Article Number | 000035849 |
Applies To | RSA Product Set: SecurID Access |
Issue | After configuring the Identity Router as a SecurID Agent, the Administration Console Platform->Authentication Manager->Test Connection is unsuccessful. After collecting the identity router log bundle, errors similar to those below are seen in /var/log/symplified/symplified.log:
2017-12-12/17:10:08.538/UTC [sidProxyScheduler-1] FATAL com.rsa.authagent.authapi.v8.logger.b[?] - {validateSignCertwithRootCert} ConfigResponse Signing Cert Validation failed Certificate verify failed!
2017-12-12/17:10:08.539/UTC [sidProxyScheduler-1] FATAL com.rsa.authagent.authapi.v8.logger.b[?] - {validateConfigResponse} ConfigResponse signing cert validation and verification failed: com.rsa.authagent.authapi.AuthAgentException: Signature Certificate Verification Failed:Certificate verify failed!
2017-12-12/17:10:08.539/UTC [sidProxyScheduler-1] FATAL com.rsa.authagent.authapi.v8.logger.b[?] - {handleConfigUpdate} ConfigurationResponse(Init) - Response validation & verification failed
2017-12-12/17:10:08.539/UTC [sidProxyScheduler-1] ERROR com.rsa.authagent.authapi.v8.logger.b[?] - Exception processing configuration data Exception processing configuration data Invalid config response from the server: Response validation & verification failed!
2017-12-12/17:10:08.539/UTC [sidProxyScheduler-1] ERROR com.rsa.nga.sidproxy.SidAuthentication[263] - Failed to verify session factory com.rsa.authagent.authapi.AuthAgentException: com.rsa.authagent.authapi.AuthAgentException: Exception processing configuration data Exception processing configuration data Invalid config response from the server: Response validation & verification failed!
	at com.rsa.authagent.authapi.AuthSessionFactory.a(AuthSessionFactory.java)
|
Cause | The AM root certificate published to the Identity Router is no longer being used by AM for secure agent communications. This can occur due to certain AM database restore scenarios. |
Resolution | Update the AM agent communications root certificate and then publish a new sdconf.rec file to the Identity Router. Instructions for retrieving the root certificate vary by browser type; the steps below are for Chrome:
- Browse to https://<YOUR_AUTH_MANAGER>:7002 (ignore the 404 error)
- Click on the three vertical dots in the upper right and choose More tools->Developer tools
- In the tools window click the Security tab and then from Security Overview click "View certificate".
- In the Certificate popup, click the Certification Path tab and select the top-level root certificate
- Click the Details tab and then the "Copy to File" button.
- Follow the wizard to save a DER encoded certificate to a file
- Now in the AM Security Console go to Setup->System Settings->Agents
- Click on "To configure agents using IPV6, click here"
- In the Existing Certificate Details section, click Choose File, select the AM root certificate file that was just exported, and then click Update.
- Now browse to Access->Authentication Agents->Generate Configuration File and generate and download a new AM_Config.zip file.
- Unzip the AM_Config.zip to extract the new sdconf.rec file.
- Upload the new sdconf.rec file via the SID Access Administration Console Platform->Authentication Manager->Connection Settings menu and Save.
- Publish Changes
The Test Connection should be successful following the Publish. |
Notes | There are also Linux command line tools such as openssl and wget that can be used as an alternative to a browser for retrieving a site's SSL certificates. |
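The openssl alternative mentioned in the Notes, as an added example (not RSA's own script): it pulls the certificate chain presented on port 7002, keeps the last certificate, confirms it is self-issued, and writes it as DER for the upload step. The function names, the host name and the output file name are hypothetical, and it assumes AM sends its root certificate as the last entry of the chain.

```bash
#!/bin/sh
# Added example: save the top-level certificate served by Authentication
# Manager (AM) on port 7002 as a DER file, without using a browser.
# Assumption: AM sends its root certificate as the last entry in the chain.

# Print everything s_client reports, including each PEM certificate sent.
fetch_chain() {  # usage: fetch_chain HOST [PORT]
  openssl s_client -connect "$1:${2:-7002}" -showcerts </dev/null 2>/dev/null
}

# Read s_client output on stdin and print only the last PEM certificate.
last_cert_pem() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; keep = 1 }
       keep { buf = buf $0 "\n" }
       /-----END CERTIFICATE-----/ { keep = 0; last = buf }
       END { printf "%s", last }'
}

# Succeed only if the PEM certificate in file $1 names itself as issuer.
is_self_issued() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Fetch the chain, check the last certificate, write it as DER to $2.
export_root_der() {  # usage: export_root_der HOST OUTFILE
  pem_tmp=$(mktemp) || return 1
  fetch_chain "$1" | last_cert_pem > "$pem_tmp"
  if [ -s "$pem_tmp" ] && is_self_issued "$pem_tmp"; then
    openssl x509 -in "$pem_tmp" -outform DER -out "$2" &&
      # Show subject and SHA-256 fingerprint so the file can be checked.
      openssl x509 -in "$2" -inform DER -noout -subject -fingerprint -sha256
    rc=$?
  else
    echo "no self-issued root certificate in the chain from $1" >&2
    rc=1
  fi
  rm -f "$pem_tmp"
  return "$rc"
}

# Runs only with arguments, e.g.: sh get_am_root.sh am.example.com am_root.cer
if [ "$#" -ge 2 ]; then export_root_der "$1" "$2"; fi
```

The DER file it writes is the one to select with Choose File in the Existing Certificate Details section. If the script reports that no self-issued certificate was found, the server did not send its root and the browser export above is still needed.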