000035813 - How to test RSA SecurID Access identity router (IDR) Secure Connector connectivity

Document created by RSA Customer Support Employee on Dec 9, 2017. Last modified by RSA Customer Support Employee on Mar 26, 2020. Version 11.

Article Content

Article Number: 000035813
Applies To: RSA Product Set: SecurID Access
Issue: Connectivity between the identity router (IDR) and its SecurID Access cloud tenant is being questioned.
Resolution: A helpful troubleshooting step is to try accessing the Secure Connector health.api URL. Do this from a browser on the same subnet as the IDR proxy interface, or directly from the IDR using the wget command.

The URL is of the form <tenant id>.auth.securid.com/secure-connector-fe/health.api, where <tenant id> is the value that is initially set in the Administrator Console under My Account > Company Settings > Company Information tab > Company ID field.

The following is an example wget command from the IDR command line. The --bind-address switch should specify the IDR's proxy IP address. The downloaded health.api file contains Connection OK when the check succeeds.

See Access SSH for Identity Router Troubleshooting for how to reach the IDR command line (alternatively, SSH can be enabled on the IDR from its Setup page with Enable Emergency SSH):
[idradmin@idr.gs00.example.com ~]$ wget --no-check-certificate --bind-address <IDR Proxy IP> https://mycompany.auth.securid.com/secure-connector-fe/health.api
--2019-01-09 21:58:28--  https://mycompany.auth.securid.com/secure-connector-fe/health.api
Resolving mycompany.auth.securid.com... 191.237.22.167
Connecting to mycompany.auth.securid.com|191.237.22.167|:443... connected.
HTTP request sent, awaiting response... 200
Length: 13 [text/plain]
Saving to: `health.api.1'
100%[==========================================================>] 13          --.-K/s   in 0s

2019-01-09 21:58:30 (2.70 MB/s) - `health.api.1' saved [13/13]

[idradmin@idr.gs00.example.com ~]$ more health.api
Connection OK

The above wget command checks HTTPS (and also TCP and IP level) connectivity, from the identity router to the Current Cloud IP address only. The Cloud Authentication Service Connection IP addresses for each identity router are listed on the identity router's status page in the Cloud Administration Console.

To check connectivity to any of the Alternate Cloud IP addresses listed on the identity router's status page, use the following command instead of wget:

openssl s_client -connect <alternate-cloud-ip-address>:443

If the connection to any Current or Alternate Cloud IP is failing, check the TLS handshake by adding the -state parameter as follows:

openssl s_client -connect <cloud-ip-address>:443 -state


Cloud Authentication Service IP addresses intentionally do not respond to ICMP ECHO, so it is not possible to get a response if you ping a Cloud IP. Contact RSA Support for further troubleshooting assistance if required.
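The following Python script is an added example, not part of the RSA article and not an RSA tool: it reproduces the two checks above (the wget fetch of health.api bound to the IDR proxy IP, and the openssl s_client handshake to each Alternate Cloud IP) so that they can be run as one command from a host on the IDR proxy subnet. It uses only the standard ssl and http.client modules; the tenant id, proxy IP and alternate IPs are placeholders supplied on the command line; the region prefixes are taken from the note below about auth-eu and auth-anz; and the issuer-organization read-out is a heuristic suggested by the note about transparent proxies, not a documented RSA check.

```python
"""Scripted equivalent of the wget / openssl connectivity checks (added example)."""
import http.client
import socket
import ssl

# Hostname prefix per hosting region, as the article's notes describe.
REGION_HOST_PREFIX = {"us": "auth", "eu": "auth-eu", "anz": "auth-anz"}
HEALTH_PATH = "/secure-connector-fe/health.api"
EXPECTED_BODY = "Connection OK"  # body the article shows on success


def health_host(tenant_id, region="us"):
    """Build the Secure Connector hostname, e.g. mycompany.auth.securid.com."""
    return f"{tenant_id}.{REGION_HOST_PREFIX[region]}.securid.com"


def interpret_health(status, body):
    """Classify a health.api response: HTTP 200 with body 'Connection OK' is success."""
    if status != 200:
        return f"FAIL: HTTP {status}"
    if body.strip() != EXPECTED_BODY:
        return f"FAIL: unexpected body {body.strip()!r}"
    return "OK"


def issuer_org(issuer):
    """organizationName from the issuer tuple that ssl's getpeercert() returns."""
    for rdn in issuer:
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def check_health_api(tenant_id, source_ip=None, region="us", timeout=10):
    """HTTPS GET of health.api with the source address bound to the IDR proxy IP,
    like wget --bind-address. Certificate verification stays ON (unlike the
    article's --no-check-certificate) so an unexpected issuer, e.g. a transparent
    proxy, fails loudly. Returns (status, body, leaf-certificate issuer)."""
    host = health_host(tenant_id, region)
    src = (source_ip, 0) if source_ip else None
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       source_address=src,
                                       context=ssl.create_default_context())
    conn.connect()                         # handshake now, so the socket is still ours
    issuer = conn.sock.getpeercert().get("issuer", ())
    conn.request("GET", HEALTH_PATH)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, body, issuer


def tls_handshake(ip, port=443, source_ip=None, timeout=10):
    """TCP connect plus TLS handshake to a Cloud IP, the scripted form of
    `openssl s_client -connect <ip>:443`. Connecting by bare IP gives no name to
    verify (just as s_client does), so only handshake completion is tested here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    src = (source_ip, 0) if source_ip else None
    try:
        with socket.create_connection((ip, port), timeout=timeout, source_address=src) as raw:
            with ctx.wrap_socket(raw) as tls:
                return f"OK: {tls.version()} {tls.cipher()[0]}"
    except (OSError, ssl.SSLError) as exc:   # refused, timed out, reset, bad handshake
        return f"FAIL: {exc}"


if __name__ == "__main__":
    import sys
    # Usage: python idr_check.py <tenant id> <IDR proxy IP> [alternate cloud IP ...]
    tenant, proxy_ip, *alt_ips = sys.argv[1:]
    status, body, issuer = check_health_api(tenant, proxy_ip)
    print("health.api:", interpret_health(status, body), "| issuer org:", issuer_org(issuer))
    for ip in alt_ips:
        print(f"{ip}:443 handshake:", tls_handshake(ip, source_ip=proxy_ip))
```

Because the health.api check keeps certificate verification enabled, an interposed TLS-inspecting device surfaces as an ssl.SSLCertVerificationError at connect time rather than as a silently accepted certificate, which is the same symptom the IDR logs report in the note about transparent proxies. The alternate-IP step deliberately mirrors the article's openssl command and tests only that the handshake completes.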
Notes
  1. Be sure to confirm that the infrastructure is:

  • Not blocking the IP associated with <tenant id>.auth.securid.com.
  • Not filtering *.auth.securid.com or *.access.securid.com URLs.

  2. If a wget certificate WARNING indicates that the certificate was issued by a root CA other than Entrust Root Certification Authority - G2 and the IDR logs are showing the message javax.net.ssl.SSLException: Certificate not verified, then ensure that there are no transparent customer proxy devices between the IDRs and the RSA cloud components.
  3. If a non-transparent proxy is configured for the IDR to use, then include the -e use_proxy=yes -e https_proxy=<proxy hostname>:<proxy port> switches in the wget command.
  4. The auth part of the tenant hostname is auth-eu for European-hosted tenants and auth-anz for APJ-hosted tenants.
  5. An alternative to the wget test is to Disconnect an Identity Router and then Connect the Identity Router to the Cloud Administration Console. Disconnecting and reconnecting an IDR fully exercises the IDR > cloud connection. If a proxy has been introduced between the IDR and the Cloud, then this step is required to recover the connection.
