AM 8.6 RADIUS Pre-Migration Script FAILURES: Error while exporting the trusted root certificate
2 years ago
Article Number
000067873
Applies To
Authentication Manager 8.5 all patches, with plans to update this system to AM 8.6.
See
UPDATE: SecurID Recommends Waiting for a RADIUS Pre-Migration Script Before Upgrading to RSA Authentication Manager 8.6
February 11, 2022
https://community.securid.com/t5/securid-product-advisories/update-securid-recommends-waiting-for-a-radius-pre-migration/ta-p/667206
 
Issue
Authentication Manager 8.6 uses a new version of RADIUS, FreeRADIUS, so the SBR Pulse version of RADIUS used in AM 8.5 must be migrated into FreeRADIUS. RSA Engineering developed a RADIUS pre-migration script to identify potential problems that could make this RADIUS migration fail.

The RADIUS Pre-Migration Script released February 18, 2022, rsa_am_preupgrade_check-1.0.sh, reports a FAILURE: "Error while exporting the trusted root certificate".

There are two causes for this finding, which is a false finding:
1. The AM 8.5 appliance that this script was run against has restored a backup from a different AM 8.5 appliance.
2. The RADIUS Pre-Migration Script released February 18, 2022 was used.

The RADIUS Pre-Migration Script released February 18, 2022 is only 7KB, while the March 3rd script is 9KB. Both were named rsa_am_preupgrade_check-1.0.sh and were included inside rsa-am-pre-upgrade-check-1.0.zip.

This FAILURE is a script failure, not a potential migration error. The RADIUS Pre-Migration Script released March 3rd, 2022 does not report this FAILURE, because this version of the script changes the file permissions on the trusted root certificate file so that it can read the certificate and decrypt the RADIUS database.
Cause
The original rsa_am_preupgrade_check-1.0.sh could not export the Root CA when the AM 8.5 appliance had restored a backup from a different AM 8.5 appliance, because the Root CA file had read/write permissions for its owner, root, and nothing else. The script is run as user rsaadmin, so this is a simple permission problem.

The updated rsa_am_preupgrade_check-1.0.sh changes the permissions on this Root CA file by elevating privileges with sudo.
Tasks
Call Customer Support and ask for the new copy of the RADIUS pre-migration script.
If you see the finding "Error while exporting the trusted root certificate", do not attempt to fix it, and DO NOT import a copy of the default console Root CA certificate into the Operations Console - Deployment Configuration - RADIUS Servers - EAP Trusted Root CA certificates. This particular fix would break replication on the updated AM 8.6 server appliances.

====ReplicaReplication.log file====
Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "uk_ims_certificates"
  Detail: Key (name, purpose, ref_id)=(<Root_CA_filename>.der, RADIUS_TRUST_CERT, NULL) already exists.
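
The log signature above can be searched for mechanically. The shell function below is an added example, not RSA code or part of the original article; the sample log lines, the placeholder file name example-root-ca.der and the purpose value OTHER_PURPOSE are constructed for illustration.

```shell
#!/bin/sh
# Added example, not RSA code: find the duplicate-key error that the article
# ties to a manually imported RADIUS trust certificate.

# Reads the log from the file arguments, or stdin when none are given.
# Prints each affected certificate name once; exit status 0 if any, else 1.
find_radius_trust_dupes() {
    awk '
        # Constraint named in the article; the Detail line must follow directly.
        /duplicate key value violates unique constraint "uk_ims_certificates"/ {
            hit = 1; next
        }
        hit && /Detail: Key \(name, purpose, ref_id\)=\(/ {
            hit = 0
            line = $0
            sub(/^.*\)=\(/, "", line)              # keep only the value tuple
            sub(/\) already exists.*$/, "", line)
            n = split(line, f, ", ")
            # Report only rows whose purpose is the RADIUS trust store.
            if (n == 3 && f[2] == "RADIUS_TRUST_CERT" && !(f[1] in seen)) {
                seen[f[1]] = 1; print f[1]; found = 1
            }
            next
        }
        { hit = 0 }
        END { exit(found ? 0 : 1) }
    ' "$@"
}

# Constructed sample input. example-root-ca.der is a placeholder name and
# OTHER_PURPOSE is a made-up value used to show a non-matching row.
sample_log() {
    cat <<'EOF'
2022-03-10 10:00:01 INFO replication cycle started
Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "uk_ims_certificates"
  Detail: Key (name, purpose, ref_id)=(example-root-ca.der, RADIUS_TRUST_CERT, NULL) already exists.
Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "uk_ims_certificates"
  Detail: Key (name, purpose, ref_id)=(other.der, OTHER_PURPOSE, NULL) already exists.
EOF
}

if names=$(sample_log | find_radius_trust_dupes); then
    echo "duplicate RADIUS_TRUST_CERT entries: $names"
else
    echo "no RADIUS_TRUST_CERT duplicate-key errors found"
fi
```

To check a real appliance, pass the path of the ReplicaReplication.log file as the argument; any name printed is a certificate whose RADIUS_TRUST_CERT row already existed.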
 
Resolution
Obtain the March 3 rsa-am-pre-upgrade-check-1.0.zip, which is 9KB. The bad Feb. 18th rsa-am-pre-upgrade-check-1.0.zip is only 7KB.
Do not try to fix this false finding.
Workaround
Ignore this single FAILURE when using the original 7KB script.