000035849 - RSA SecurID Access Authentication Manager Test Connection Fails

Document created by RSA Customer Support Employee on Dec 15, 2017
Version 1

Article Content

Article Number: 000035849
Applies To: RSA Product Set: SecurID Access
Issue: After configuring the Identity Router as a SecurID Agent, the Administration Console Platform->Authentication Manager->Test Connection is unsuccessful. After collecting the identity router log bundle, errors similar to those below are seen in /var/log/symplified/symplified.log:

2017-12-12/17:10:08.538/UTC [sidProxyScheduler-1] FATAL com.rsa.authagent.authapi.v8.logger.b[?] - {validateSignCertwithRootCert} ConfigResponse Signing Cert Validation failed Certificate verify failed!
2017-12-12/17:10:08.539/UTC [sidProxyScheduler-1] FATAL com.rsa.authagent.authapi.v8.logger.b[?] - {validateConfigResponse} ConfigResponse signing cert validation and verification failed: com.rsa.authagent.authapi.AuthAgentException: Signature Certificate Verification Failed:Certificate verify failed!
2017-12-12/17:10:08.539/UTC [sidProxyScheduler-1] FATAL com.rsa.authagent.authapi.v8.logger.b[?] - {handleConfigUpdate} ConfigurationResponse(Init) - Response validation & verification failed
2017-12-12/17:10:08.539/UTC [sidProxyScheduler-1] ERROR com.rsa.authagent.authapi.v8.logger.b[?] - Exception processing configuration data Exception processing configuration data Invalid config response from the server: Response validation & verification failed!
2017-12-12/17:10:08.539/UTC [sidProxyScheduler-1] ERROR com.rsa.nga.sidproxy.SidAuthentication[263] - Failed to verify session factory
com.rsa.authagent.authapi.AuthAgentException: com.rsa.authagent.authapi.AuthAgentException: Exception processing configuration data Exception processing configuration data Invalid config response from the server: Response validation & verification failed!
at com.rsa.authagent.authapi.AuthSessionFactory.a(AuthSessionFactory.java)

Cause: The AM root certificate published to the Identity Router is no longer being used by AM for secure agent communications. This can occur due to certain AM database restore scenarios.
Resolution: Update the AM agent communications root certificate and then publish a new sdconf.rec file to the Identity Router. Instructions to retrieve the root certificate vary by browser type; these instructions are for Chrome:
  1. Browse to https://<YOUR_AUTH_MANAGER>:7002 (ignore the 404 error)
  2. Click on the three vertical dots in upper right and choose More tools->Developer tools
  3. In the tools window click the Security tab and then from Security Overview click "View certificate".
  4. In the Certificate popup, click the Certification Path tab and then the top-level root certificate.
  5. Click the Details tab and then the "Copy to File" button.
  6. Follow the wizard to save a DER encoded certificate to a file
  7. Now in the AM Security Console go to Setup->System Settings->Agents
  8. Click on "To configure agents using IPV6, click here"
  9. In the Existing Certificate Details section click Choose File, select the AM root certificate file just exported, and then click Update.
  10. Now browse to Access->Authentication Agents->Generate Configuration File and generate and download a new AM_Config.zip file.
  11. Unzip the AM_Config.zip to extract the new sdconf.rec file.
  12. Upload the new sdconf.rec file via the SID Access Administration Console Platform->Authentication Manager->Connection Settings menu and Save.
  13. Publish Changes
The Test Connection should be successful following the Publish.
Notes: There are also Linux command line tools such as openssl and wget that can be used as an alternative to a browser for retrieving a site's SSL certificates.
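The openssl alternative mentioned in the note, as an added example that is not part of the original article or RSA's documented procedure: it replaces browser steps 1 to 6 by saving the top certificate of the chain presented on port 7002 as a DER file. It assumes the AM server sends its self-signed root in the TLS chain (the script stops if it does not); the function names and the host argument are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (assumption: the AM server includes its root in the chain it sends).

# Read `openssl s_client -showcerts` output on stdin and print the last PEM
# certificate block, which is the top of the chain as sent by the server.
last_pem_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ {buf=""; incert=1}
       incert {buf = buf $0 "\n"}
       /-----END CERTIFICATE-----/ {incert=0; last=buf}
       END {printf "%s", last}'
}

# fetch_am_root HOST OUT.der  (hypothetical helper, not an RSA tool)
fetch_am_root() {
  host=$1; out=$2
  pem=$(mktemp) || return 1
  # Certificate verification errors are expected here: the root in question
  # is usually not in the local trust store.
  openssl s_client -showcerts -connect "$host:7002" </dev/null 2>/dev/null \
    | last_pem_cert >"$pem"
  if [ ! -s "$pem" ]; then
    echo "no certificate received from $host:7002" >&2
    rm -f "$pem"; return 1
  fi
  # A root certificate is self-signed, so subject and issuer must match.
  subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
  issuer=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer= *//')
  if [ "$subject" != "$issuer" ]; then
    echo "top certificate sent is not self-signed; root is not in the chain" >&2
    rm -f "$pem"; return 1
  fi
  # Step 6 of the article asks for a DER-encoded file.
  openssl x509 -in "$pem" -outform DER -out "$out" || { rm -f "$pem"; return 1; }
  rm -f "$pem"
  # Print identifying details so the file can be checked before upload.
  openssl x509 -in "$out" -inform DER -noout -subject -enddate -fingerprint -sha256
}

# Usage: ./fetch_am_root.sh <YOUR_AUTH_MANAGER> am_root.der
if [ "$#" -eq 2 ]; then
  fetch_am_root "$1" "$2"
fi
```

Because the certificate is fetched over a connection that is not yet trusted, compare the printed subject, expiry date and SHA-256 fingerprint with what a browser's certificate viewer shows for the same root before uploading the file in step 9.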