Change the Authentication Service port number for RSA Authentication Manager 8.x
2 years ago
Originally Published: 2015-11-25
Article Number
000049944
Applies To
RSA Product Set: SecurID
RSA Product/Service Type:  Authentication Manager
RSA Version/Condition: 8.1 Service Pack 1 or later
Issue
This article explains how to change the default Authentication Service port of 5500/UDP to another port number.
Tasks
To change the Authentication Service port number, follow the steps below:
  1. Logon to the Security Console with an administrative account.
  2. Navigate to Setup > System Settings.
  3. From Authentication Settings, click on Agents.
  4. Under Communication Ports, change the Authentication Service port number.
  5. Click Save.
For example,
 
User-added image
  1. In the Security Console, click Access  > Authentication Agents.
  2. Click Generate Configuration File > Generate Configuration File.
  3. Click Download Now to save the AM_Config.zip locally.  The file contains the new sdconf.rec.
  4. Where SSH is enabled for command line access, use a a secure FTP client (such as WinSCP) to copy the new sdconf.rec to /tmp of the Authentication Manager primary instance.
  5. At the command line using the rsaadmin account, navigate to the /opt/rsa/am/radius folder.
  6. Make a copy of the existing sdconf.rec file and name it sdconf.rec-5500:
cp sdconf.rec sdconf.rec-5500
  1. Copy the new sdconf.rec from /tmp to /opt/rsa/am/radius:
cp /tmp/sdconf.rec /opt/rsa/am/radius/sdconf.rec

Failing to update the sdconf.rec file correctly will result in the message Failed to initialize communications for SecurID authentication (result = 23) being generated in the RADIUS date.log file (named yyyymmdd.log; based on the current date. For example: 20190730.log).

  1. Reboot the SecurID appliance instance for the new port number to be used by the Authentication Service.  Reboot in one of two ways:
  • Login to the Operations Console and select Maintenance > Reboot Appliance.
  • At the command line type
/opt/rsa/am/server/rsaserv restart all
  1. At the command line check the authentication service is listening on the new port number:
netstat –ano | grep <port_number>

For example, where the new authentication service port number is 5516: armadillo
  
rsaadmin@am81p:~> netstat -ano | grep 5516
udp        0      0 127.0.0.1:5516          :::*                                off (0.00/0/0)
udp        0      0 127.0.0.2:5516          :::*                                off (0.00/0/0)
udp        0      0 192.168.31.14:5516      :::*                                off (0.00/0/0)
rsaadmin@am81p:~>
  1. Update the deployed RSA Authentication Agents with the new sdconf.rec. 
    1. Close the agent.
    2. Find the existing sdconf.rec on the agent machine. 
    3. Rename the file to sdconf.rec.old. 
    4. Paste the new sdconf.rec into the same directory.  
    5. Restart the agent.
    6. Confirm that the port number has been updated.
The screen shot shown here is of the RSA Authentication Agent using the new port 5516:
 
User-added image



Troubleshooting

To troubleshoot incoming SecurID authentications on the new port number use the following command:

sudo tcpdump -i eth0 -Z root -n -A -v port <port_number>

The example below shows tcpdump capturing packets for a successful authentication on port 5516: 
rsaadmin@am81p:~> sudo tcpdump -i eth0 -Z root -n -A -v port 5516
rsaadmin's password: <enter operating system password>
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:46:32.741789 IP (tos 0x0, ttl 126, id 32236, offset 0, flags [none], proto UDP (17), length 152) 192.168.54.61.49710 > 192.168.31.14.5516: UDP, length 124
E...}...~....>.=
>.........Hg...............................................................
15:46:32.742807 IP (tos 0x0, ttl 64, id 8425, offset 0, flags [DF], proto UDP (17), length 152) 192.168.31.14.5516 > 192.168.54.61.49710: UDP, length 124
E... .@.@.F.
>...>.=.......\g..............
.....eZtWnf7wj7fPElD9reNCyQ==...........
15:46:37.273177 IP (tos 0x0, ttl 126, id 32262, offset 0, flags [DF], proto UDP (17), length 580) 192.168.54.61.49710 > 192.168.31.14.5516: UDP, length 552
E..D~.@.~....>.=
>.......0.?[.]..............L....>;j...'m....F. ?.O........8......!HxI4*0.H
15:46:37.291612 IP (tos 0x0, ttl 64, id 8426, offset 0, flags [DF], proto UDP (17), length 536) 192.168.31.14.5516 > 192.168.54.61.49710: UDP, length 508
E... .@.@.E$
>...>.=........l.].........VS...D.;.........    ...Y0.................G.m......jG.
15:46:37.306156 IP (tos 0x0, ttl 126, id 32264, offset 0, flags [DF], proto UDP (17), length 580) 192.168.54.61.49710 > 192.168.31.14.5516: UDP, length 552
E..D~.@.~....>.=
>.......0.k\.%...............I<.d..N.F.Er..t..o&.Q....:..../.a..Y...$|..RU%
15:46:39.306804 IP (tos 0x0, ttl 64, id 8427, offset 0, flags [DF], proto UDP (17), length 536) 192.168.31.14.5516 > 192.168.54.61.49710: UDP, length 508
E... .@.@.E#
>...>.=........l.%...............E.....U....<5.l. ..]...34. ..-t..<...r..~....h
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
 
Notes
Changing the Authentication Service port number on the Authentication Manager primary instance automatically updates the Authentication Manager replica instance(s); however, the RSA RADIUS requires a new sdconf.rec and the Authentication Manager instance requires a reboot after making the changes spelled out in the Tasks section above.

Related Articles

Trending Articles

Don't see what you're looking for?