000035905 - RSA Authentication Agent 8.0 for Web for Apache Web Server certificate verification failed

Document created by RSA Customer Support Employee on May 14, 2018

Article Content

Article Number: 000035905

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent 8.0 for Web for Apache Web Server
Platform: Linux
Product Description: TCP based agent

Issue

The following errors are seen in the agent log:
  • Invalid certificate name
  • Unable to verify certificate

118-00-03 12:38:23 4294967295.3952.2701068096 [E] error SignatureVerifier.cpp 248 The certificate verification failed
118-00-03 12:38:23 4294967295.3952.2701068096 [V] verbose SignatureVerifier.cpp 258 Leaving validateConfiguration()

Cause

The sdconf.rec file contains a certificate that is used only for TCP-based agent connections.

If the Authentication Manager server name was changed at some point after the initial deployment, that certificate is not regenerated (for backward compatibility). Any new TCP agent that then tries to connect finds that the Authentication Manager server's name differs from the subject name in the current certificate, and the connection fails.
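As an added illustration of this cause (example code written for this article, not RSA's own), the following Python extracts the subject CN and SAN DNS names from a DER certificate so the name can be compared with the Authentication Manager hostname the agent is configured to use. It builds its own constructed, unsigned certificate skeleton as sample input; the hostnames in it are assumptions, and `cert_names` can equally be run on the DER file exported in the resolution steps below.

```python
CN_OID = b"\x06\x03\x55\x04\x03"    # id-at-commonName (2.5.4.3), as it appears inside a DER RDN
SAN_OID = b"\x06\x03\x55\x1d\x11"   # id-ce-subjectAltName (2.5.29.17)

def _tlv(buf, pos):
    """Decode the DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    while start < end:
        tag, vs, ve = _tlv(buf, start)
        yield tag, vs, ve
        start = ve

def cert_names(der):
    """Subject CN plus SAN dNSName entries of a DER X.509 certificate, lowercased."""
    _, tbs_s, tbs_e = next(_children(der, *_tlv(der, 0)[1:]))      # tbsCertificate
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                                        # drop EXPLICIT [0] version
        fields = fields[1:]
    names = []
    for _, rdn_s, rdn_e in _children(der, *fields[4][1:]):         # subject: SEQUENCE OF RDN
        for _, atv_s, atv_e in _children(der, rdn_s, rdn_e):       # RDN: SET OF type/value pairs
            if der[atv_s:atv_s + 5] == CN_OID:
                _, v_s, v_e = _tlv(der, atv_s + 5)
                names.append(der[v_s:v_e].decode())
    for _, ext_s, _ in (f for f in fields if f[0] == 0xA3):        # extensions: EXPLICIT [3]
        for _, e_s, e_e in _children(der, *_tlv(der, ext_s)[1:]):
            if der[e_s:e_s + 5] == SAN_OID:
                o = _tlv(der, e_s + 5)
                o = _tlv(der, o[2]) if o[0] == 0x01 else o          # skip optional critical BOOLEAN
                _, g_s, g_e = _tlv(der, o[1])                       # OCTET STRING wraps GeneralNames
                names += [der[s:e].decode() for t, s, e in _children(der, g_s, g_e) if t == 0x82]
    return [n.lower() for n in names]

def _der(tag, payload):
    """Encode one DER element (used only to construct the sample certificate)."""
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if not lb else 0x80 | len(lb)]) + lb + payload

def sample_cert(cn, dns_names=()):
    """Constructed, unsigned certificate skeleton with the given CN and SAN names (sample input, not a real RSA cert)."""
    name = _der(0x30, _der(0x31, _der(0x30, CN_OID + _der(0x0C, cn.encode()))))
    san = _der(0x04, _der(0x30, b"".join(_der(0x82, d.encode()) for d in dns_names)))
    exts = _der(0xA3, _der(0x30, _der(0x30, SAN_OID + san)))
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02") + _der(0x02, b"\x01") + _der(0x30, b"")
               + name + _der(0x30, b"") + name + _der(0x30, b"") + exts)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

If the hostname the agent connects to is not in the list returned by `cert_names(open("primary.der", "rb").read())`, the certificate carried in sdconf.rec is stale and the regeneration steps below apply.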
Resolution

To fix this issue, update the certificate and then generate a new sdconf.rec file that contains the new certificate.

To get the certificate and update it:

  1. On the primary Authentication Manager server, open Internet Explorer and go to https://<primary hostname>:7002

Port 7002 is used for communication between an Authentication Manager primary and replica instances and for communication between replica instances (for replay detection).



  2. Click on the Certificate error.
  3. Choose the top certificate and click View Certificate.
  4. Click the Copy To File... button.
  5. Click Next.
  6. Click Next > again.  Be sure to leave the DER encoding format.
  7. Enter a name to save the DER-encoded root certificate.
  8. Log in to the Security Console and select Setup > System Settings.
  9. Under the heading for Authentication Settings, click Agents.
  10. On the top left of the page, click the link where it says To configure agents using IPv6, click here.
  11. Scroll down to the section on Existing Certificate Details.
  12. Click the button next to Import Certificate of the New Primary Server that is labeled Choose File.
  13. A common dialog box will open.  Browse to the saved certificate, select it and click Open.
  14. When done, click Update.
  15. Generate a new configuration file (sdconf.rec) for the agent by selecting Access > Authentication Agents > Generate Configuration File > Generate Config File.
  16. Replace the existing sdconf.rec on the agent with the newly generated sdconf.rec.
Notes

This solution applies to any TCP-based agent that uses certificates to establish secure connections.