Authentication Manager version 8.5: Failed to register to the FedRamp - Govcloud Cloud Authentication Service
Originally Published: 2021-08-30
Article Number
000044282
Applies To
RSA Product Set: RSA SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.5.0
Platform: Linux
O/S Version: Suse Linux
 
Issue
Registering Authentication Manager with the Cloud Authentication Service fails from the AM 8.5 Security Console (Setup - System - Authentication Settings) with:
ERROR: Failed to register to the Cloud Authentication Service
An unknown system error occurred.
===imsTrace.log===
2021-08-09 12:19:52,772, [[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'], (RetriveRootCertificate.java:178), trace.com.rsa.authmgr.integration.via.internal.client.RetriveRootCertificate, FATAL, <primary_FQDN>,,,,Exception while retrieving the root certificate.
java.lang.RuntimeException: io.netty.channel.ConnectTimeoutException: connection timed out: access.securidgov.com/20.140.188.86:80

Connection to https://access.securidgov.com from the AM primary and the embedded IDR fails with:
FATAL, <primary>.qnet.com,,,,Exception while retrieving the root certificate.
Connection timed out: access.securidgov.com/20.140.188.86:80
Cause
The Cloud Authentication Service (CAS) connection for an AM 8.x server and/or its embedded IDR comes in two types:
  1. Original, non-FedRAMP, to https://access.securid.com, supported since AM 8.3 P1
  2. Newer, FedRAMP, to https://access.securidgov.com, which is the CAS for GovCloud sites, supported in AM 8.5 P5 and AM 8.6 P1 or later.

Both connections are essentially the same, though they use slightly different certificate trust chains, which Engineering must include in an internal .jks keystore in a specific patch or version of Authentication Manager.

Typical registration failure messages are fairly clear, for example: Invalid or expired registration code
[Image: SC-Setup-System-CAS-config-failed.png]

But when the Security Console shows "An unknown system error occurred" and /opt/rsa/am/server/logs/imsTrace.log shows:
FATAL, <primary_FQDN>,,,,Exception while retrieving the root certificate.
java.lang.RuntimeException: io.netty.channel.ConnectTimeoutException: connection timed out: access.securidgov.com/20.140.188.86:80

the first thing to check is that you have AM 8.5 patch 5.
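The following triage script is an added example and is not part of the RSA article or the product; it shows how an administrator can tell the two failure signatures above apart from imsTrace.log and then test reachability of the exact endpoint the log names (note the log reports port 80, not 443). The function names, the AM_TRACE_LOG variable and the sample log text are constructed for illustration; only the log path and message strings come from the article.

```shell
#!/bin/bash
# Added example (not RSA code): triage CAS registration failures from imsTrace.log.
# Assumed default log path is the one named in the article.
AM_TRACE_LOG="${AM_TRACE_LOG:-/opt/rsa/am/server/logs/imsTrace.log}"

# Pull "host/ip:port" out of a netty ConnectTimeoutException line, if the log has one.
cas_timeout_endpoint() {
  grep -o 'ConnectTimeoutException: connection timed out: [^[:space:]]*' "$1" 2>/dev/null \
    | head -n 1 | sed 's/.*: //'
}

# Split "access.securidgov.com/20.140.188.86:80" into its host and port parts.
endpoint_host() { printf '%s\n' "$1" | cut -d/ -f1; }
endpoint_port() { printf '%s\n' "$1" | sed 's/.*://'; }

# Classify the failure so the right troubleshooting path is followed:
#   cas-root-cert-timeout <endpoint>  root-certificate fetch timed out; verify AM 8.5 P5 / 8.6 P1 first
#   registration-code                 invalid or expired registration code; re-issue the code
#   none                              neither signature is present in the log
classify_cas_failure() {
  log="$1"
  if grep -q 'Exception while retrieving the root certificate' "$log" 2>/dev/null; then
    ep=$(cas_timeout_endpoint "$log")
    printf 'cas-root-cert-timeout %s\n' "${ep:-unknown-endpoint}"
  elif grep -qi 'Invalid or expired registration code' "$log" 2>/dev/null; then
    printf 'registration-code\n'
  else
    printf 'none\n'
  fi
}

# Live check (needs network): can this host open a TCP connection to the endpoint
# named in the log, on the port the log names? Uses bash's /dev/tcp pseudo-device.
tcp_reachable() {
  host="$1"; port="$2"
  if timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
    echo reachable
  else
    echo unreachable
  fi
}

# Stand-alone run: ./cas_triage.sh --run  (uses the real log if present, else the
# constructed sample below, which mirrors the two lines quoted in the article).
if [ "${1:-}" = "--run" ]; then
  if [ -r "$AM_TRACE_LOG" ]; then
    log="$AM_TRACE_LOG"
  else
    log=$(mktemp)
    printf '%s\n' \
      '2021-08-09 12:19:52,772, [[ACTIVE] ExecuteThread: '"'"'12'"'"' ...], (RetriveRootCertificate.java:178), trace.com.rsa.authmgr.integration.via.internal.client.RetriveRootCertificate, FATAL, am-primary.example.com,,,,Exception while retrieving the root certificate.' \
      'java.lang.RuntimeException: io.netty.channel.ConnectTimeoutException: connection timed out: access.securidgov.com/20.140.188.86:80' \
      > "$log"
    echo "no readable $AM_TRACE_LOG; using constructed sample $log"
  fi
  result=$(classify_cas_failure "$log")
  echo "classification: $result"
  case "$result" in
    cas-root-cert-timeout\ *)
      ep=${result#cas-root-cert-timeout }
      echo "endpoint from log: $ep"
      echo "tcp to $(endpoint_host "$ep"):$(endpoint_port "$ep"): $(tcp_reachable "$(endpoint_host "$ep")" "$(endpoint_port "$ep")")"
      ;;
  esac
fi
```

If the classification is cas-root-cert-timeout and the AM build is already 8.5 P5 or 8.6 P1 or later, the reachability result tells you whether the remaining problem is outbound network access to the endpoint on the port the log reports, which is where the proxy discussion in the Notes becomes relevant.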
Resolution
The Authentication Manager (AM) 8.5 patch 5 readme lists the following fix:
AM-42355. Added support for the FedRAMP domain name securidgov.com to the embedded identity router.

You need AM 8.5 P5 or AM 8.6 P1 or later.
Notes
This error sounds and feels like a proxy server is controlling access to the Internet, so you could spend time on Knowledge Base (KB) articles 38668 or 38779, which describe adding the proxy server's certificates to /opt/rsa/am/server/security/trust.jks with keytool. That step applies only when the proxy server terminates the SSL connection inside the corporate network and builds a new SSL connection to https://access.securid.com or https://access.securidgov.com.