Resolution | Hover over the test failure in the Admin Console UI to see error details:
- If the error message is "The agent name entered is not defined in the Authentication Manager", confirm that the authentication agent name that is configured on the RSA SecurID Access side is an exact match of the agent name that is configured on the RSA Authentication Manager. Also confirm that RSA Authentication Manager replication is working (that is, all replicas also have the IDR agent name in their list of agents).
- If the error message is "Cannot reach the Authentication Manager with the specified host address", confirm that the IDR can resolve the RSA Authentication Manager hostname by following "Access SSH for Identity Router Troubleshooting" and verify name resolution with nslookup:
nslookup <RSA Authentication Manager fully qualified hostname>
- If name resolution is not a problem, then view the IDR's /var/log/symplified/symplified.log from the Administration Console UI or from a downloaded log bundle to see if a problem is logged.
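- Verify that nothing is blocking traffic between the IDR and RSA Authentication Manager. Running a wget command should successfully connect and return data. Because --no-check-certificate skips TLS certificate validation, this confirms network reachability only, not that the certificate is trusted: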
wget --no-check-certificate --bind-address <IDR management IP> https://<RSA Authentication Manager IP address>
- See article "000035849 - RSA SecurID Access Authentication Manager Test Connection Fails" to check if there is a problem with the sdconf.rec Authentication Manager root certificate.
- If the error message is "Cannot connect to the Authentication Manager due to unknown error" and the IDR's symplified.log shows errors like those shown below, ensure that a valid sdconf.rec file (not the AM_Config.zip file that contains it, for example) was uploaded to the Administration Console's Platform > Authentication Manager > Connection Settings:
2019-12-16/20:22:30.621/UTC [Thread-343743] FATAL com.rsa.authagent.authapi.v8.logger.b[?] - Exception unmarshalling type: java.lang.Class Exception: Content is not allowed in prolog.
2019-12-16/20:22:30.622/UTC [Thread-343743] ERROR com.rsa.authagent.authapi.v8.logger.b[?] - {RealmConfig.updateNewProtocolInfo} Invalid config file Invalid bootstrap data
2019-12-16/20:22:30.622/UTC [Thread-343743] ERROR com.rsa.authagent.authapi.v8.logger.b[?] - Invalid configuration fileInvalid bootstrap data
2019-12-16/20:22:30.622/UTC [Thread-343743] ERROR com.rsa.nga.sidproxy.AuthSessionFactoryManager[224] - unable to connect to the AM server
- If the IDR's symplified.log shows an error like the one below (where IDRHOSTNAME is the IDR's proxy or single-NIC interface hostname), try adding a static DNS entry that maps the IDR's portal hostname to its IP address. This can be done from the Cloud Administration Console (Platform > Identity Router > Edit > Settings > Static DNS Entries).
2019-11-08/16:29:28.607/UTC [pool-4-thread-11] ERROR com.rsa.nga.sidproxy.SidAuthentication[265] - Failed to verify session factory com.rsa.authagent.authapi.AuthAgentException: com.rsa.authagent.authapi.AuthAgentException: the current host is unknownIDRHOSTNAME: IDRHOSTNAME: Name or service not known IDRHOSTNAME: IDRHOSTNAME: Name or service not known
- If the IDR has two NICs:
- If the IDR has a single NIC:
- Add a static DNS entry that maps the IDR's portal hostname to its interface IP address. Include both the portal hostname FQDN and shortname (separated by a space) as the alias value.
- If the error message is "Cannot connect to the Authentication Manager due to unknown error" and the IDR's symplified.log is not providing enough information, contact RSA Customer Support and reference this article.
- If the IDR's symplified.log shows errors like "sdconf.rec does not exist" or "sdconf.rec not found" or "unable to write sdconf.rec", contact RSA Customer Support for assistance.
|
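The log checks above can be scripted against a symplified.log taken from a downloaded log bundle. The following is an added example, not RSA code: the function names, finding labels and sample log are constructed here, and the error strings are the ones quoted in this article.

```python
import io
import re
import zipfile

# Error signatures quoted in this article, mapped to the article's resolution.
SIGNATURES = [
    ("invalid_sdconf",
     re.compile(r"Content is not allowed in prolog|Invalid bootstrap data"),
     "Upload a valid sdconf.rec (not the AM_Config.zip that contains it)."),
    ("idr_hostname_unresolved",
     re.compile(r"the current host is unknown|Name or service not known"),
     "Add a static DNS entry mapping the IDR's portal hostname to its IP."),
    ("sdconf_missing",
     re.compile(r"sdconf\.rec (does not exist|not found)|unable to write sdconf\.rec"),
     "Contact RSA Customer Support for assistance."),
]
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2}\.\d{3}/UTC")


def triage(log_text):
    """Return {finding: (first_timestamp, advice)} for known signatures."""
    findings = {}
    last_ts = "unknown"
    for line in log_text.splitlines():
        m = TIMESTAMP.match(line)
        if m:
            last_ts = m.group(0)  # continuation lines inherit this timestamp
        for key, pattern, advice in SIGNATURES:
            if key not in findings and pattern.search(line):
                findings[key] = (last_ts, advice)
    return findings


def is_zip_upload(data):
    """True if the bytes are a ZIP archive such as AM_Config.zip."""
    return zipfile.is_zipfile(io.BytesIO(data))


# Constructed sample modelled on the log excerpts in this article.
SAMPLE = """\
2019-12-16/20:22:30.621/UTC [Thread-343743] FATAL com.rsa.authagent.authapi.v8.logger.b[?] - Exception unmarshalling type: java.lang.Class
Exception: Content is not allowed in prolog.
2019-12-16/20:22:30.622/UTC [Thread-343743] ERROR com.rsa.nga.sidproxy.AuthSessionFactoryManager[224] - unable to connect to the AM server
"""

if __name__ == "__main__":
    for key, (ts, advice) in triage(SAMPLE).items():
        print(f"{ts}  {key}: {advice}")
```

An empty result from triage() corresponds to the case where the log is not providing enough information; is_zip_upload() can be run on the file before it is uploaded to Connection Settings.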