000036031 - RSA Authentication Manager cannot connect to the RSA Identity Router when configuring an Authentication Manager integration

Document created by RSA Customer Support Employee on Feb 16, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000036031
Applies ToRSA Product Set: SecurID Access
RSA Product/Service Type: Identity Router and Authentication Manager
RSA Version/Condition: IDR and later,  Authentication Manager 8.2 and later
IssueWhen configuring RSA Authentication Manager and the RSA Cloud Authentication Service to Enable Cloud Authentication Service Users to Access Resources Protected by RSA SecurID, a correctly configured Authentication Manager server is unable to connect to a correctly configured RSA Identity Router (IDR) when the Test Connection button is clicked in the Authentication Manager Operations Console.  The following error is displayed on the Operations Console page:

Authentication Manager cannot connect to any identity routers. Authenticate Tokencodes are not available.

At the same time, the log of the IDR to which Authentication Manager attempted to connect, will show an event with this format:

ERROR com.symplified.application.appliance.api.authentication.RestAuthenticationInInterceptor[195] - Unable to parse date "AM-date-time-timezone"
com.symplified.platform.webservice.WebServiceApiException: code=INTERNAL_SERVER_ERROR,detail=Unable to parse date "AM-date-time-timezone"

where, AM-date-time-timezone is the date, time and configured time zone of Authentication Manager at the time of the test.  For example, "Fri, 02-Feb-18 10:36:11 Hawaii-Aleutian Standard Time"

The IDR error event will also be logged if an actual authentication is attempted using this feature, and the authentication will fail.

CauseFor a limited number of time zones, there is an incompatibility between the time zone name string in Authentication Manager and the IDR.  The affected time zones will vary depending on the version of Authentication Manager and the RSA Identity Router.  For example, when using RSA Authentication Manager 8.2 SP1 with the February 2018 release of the RSA Cloud Authentication Service (IDR the following time zones will be affected:
  • America/Adak: Hawaii-Aleutian Standard Time,
  • America/Atka: Hawaii-Aleutian Standard Time,
  • Asia/Khandyga: Khandyga Time, and
  • US/Aleutian: Hawaii-Aleutian Standard Time.
WorkaroundUpdate System Date and Time Settings in RSA Authentication Manager to use another time zone with the same UTC offset.  Take care that the Daylight Savings Time changes for the chosen temporary time zone occur on the same day and time as your actual region.

The use of a temporary time zone should be maintained until a fix for this issue is released by RSA and your IDRs and/or Authentication Manager (according to the release instructions) are upgraded to the fixed version(s).
NotesThere are other reasons that can cause Authentication Manager to be unable to connect to the IDR, resulting in the same Authentication Manager error message to be logged or this type of authentication to fail.

This article only applies if the INTERNAL_SERVER_ERROR and Unable to parse date error event described in the Issue section above is also logged by the IDR.  To check for this event, the IDR system log can be viewed in one of the following two ways:
Each test or authentication sent from Authentication Manager will go to just one of the available IDRs in your Cloud Authentication Service deployment.  The IDR used will change each time, usually in a round robin pattern, according to your load balancer configuration.  Therefore it is important to check the system log from every one of the IDRs to which the test or authentication may have been sent.