000035701 - The RSA Authentication Manager 8.x RSA RADIUS Server Operations Console Service Stops with a FAILED State.

Document created by RSA Customer Support Employee on Dec 1, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035701
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.1
Platform: Linux
O/S Version: SUSE Enterprise 11 SP3
 
IssueThe RSA RADIUS Server Operations Console FAILED on a replica instance.
The /opt/rsa/am/server/logs/radiusoc.log on the replica instance reports the following:

####<Nov 1, 2017 9:09:00 PM MDT> <Info> <Management> <app82r> <> <Thread-11> <> <> <> <1509592140062> <BEA-141298> <Could not register with the Administration Server: java.rmi.RemoteException: [Deployer:149150]An IOException occurred while reading the input.; nested exception is:
        javax.net.ssl.SSLKeyException: Hostname verification failed: HostnameVerifier=weblogic.security.utils.SSLWLSHostnameVerifier, hostname=app82r.rsa.net.>
####<Nov 1, 2017 9:09:01 PM MDT> <Warning> <Security> <app82r> <> <Thread-10> <> <> <> <1509592141809> <BEA-090504> <Certificate chain received from app82r.rsa.net - 192.168.107.48 failed hostname verification check. Certificate contained app82p.rsa.net but check expected app82r.rsa.net>

 
CauseThe console certificate used by the replica instance did not have the correct Common Name in the certificate hence the failed hostname validation check.
WorkaroundRSA Authentication Manager instances will not allow an administrator to activate a new console certificate while RSA Authentication Manager services are in a FAILED or SHUTDOWN state. The hostname validation check stops the RSA Authentication Manager services from starting, however, the hostname validation check can be disabled until the problem is fixed with a replacement console certificate with the correct Common Name for the authentication manager instance.
Steps
  1. Logon to the authentication manager instance with the rsaadmin account.
  2. Change the account privileges with the command : sudo su -
  3. Navigate to the /opt/rsa/am/server/wrapper using the command : cd /opt/rsa/am/server/wrapper
  4. Take copies of four configuration files AdminServerWrapper.conf, BiztierServerWrapper.conf, ConsoleServerWrapper.conf & RadiusOCServerWrapper.conf as we are about to make changes to these files e.g. cp AdminServerWrapper.conf AdminServerWrapper.conf.ORIG
  5. Check the existing value for the "-Dweblogic.security.SSL.ignoreHostnameVerification" parameter in the four configuration files AdminServerWrapper.conf, BiztierServerWrapper.conf, ConsoleServerWrapper.conf & RadiusOCServerWrapper.confwith the command : cat *.conf | grep ignore
Example:

rsaadmin@app82p:/opt/rsa/am/server/wrapper> cat *.conf | grep ignore
wrapper.java.additional.8=-Dweblogic.security.SSL.ignoreHostnameVerification=false
wrapper.java.additional.47=-Dwrapper.ignore.component.failure=true
wrapper.java.additional.8=-Dweblogic.security.SSL.ignoreHostnameVerification=false
wrapper.java.additional.8=-Dweblogic.security.SSL.ignoreHostnameVerification=false
wrapper.java.additional.7=-Dweblogic.security.SSL.ignoreHostnameVerification=false
rsaadmin@app82p:/opt/rsa/am/server/wrapper>


  1. Change the "-Dweblogic.security.SSL.ignoreHostnameVerification" parameter from false to true in the four configuration files using a command like : sed -i 's/ignoreHostnameVerification=false/ignoreHostnameVerification=true/g' AdminServerWrapper.conf
NOTE: do not forget to make the change to all four files : AdminServerWrapper.conf, BiztierServerWrapper.conf, ConsoleServerWrapper.conf & RadiusOCServerWrapper.conf

  1. Check the "-Dweblogic.security.SSL.ignoreHostnameVerification" parameter has been changed successfully using the command : cat *.conf | grep ignore
Example:

rsaadmin@app82p:/opt/rsa/am/server/wrapper> cat *.conf | grep ignore
wrapper.java.additional.8=-Dweblogic.security.SSL.ignoreHostnameVerification=true
wrapper.java.additional.47=-Dwrapper.ignore.component.failure=true
wrapper.java.additional.8=-Dweblogic.security.SSL.ignoreHostnameVerification=true
wrapper.java.additional.8=-Dweblogic.security.SSL.ignoreHostnameVerification=true
wrapper.java.additional.7=-Dweblogic.security.SSL.ignoreHostnameVerification=true
rsaadmin@app82p:/opt/rsa/am/server/wrapper>


  1. Restart the RSA Authentication Manager Services using the command : /opt/rsa/am/server/rsaserv restart all
  2. If not already done so, replace the console certificate (generate a Certificate Signing Request, submit the CSR to a CA, and request an SSL server certificate, import the SSL server certificate and active the new SSL console certificate) where the Common Name (CN) matches the fully-qualified hostname of the authentication manager instance.
  3. Stop the RSA Authentication Manager server using the command : /opt/rsa/am/server/rsaserv stop all
  4. Revert the changes in the four configuration files where the "-Dweblogic.security.SSL.ignoreHostnameVerification" parameter is false e.g. sed -i 's/ignoreHostnameVerification=true/ignoreHostnameVerification=false/g' AdminServerWrapper.conf
  5. Start the RSA Authentication Manager Services using the command : /opt/rsa/am/server/rsaserv start all

Attachments

    Outcomes