000035813 - How to test RSA SecurID Access identity router (IDR) Secure Connector connectivity

Document created by RSA Customer Support Employee on Dec 9, 2017. Last modified by RSA Customer Support Employee on Nov 12, 2019.
Version 10

Article Content

Article Number: 000035813
Applies To: RSA Product Set: SecurID Access
Issue: Connectivity between the identity router (IDR) and its SecurID Access cloud tenant is in question.
Resolution: A helpful troubleshooting step is to try accessing the Secure Connector health.api URL, either from a browser on the same subnet as the IDR proxy interface or directly from the IDR using the wget command.

The URL is of the form <tenant id>.auth.securid.com/secure-connector-fe/health.api where <tenant id> is the value initially set in the Administrator Console under My Account > Company Settings > Company Information tab > Company ID field.

The following is an example wget command run from the IDR command line. The --bind-address switch should specify the IDR's proxy IP address. Connection OK is returned when the test is successful.

To access the IDR command line, see Access SSH for Identity Router Troubleshooting. Alternatively, SSH can be enabled on the IDR from its Setup page (see Enable Emergency SSH):
[idradmin@idr.gs00.example.com ~]$ wget --no-check-certificate --bind-address <IDR Proxy IP> https://mycompany.auth.securid.com/secure-connector-fe/health.api 
--2019-01-09 21:58:28--  https://mycompany.auth.securid.com/secure-connector-fe/health.api 
Resolving mycompany.auth.securid.com... 
Connecting to mycompany.auth.securid.com||:443... connected. 
HTTP request sent, awaiting response... 200 
Length: 13 [text/plain] 
Saving to: `health.api.1' 
100%[==========================================================>] 13          --.-K/s   in 0s 

2019-01-09 21:58:30 (2.70 MB/s) - `health.api.1' saved [13/13] 

[idradmin@idr.gs00.example.com ~]$ more health.api
Connection OK
  1. Be sure to confirm that the infrastructure:

  • Is not blocking the IP associated with <tenant id>.auth.securid.com.
  • Is not filtering *.auth.securid.com or *.access.securid.com URLs.

  2. If wget prints a certificate WARNING indicating that the certificate was issued by a root CA other than Entrust Root Certification Authority - G2, and the IDR logs show the message javax.net.ssl.SSLException: Certificate not verified, then ensure that there are no transparent customer proxy devices between the IDRs and the RSA cloud components. Because the example command uses --no-check-certificate, wget reports the problem only as a WARNING and still completes the request.
  3. IDRs do not currently support proxies (transparent or not) that perform SSL termination.
  4. If a non-transparent proxy is configured for the IDR to use, then include the -e use_proxy=yes -e https_proxy=<proxy hostname>:<proxy port> switches in the wget command.
  5. The auth part of the tenant hostname will be auth-eu for European-hosted tenants and auth-anz for APJ-hosted tenants.
  6. An alternative to the wget test is to Disconnect an Identity Router and then Connect the Identity Router to the Cloud Administration Console. Disconnecting and re-connecting an IDR fully exercises the IDR-to-cloud connection.
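
The wget test and the checks from the notes above (regional hostname, expected issuer, blocked or filtered responses) combined into one script. This is an added example, not RSA tooling: the function names, the EXPECTED_ISSUER variable and the verdict words are hypothetical, and it assumes wget, grep and mktemp are available where it runs.

```shell
#!/bin/sh
# Added example, not RSA tooling. Function names and verdict words are hypothetical.
# The default is the CA named in the certificate note above. wget prints the issuer
# of the certificate it was presented, so set this to what a known-good path shows.
EXPECTED_ISSUER="${EXPECTED_ISSUER:-Entrust Root Certification Authority - G2}"

# health_url <tenant id> [region]: region is empty, "eu" or "anz".
health_url() {
    case "${2:-}" in
        "")     zone="auth" ;;
        eu|anz) zone="auth-$2" ;;
        *)      echo "unknown region: $2" >&2; return 2 ;;
    esac
    printf 'https://%s.%s.securid.com/secure-connector-fe/health.api\n' "$1" "$zone"
}

# classify <wget log text> <response body>: prints one verdict word.
classify() {
    log=$1 body=$2
    issuer_line=$(printf '%s\n' "$log" | grep -i 'issued by' | head -n 1)
    # Checked first: with --no-check-certificate an SSL-terminating proxy can
    # still relay "Connection OK", so the body alone does not clear the path.
    if [ -n "$issuer_line" ] && ! printf '%s' "$issuer_line" | grep -qF -- "$EXPECTED_ISSUER"; then
        echo "UNEXPECTED_ISSUER"
    elif [ "$body" = "Connection OK" ]; then
        echo "OK"
    elif [ -z "$body" ]; then
        echo "NO_RESPONSE"        # blocked IP or filtered URL
    else
        echo "UNEXPECTED_BODY"    # for example a web filter's block page
    fi
}

# check_connector <tenant id> <IDR proxy IP> [region]: runs the wget test from this article.
check_connector() {
    url=$(health_url "$1" "${3:-}") || return 2
    tmp=$(mktemp) || return 2
    log=$(wget --no-check-certificate --bind-address "$2" -O "$tmp" "$url" 2>&1)
    body=$(cat "$tmp"); rm -f "$tmp"
    verdict=$(classify "$log" "$body")
    echo "$url: $verdict"
    [ "$verdict" = "OK" ]
}

# Runs only when arguments are given, e.g.: sh check_connector.sh mycompany <IDR Proxy IP> eu
if [ "$#" -ge 2 ]; then check_connector "$@"; fi
```
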