000035813 - How to test RSA SecurID Access IDR Secure Connector connectivity

Document created by RSA Customer Support Employee on Dec 9, 2017
Last modified by RSA Customer Support Employee on Jun 4, 2018
Version 6

Article Content

Article Number: 000035813

Applies To: RSA Product Set: SecurID Access

Issue: Connectivity between the IDR and its SecurID Access cloud tenant is being questioned.

Resolution: A helpful troubleshooting step is to try accessing the Secure Connector health.api URL either from a browser on the same subnet as the IDR proxy interface or directly from the IDR using the wget command.

The URL is of the form <tenant id>.auth.securid.com/secure-connector-fe/health.api where <tenant id> is the value initially set in the Administrator Console under My Account > Company Settings > Company Information tab, in the Company ID field.

The following is an example wget command from the IDR command line.  The --bind-address switch should specify the IDR's proxy IP address.  If that switch is not used then the wget command will use the IDR management interface.  Connection OK is returned when successful.

See Access SSH for Identity Router Troubleshooting to access the IDR command line.

[idradmin@idr.gs00.example.com ~]$ wget --no-check-certificate --bind-address <IDR Proxy IP> https://gs00.auth.securid.com/secure-connector-fe/health.api
--2017-12-07 15:45:23--  https://gs00.auth.securid.com/secure-connector-fe/health.api

Resolving gs00.auth.securid.com...
Connecting to gs00.auth.securid.com|....|:443... connected.
WARNING: cannot verify gs00.auth.securid.com's certificate, issued by `/C=US/O=thawte, Inc./CN=thawte SSL CA - G2':
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 200 OK
Length: 13 [text/plain]
Saving to: `health.api'

100%[==========================================================>] 13          --.-K/s   in 0s

2017-12-07 15:45:24 (6.02 MB/s) - `health.api' saved [13/13]

[idradmin@idr.gs00.example.com ~]$ more health.api
Connection OK

  1. Be sure to confirm that the customer's infrastructure is:

  • Not blocking the IP associated with <tenant id>.auth.securid.com ( in Americas, in Europe)
  • Not filtering *.auth.securid.com or *.access.securid.com URLs

  2. If the wget certificate WARNING indicates that the certificate was issued by a CA other than "C=US/O=thawte, Inc./CN=thawte SSL CA - G2" and the IDR logs are showing "javax.net.ssl.SSLException: Certificate not verified", then ensure the customer has performed Upload Certificates for Trusted Certificate Authorities for any proxy devices between the IDRs and the RSA cloud components.
  3. The auth part of the tenant hostname will be auth-eu for European-based customers, and access.securid.com will likewise use access-eu for European-based customers.
  4. An alternative to the wget test is to Disconnect an Identity Router and then Connect the Identity Router to the Cloud Administration Console. Disconnecting and re-connecting an IDR fully exercises the IDR -> cloud connection.
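
The wget test above can be interpreted mechanically. The following shell functions are an added example, not part of the original article or RSA tooling: they read a captured wget log (wget -o FILE) and the saved health.api file and report which of the article's cases applies. The result labels, the function names and the "Example Proxy CA" sample log are constructed for illustration, and the issuer string quoted in the article is assumed to be the expected one.

```shell
# Issuer string the article gives for a connection that is not re-signed by a proxy.
EXPECTED_ISSUER='/C=US/O=thawte, Inc./CN=thawte SSL CA - G2'

# Print the issuer from wget's certificate WARNING line ($1 = wget log file).
wget_issuer() {
    sed -n 's/^WARNING: cannot verify .* certificate, issued by .\(.*\).:$/\1/p' "$1" | head -n 1
}

# Classify one test run. $1 = wget log (wget -o FILE), $2 = saved health.api file.
classify_health_check() {
    local log body_file issuer body
    log=$1; body_file=$2; body=""
    if ! grep -q 'connected\.$' "$log"; then
        echo "NO_CONNECT"          # check for IP blocking or URL filtering
        return
    fi
    issuer=$(wget_issuer "$log")
    if [ -n "$issuer" ] && [ "$issuer" != "$EXPECTED_ISSUER" ]; then
        echo "UNEXPECTED_ISSUER"   # a proxy may be re-signing TLS: check trusted CA upload
        return
    fi
    [ -f "$body_file" ] && body=$(tr -d '\r\n' < "$body_file")
    if grep -qF 'awaiting response... 200 OK' "$log" && [ "$body" = "Connection OK" ]; then
        echo "OK"
    else
        echo "BAD_RESPONSE"        # something answered, but not with the healthy reply
    fi
}

# Constructed sample: log of a run through a TLS-inspecting proxy (hypothetical CA name).
demo_dir=$(mktemp -d)
cat > "$demo_dir/wget.log" <<'EOF'
Connecting to gs00.auth.securid.com|....|:443... connected.
WARNING: cannot verify gs00.auth.securid.com's certificate, issued by `/C=US/O=Example Corp/CN=Example Proxy CA':
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 200 OK
EOF
printf 'Connection OK\n' > "$demo_dir/health.api"
classify_health_check "$demo_dir/wget.log" "$demo_dir/health.api"
```

Because the test runs with --no-check-certificate, a 200 OK and a "Connection OK" body can still come back through a re-signing proxy; the issuer comparison is what separates that case from a direct connection.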