000035913 - Testing TCP ports on RSA Authentication Manager 8.x instances

Document created by RSA Customer Support Employee on Jan 17, 2018. Last modified by RSA Customer Support Employee on Jan 17, 2018.
Version 2

Article Content

Article Number: 000035913
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.1 SP1 or later
Platform: Linux
Issue: An administrator has a requirement to check the presence of TCP ports on Authentication Manager instances in a deployment in case a firewall or other device is blocking communication between the primary and replica instance(s).
Resolution: This knowledge article provides a Linux shell script which can be executed on any Authentication Manager instance in a deployment to check the presence of TCP ports; for example, replication ports 7002 TCP, 1812 TCP, 1813 TCP.
The Linux shell script must be executed with root privileges and requires the Operations Console username and password to read the Authentication Manager hostnames stored in the Authentication Manager database. The Linux shell script will use the Authentication Manager hostnames to perform name resolution via configured domain name server(s) and check for the presence of TCP ports on these Authentication Manager instances.

Installation


  1. Download and copy the attached commcheck.sh shell script into the /tmp folder on an Authentication Manager instance in the deployment.  Review the following article on how to enable Secure Shell on the Appliance, if needed.  Where SSH has been enabled, a secure FTP client, such as WinSCP, can be used to copy the shell script into the /tmp folder.
  2. Change the permissions of the commcheck.sh so it can be executed at the command line:

chmod 755 /tmp/commcheck.sh

Usage


  1. Log on to the Authentication Manager instance with the rsaadmin account, either in an SSH session or at the local console.
  2. Change the privileges of the rsaadmin account using the command:

sudo su -

Note that if you do not change the privileges of the rsaadmin account the following message appears:

You must be the root user to use this program; exiting...


  3. Navigate to the /tmp folder using the command:

cd /tmp

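  4. The shell script can be executed in one of two ways, as Operations Console user credentials are required.  Note that in the first form the Operations Console admin password is displayed in clear text on the command line (where it can also be recorded in shell history and is visible in the process list while the script runs), while in the second form the script prompts for the password and masks it.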

cd /tmp
./commcheck.sh <Operations Console admin name> <Operations Console admin password>

Checking OC credentails..
OC credentials validated... redirecting to menu..

or


cd /tmp
./commcheck.sh

Checking OC credentials....missing OC credentials!
Please enter OC Administrator username: <Operations Console admin name>
Please enter OC Administrator password: <Operations Console admin password>

OC credentials validated... redirecting to menu..

  5. The shell script menu displays:

RSA Customer Support (Asia Pacific)
Communications Check - AM TCP ports
1) Display Authentication Manager Hostnames
2) Perform Communications Check
3) Generate a Report
9) Exit
Please select an option


Display Authentication Manager Hostnames


Option 1 reads the Authentication Manager hostnames from the Authentication Manager database and displays them on the screen.
For example:

RSA Customer Support (Asia Pacific)
Communications Check - AM TCP ports
1) Display Authentication Manager Hostnames
2) Perform Communications Check
3) Generate a Report
9) Exit
Please select an option
1
Retrieving hostnames of AM instances..
Primary is app82p.csau.ap.rsa.net with IP address 192.168.31.51
Replica is app82r.csau.ap.rsa.net with IP address 192.168.31.52
Done!
Press any key to continue...


Perform Communications Check


Option 2 uses the Authentication Manager hostnames to perform a name lookup using DNS and then checks for the presence of the TCP ports.  For example:

RSA Customer Support (Asia Pacific)
Communications Check - AM TCP ports
1) Display Authentication Manager Hostnames
2) Perform Communications Check
3) Generate a Report
9) Exit
Please select an option
2
Communications Check..
Name Resolution
Server:         192.168.31.20
Address:        192.168.31.20#53
Name:   app82p.csau.ap.rsa.net
Address: 192.168.31.51
TCP Port Checks
Authentication port
-------------------
app82p.csau.ap.rsa.net authn port 5500 success
Replication ports
-----------------
app82p.csau.ap.rsa.net replication port 7002 success
app82p.csau.ap.rsa.net replication port 1812 success
app82p.csau.ap.rsa.net replication port 1813 success
Adjudicator port
----------------
app82p.csau.ap.rsa.net adjudicator port 7022 success
Console ports
------------
app82p.csau.ap.rsa.net security console port 7004 success
app82p.csau.ap.rsa.net operations console port 7072 success
app82p.csau.ap.rsa.net https port 443 success
SSH port
--------
app82p.csau.ap.rsa.net ssh port 22 success
AM Services ports
-----------------
app82p.csau.ap.rsa.net auto-reg port 5550 success
app82p.csau.ap.rsa.net offline auth port 5580 success
Required by Promotion feature
-----------------------------
app82p.csau.ap.rsa.net radius configure port 7082 success
Name Resolution
Server:         192.168.31.20
Address:        192.168.31.20#53
Name:   app82r.csau.ap.rsa.net
Address: 192.168.31.52
TCP Port Checks
Authentication port
-------------------
app82r.csau.ap.rsa.net authn port 5500 success
Replication ports
-----------------
app82r.csau.ap.rsa.net replication port 7002 success
app82r.csau.ap.rsa.net replication port 1812 success
app82r.csau.ap.rsa.net replication port 1813 success
Adjudicator port
----------------
app82r.csau.ap.rsa.net adjudicator port 7022 success
Console ports
------------
app82r.csau.ap.rsa.net security console port 7004 success
app82r.csau.ap.rsa.net operations console port 7072 success
app82r.csau.ap.rsa.net https port 443 success
SSH port
--------
app82r.csau.ap.rsa.net ssh port 22 success
AM Services ports
-----------------
app82r.csau.ap.rsa.net auto-reg port 5550 success
app82r.csau.ap.rsa.net offline auth port 5580 success
Required by Promotion feature
-----------------------------
app82r.csau.ap.rsa.net radius configure port 7082 success
Done!
Press any key to continue...


Generate a Report


Option 3 will generate a report and provide the user a report name. The content of the report is the same as the display when using Option 2.  For example:

RSA Customer Support (Asia Pacific)
Communications Check - AM TCP ports
1) Display Authentication Manager Hostnames
2) Perform Communications Check
3) Generate a Report
9) Exit
Please select an option
3
..review the log file /tmp/commcheck_201801121009.log for results..
Press any key to continue...

Should a TCP port not be available, a FAILED message appears in the display output or report, as shown here:


app82p.csau.ap.rsa.net replication port 7002 FAILED
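
To triage a report from Option 3 without reading every line, the result lines can be filtered for FAILED and counted per host. The following is an added example, not part of commcheck.sh or of the original article; the function names and the sample report are constructed, and it assumes result lines have the layout shown above (hostname, description, "port", number, success or FAILED).

```shell
# Added example, not part of commcheck.sh. Assumes result lines look like the
# article's output: <hostname> <description> port <number> success|FAILED

# Print "host port description" for each FAILED result line on stdin.
failed_ports() {
  awk '
    NF >= 4 && $NF == "FAILED" && $(NF-2) == "port" && $(NF-1) ~ /^[0-9]+$/ {
      desc = ""
      for (i = 2; i <= NF - 3; i++) desc = desc (i > 2 ? " " : "") $i
      printf "%s %s %s\n", $1, $(NF-1), desc
    }'
}

# Print "host checked failed" per host, in order of first appearance.
host_summary() {
  awk '
    NF >= 4 && ($NF == "success" || $NF == "FAILED") && $(NF-2) == "port" {
      if (!($1 in checked)) order[++n] = $1
      checked[$1]++
      if ($NF == "FAILED") failed[$1]++
    }
    END {
      for (i = 1; i <= n; i++)
        printf "%s %d %d\n", order[i], checked[order[i]], failed[order[i]] + 0
    }'
}

# Constructed sample in the report layout (hostnames are placeholders).
sample_report() {
  cat <<'EOF'
Name Resolution
Name:   am-primary.example.test
Address: 192.0.2.10
TCP Port Checks
Replication ports
-----------------
am-primary.example.test replication port 7002 FAILED
am-primary.example.test replication port 1812 success
Console ports
------------
am-primary.example.test security console port 7004 success
am-replica.example.test replication port 7002 success
am-replica.example.test offline auth port 5580 FAILED
EOF
}

# Demo on the sample; for a real report: failed_ports < /tmp/commcheck_<timestamp>.log
sample_report | host_summary
sample_report | failed_ports
```

A FAILED replication port (7002, 1812 or 1813) between primary and replica is the case the article's Issue statement is concerned with, so those lines are the first to check against firewall rules.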
