and DROP rule for the same IP address

Tracking Number: AM-30911

Problem: The appliance internal firewall creates an ACCEPT rule and a DROP rule for each user's IP address in the Authentication Manager internal database. When more than one user has the same IP address, the firewall creates multiple ACCEPT and DROP rules for that address.

Workaround: No additional actions are necessary. The duplicate rules are successfully applied.
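The following Python script is an added example, not an RSA tool, for checking the result of the three firewall items above (AM-30811, AM-30909 and AM-30911) after running configureFirewall.sh. It assumes the appliance internal firewall is iptables-based, that its rules can be listed with `iptables -S`, and that read-only database access appears as per-source ACCEPT and DROP rules on tcp/7050; the rule listing embedded in the script is constructed sample data, and the addresses in it are invented. It flags port 7050 still open to any source, ACCEPT entries for addresses that no current read-only database user connects from (the leftover of a deleted user), expected addresses with no ACCEPT at all, and duplicate rules, which the page says are applied successfully.

```python
import ipaddress
import re
import sys
from collections import Counter

DB_PORT = 7050

# Constructed sample of `iptables -S` output. Assumption: the appliance's
# internal firewall is iptables-based and expresses read-only database access
# as per-source ACCEPT and DROP rules on tcp/7050. 10.1.2.10 is a current
# read-only user, 10.1.2.77 belongs to a user that has since been deleted,
# and the unrestricted ACCEPT is the pre-workaround state from AM-30811.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -s 10.1.2.10/32 -p tcp -m tcp --dport 7050 -j ACCEPT
-A INPUT -s 10.1.2.10/32 -p tcp -m tcp --dport 7050 -j DROP
-A INPUT -s 10.1.2.10/32 -p tcp -m tcp --dport 7050 -j ACCEPT
-A INPUT -s 10.1.2.10/32 -p tcp -m tcp --dport 7050 -j DROP
-A INPUT -s 10.1.2.77/32 -p tcp -m tcp --dport 7050 -j ACCEPT
-A INPUT -s 10.1.2.77/32 -p tcp -m tcp --dport 7050 -j DROP
-A INPUT -p tcp -m tcp --dport 7050 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5500 -j ACCEPT
"""

APPEND_RE = re.compile(r"^-A\s+(?P<chain>\S+)(?P<body>.*)$")


def parse_rule(line):
    """Pull chain, source network, protocol, destination port and target out
    of one `-A` line; policy (-P) and chain (-N) lines return None."""
    match = APPEND_RE.match(line.strip())
    if not match:
        return None
    body = match.group("body")
    src = re.search(r"\s-s\s+(\S+)", body)
    proto = re.search(r"\s-p\s+(\S+)", body)
    dport = re.search(r"\s--dport\s+(\d+)", body)
    target = re.search(r"\s-j\s+(\S+)", body)
    return {
        "chain": match.group("chain"),
        "source": ipaddress.ip_network(src.group(1), strict=False) if src else None,
        "proto": proto.group(1) if proto else None,
        "dport": int(dport.group(1)) if dport else None,
        "target": target.group(1) if target else None,
    }


def audit_db_port(rules_text, expected_ips):
    """Compare the tcp/7050 ACCEPT rules against the addresses that current
    read-only database users connect from. This is a state check on the
    listed rules, not a simulation of iptables first-match evaluation."""
    expected = {ipaddress.ip_network(ip, strict=False) for ip in expected_ips}
    accepted = set()
    open_to_any = False
    counts = Counter()
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if not rule or rule["proto"] != "tcp" or rule["dport"] != DB_PORT:
            continue
        counts[line.strip()] += 1
        if rule["target"] != "ACCEPT":
            continue
        if rule["source"] is None or rule["source"].prefixlen == 0:
            open_to_any = True          # no -s, or 0.0.0.0/0: AM-30811 state
        else:
            accepted.add(rule["source"])
    return {
        "open_to_any": open_to_any,
        "unexpected": sorted(str(n) for n in accepted - expected),   # AM-30909
        "missing": sorted(str(n) for n in expected - accepted),
        "duplicates": {r: c for r, c in counts.items() if c > 1},    # AM-30911
    }


if __name__ == "__main__":
    # Pipe real output in (`iptables -S | python3 audit_7050.py 10.1.2.10 ...`)
    # or run with no input to audit the constructed sample.
    rules = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES
    allowed = sys.argv[1:] or ["10.1.2.10"]
    for key, val in audit_db_port(rules, allowed).items():
        print(key, val)
```

On the sample, the audit reports port 7050 open to any source, 10.1.2.77/32 as an unexpected ACCEPT, nothing missing, and two duplicated rule lines; after the `close` and `open-4ip` steps above are applied for the current users only, the expected result is no open-to-any rule and an empty unexpected list.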

Promotion for Maintenance

After promoting a replica instance to primary, attempting to promote the former primary instance back to primary status fails

Tracking Number: AM-30394, AM-30564

Problem: Promoting a replica instance to primary succeeds, but subsequent attempts to promote the former primary instance back to primary status fail, triggering the message “Promotion was unsuccessful. Unable to extract logs from original primary.”

Workaround:

  1. Log on to the appliance using an SSH client.
  2. Change directories:

    cd /opt/rsa/am/utils

  3. Type the following, then press ENTER to update TLS 1.2 Mode properties:

    ./rsautil store -a enable_min_protocol_tlsv1_2 <setting> restart

    Where <setting> is true if you want to enforce strict TLS 1.2 Mode, or false if you do not.

No information displayed on the primary instance Progress Monitor during a promotion for maintenance

Tracking Number: AM-30839

Problem: If you log on to the Operations Console of the replica instance, promote the replica instance, and then log on to the Operations Console of the current primary instance during the promotion, the primary instance Progress Monitor does not show any information.

Workaround: Log back on to, or remain logged on to, the Operations Console of the replica instance during the promotion to view the Progress Monitor information. When the promotion is complete, the Operations Console confirms the promotion to a primary instance and lists the next steps.

Only the administrator running the pre-promotion check on a replica instance can see the status

Tracking Number: AM-30849

Problem: Before promoting a replica instance, you must run the pre-promotion check. Another administrator cannot view the status or results of this task in the Progress Monitor.

Workaround: This functionality is intentional. The pre-promotion check allows the administrator who is promoting the replica instance to identify and correct any issues. When the promotion for maintenance begins, any administrator can view the Progress Monitor on the replica instance that is being promoted.

RSA RADIUS

Cannot create IPv4 addresses for IPv6 RADIUS clients after removing IPv6 network settings

Tracking Number: AM-29485

Problem: If you disable IPv6 network settings in the Operations Console, you cannot update existing IPv6 RADIUS clients to use IPv4 addresses.

Workaround: Re-enable IPv6 network settings, update the IPv6 RADIUS clients to use IPv4 addresses, and then disable the IPv6 network settings again. Delete any IPv6 RADIUS clients that are no longer needed.

Authentication Manager does not track which IPv6 RADIUS Clients are sending authentication requests

Tracking Number: AM-29509

Problem: If the <ANY> client is not selected, Authentication Manager should track which IPv6 RADIUS clients are sending authentication requests. Instead, authentication requests using the shared secret specified for the <ANY> client are processed regardless of the originating client’s IPv6 address.

Workaround: This feature works for IPv4 RADIUS clients. This issue is being resolved in a future RSA Authentication Manager 8.2 patch.

RSA SecurID Authenticate Tokencodes

Bulk Administration 1.6.0 (AMBA) utility does not support RSA SecurID Authenticate Tokencodes

Tracking Number: AM-30858

Problem: The RSA Authentication Manager 8.2 Service Pack 1 Bulk Administration 1.6.0 (AMBA) utility does not support the RSA SecurID Authenticate app. For example, you cannot use the unassign or replace token commands for RSA SecurID Authenticate Tokencodes.

Workaround: Use the Security Console to manage Authenticate Tokencodes. For more information, see the Authentication Manager Help topic “RSA SecurID Authenticate Tokencodes.”

No entries for the RSA SecurID Authenticate app on the SecurID Token Statistics page

Tracking Number: AM-30915

Problem: On the SecurID Token statistics page, no information is displayed for the RSA SecurID Authenticate app.

Workaround: All custom reports that display RSA SecurID hardware and software tokens include the RSA SecurID Authenticate app, except for the “Token Expiration Report.” For more information, see “Reports” on RSA Link: https://community.rsa.com/docs/DOC-77230.

RSA Token Management Snap-in (MMC)

RSA Token Management snap-in for Active Directory does not allow administrators to edit certain properties for undistributed software tokens

Tracking Number: AM-30916

Problem: The RSA Token Management snap-in for Active Directory does not allow administrators to edit the Notes field or choose whether to require a PIN for software tokens that have not yet been distributed.

You can change other Authentication Settings, such as clearing an existing PIN, requiring a PIN change on the next logon, and disabling the token.

Workaround: Do one of the following:

  • Distribute the software tokens. After the tokens are distributed, you can edit these fields with the RSA Token Management snap-in.
  • Use the Security Console to manage all tokens.

Upgrading

Do not promote a version 8.2 replica instance if there is a version 8.2 SP1 primary instance

Tracking Number: AM-29322

Problem: After the primary instance has been upgraded to RSA Authentication Manager 8.2 SP1, promoting a version 8.2 replica instance for disaster recovery creates a second primary instance. The same issue occurs if you upgrade a primary instance from version 8.1 SP1 to version 8.2 and then promote a version 8.1 SP1 replica instance.

Workaround: If the Authentication Manager upgrade does not succeed, you must restore from a backup file, a VMware snapshot, or a Hyper-V checkpoint. Always upgrade the primary instance before upgrading the replica instances in your version 8.1 SP1 deployment.

Web-Tier Installer License Agreement screen includes clickable links that do not open external websites

Tracking Number: AM-30162

Problem: The Web-Tier Installer includes a License Agreement screen that allows you to click the links for external websites. The links redirect you to the top of the license agreement.

Workaround: To visit the external websites, copy each link from the License Agreement screen, and paste it into a browser.

Hardened RSA Authentication Manager 8.2 machine without a Network Time Protocol (NTP) server not restarting after an upgrade

Tracking Number: AM-30172

Problem: If an RSA Authentication Manager 8.2 machine that was hardened with the ADG Security Control file does not have access to an NTP server, it will not restart after a successful upgrade to RSA Authentication Manager 8.2 SP1. The same issue can occur after upgrading a hardened version 8.1 SP1 machine to version 8.2.

Workaround: Before upgrading a hardened machine, select an NTP server as a time source. Go to Administration > Date & Time, and follow the instructions in “Update System Date and Time Settings” on RSA Link: https://community.rsa.com/docs/DOC-76927.

Updating the web tier on Linux creates empty rsa-install folders in the /tmp directory

Tracking Number: AM-30868

Problem: After you install the version 8.2 SP1 web tier on Linux, any update, such as adding a custom logo, leaves empty folders with the prefix “rsa-install” in the /tmp directory.

Workaround: In the /tmp directory, delete the empty rsa-install folders.

Miscellaneous

The first Quick Setup task on a Hyper-V virtual appliance displays a later start time than the second task

Tracking Number: AM-28393

Problem: If you select a Network Time Protocol (NTP) server for RSA Authentication Manager that the Hyper-V host machine does not use, the first Quick Setup task might display a later start time than the second Quick Setup task.

Workaround: This time display issue does not affect deployment or RSA SecurID authentication.

VMware virtual appliance does not include a DVD/CD drive

Tracking Number: AM-28663

Problem: The VMware virtual appliance does not include a DVD/CD drive for applying updates.

Workaround: Use the VMware vSphere Client to shut down the virtual machine and add a DVD/CD drive. For more information, see the Help topic “VMware DVD/CD or ISO Image Mounting Guidelines” on RSA Link at https://community.rsa.com/docs/DOC-77220.

In addition, you can apply Authentication Manager updates through your local browser, or you can scan for stored updates in an NFS share or a Windows shared folder.

Operations Console shows intermittent replication failure on the primary instance

Tracking Number: AM-30373

Problem: The Operations Console displays intermittent reports that replication has failed on the primary instance. Actual replication of data between instances works properly, but the replication status error interferes with all Authentication Manager functions that rely on a system health check.

Workaround: Modify objects (such as users or tokens) using the Security Console, or perform authentication to trigger replication and reset the replication status indicator.

Generating System Log Report fails when downloading troubleshooting logs from Operations Console

Tracking Number: AM-30375

Problem: When downloading troubleshooting files from the Operations Console, the Generating System Log Report task fails in cases where the System Log Report file size is too large. The rest of the troubleshooting files generate successfully, but system log data is not included.

Workaround: Clear the System Log Report checkbox to omit system log data from the report, or reduce the number of reporting days when downloading troubleshooting files. You can generate the System Log Report separately from the Reporting tab in the Security Console.
