000035550 - Error message "can't connect to ace server" with the RSA Apache Web Agent 8.0

Document created by RSA Customer Support Employee on Oct 14, 2017
Version 1

Article Content

Article Number: 000035550

Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Web
RSA Version/Condition: 8.0 for Apache Web Server
Platform: Linux
O/S Version: RHEL

Issue: When running acestatus, the error below is reported:

Error can't connect to ACE/Server

Also, when running acetest, the error below is seen:

AceInitialize failed
Cause: The Apache web agent works in two modes: UDP (default) and TCP. In TCP mode, the hostname of the machine is set as the name of the agent entry in the Security Console. The two must match exactly and must be the same as the name in rsa_api.properties.
  1. Set the environment variable USEUDP_ENV_VAR to false.

    export USEUDP_ENV_VAR=false

  2. Get the proper hostname of the machine:

    hostnamectl status

    Note: The static, pretty and transient hostnames must be the same. If they need to be changed, here is the syntax:

    # hostnamectl set-hostname "Your Host Name Here"
    # hostnamectl set-hostname "Your Host Name Here" --pretty
    # hostnamectl set-hostname "Your Host Name Here" --static
    # hostnamectl set-hostname "Your Host Name Here" --transient

  3. Set that name properly in rsa_api.properties along with the following other settings:

    # Name of the agent. The same needs to be configured in AM. Default value is the Hostname of the machine
    RSA_AGENT_NAME = <hostname of the Linux server>
    # Path of the AM configuration file.
    # For Windows
    # SDCONF_LOC = C:\RSA_AuthSDK\sdconf.rec
    # For Non-Windows
    SDCONF_LOC = /var/ace/sdconf.rec
    # Folder location where "config.xml", "bootstrap.xml" and "root.cer" will be created.
    # For Windows
    # For Non-Windows
    RSA_CONFIG_DATA_LOC = /var/ace/

    Note 1: RSA_AGENT_NAME must be set here exactly as it is written in the Security Console.
    Note 2: RSA_CONFIG_DATA_LOC is the location of the files needed for TCP and it will be inside a directory with the name of the agent set above.
  4. Start the Apache server using the command below.

    httpd -k start

  • With UDP, neither the config location nor the rsa_api.properties file is used. UDP agent entries in the AM Security Console usually resolve to the hostname.
  • The node secret file (securid) is only used in UDP mode.
  • UDP is the default method of communication; more information can be found in the Apache Agent Guide.
  • TCP was not used until Apache agent 8.0 and above, which uses Agent API ver. 8.5 and above. TCP agent entries in the Security Console usually must resolve to the agent name configured in rsa_api.properties. You can create a single agent entry in the Security Console for multiple (1000s of) TCP agents, provided all agents have the same agent name configured in their rsa_api.properties file.
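
A pre-flight check for steps 1 to 3, to run before starting Apache. This is an added example, not RSA code. It compares the three hostnames with RSA_AGENT_NAME and reports any mismatch. The function names, the `--live` switch and the sample hostname are assumptions, and the path to rsa_api.properties is passed as an argument because the article does not give it.

```shell
#!/bin/sh
# Added example, not RSA code. Assumes rsa_api.properties uses the
# "KEY = value" layout shown in step 3; its path is passed as an argument.

# Print RSA_AGENT_NAME from a properties file, skipping comment lines and
# trimming surrounding whitespace (including a trailing CR).
agent_name_from_props() {
    sed -n 's/^[[:space:]]*RSA_AGENT_NAME[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_tcp_names STATIC PRETTY TRANSIENT PROPS_FILE
# Returns 0 only if all three hostnames equal RSA_AGENT_NAME byte for byte
# (the article requires an exact match), 1 on any mismatch, 2 if the
# property is missing.
check_tcp_names() {
    result=0
    agent=$(agent_name_from_props "$4")
    [ -n "$agent" ] || { echo "RSA_AGENT_NAME not found in $4"; return 2; }
    for pair in "static=$1" "pretty=$2" "transient=$3"; do
        if [ "${pair#*=}" != "$agent" ]; then
            echo "MISMATCH: ${pair%%=*} hostname '${pair#*=}' vs RSA_AGENT_NAME '$agent'"
            result=1
        fi
    done
    return "$result"
}

if [ "${1:-}" = "--live" ]; then
    # Real host: sh check.sh --live /path/to/rsa_api.properties
    # This only sees the current shell's environment, not httpd's.
    [ "${USEUDP_ENV_VAR:-}" = "false" ] || echo "USEUDP_ENV_VAR is not 'false'"
    check_tcp_names "$(hostnamectl --static)" "$(hostnamectl --pretty)" \
        "$(hostnamectl --transient)" "$2"
else
    # Constructed sample: the transient hostname differs only in case.
    demo=$(mktemp)
    printf '# Name of the agent\nRSA_AGENT_NAME = web01.example.com\n' >"$demo"
    check_tcp_names web01.example.com web01.example.com WEB01.example.com "$demo" ||
        echo "demo: mismatch reported as expected"
    rm -f "$demo"
fi
```

The agent entry name in the Security Console still has to be compared by hand, since the script only sees the local host.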