How to troubleshoot CT-KIP failures in Authentication Manager 8.x
Originally Published: 2024-07-01
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
Version(s): 8.x
Issue
- How to enable verbose / debug logging on Authentication Manager, AM Web Tier v. 8.x, and
- Enabling debug for troubleshooting an RSA Authentication Manager 8.x web tier deployment, with a focus on the two-step CT-KIP process as seen in the Authentication Manager Real Time Monitor.
| Time Stamp | Admin Action | Admin ID |
|---|---|---|
| 17:04:14 | Delete CTKip Authcode | trustedapp |
| 17:04:14 | Generate CTKip key | trustedapp |
| 17:04:12 | Create CTKip Authcode | <Admin>, e.g. amisbind or other UserID |
| 17:04:12 | update Token | amisbind |
| 17:04:12 | update Token | amisbind |
| 17:04:11 | Create file data | amisbind |
| 17:04:11 | export Token | amisbind |
| 17:04:11 | update Token | amisbind |
| 17:04:11 | Link SWT with SWTDT definition file | amisbind |
| 17:04:11 | update Token | amisbind |
| 17:04:10 | Link Token with Principal | amisbind |
Tasks
- Enable debug for troubleshooting an RSA Authentication Manager 8.x web tier deployment.
- Start the Admin Activity real time monitor (Reporting > Reports > Real Time Monitor > Administration Activity Monitor).
- Reproduce the CT-KIP issue.
- Attach the report to your technical support case for review.
Resolution
- The user ID is assigned a token serial number, which might occur before the CT-KIP import.
- The user requests the token, possibly through the Self-Service Console or portal, or through a custom app. The request might be for a new token, or a replacement token. A Software
- The user imports the token via the CT-KIP URL, which was created when the user requested the software token in step 2 above.
In step 1 the user might be assigned a new or replacement token in real time via a Self-Service Console, portal or app. The administration activity monitor will have various steps such as:
'update Token',
'Link Token with Principal',
'Link SWT with SWTDT definition file',
'export Token', and
'Create file data'.
All activity is performed by an administrator, including an automated account such as amisbind, which is typical of AMIS or Authentication Manager Prime integrations.
In step 2, as the user requests a new or replacement software token, after the serial number is assigned and the user Principal information is updated, the first step of the two-step process to import a software token via the CT-KIP protocol takes place. That step shows as Create CTKip Authcode and is performed by the Authentication Manager administrator account linked to the application or the Self-Service portal, e.g., amisbind or another user ID. In the example above in the Issue section, "Create CTKip Authcode" is the third from last (third from the top) real time admin log entry in the process.
Notes
Third part: The second step of CT-KIP import
| Time Stamp | Admin Action | Admin ID |
|---|---|---|
| 17:04:14 | Delete CTKip Authcode | trustedapp |
| 17:04:14 | Generate CTKip key | trustedapp |
Second part: First step of CT-KIP import
| Time Stamp | Admin Action | Admin ID |
|---|---|---|
| 17:04:12 | Create CTKip Authcode | <Admin>, e.g. amisbind or other UserID |
First part: Software token assignment logs
| Time Stamp | Admin Action | Admin ID |
|---|---|---|
| 17:04:12 | update Token | amisbind |
| 17:04:12 | update Token | amisbind |
| 17:04:11 | Create file data | amisbind |
| 17:04:11 | export Token | amisbind |
| 17:04:11 | update Token | amisbind |
| 17:04:11 | Link SWT with SWTDT definition file | amisbind |
| 17:04:11 | update Token | amisbind |
| 17:04:10 | Link Token with Principal | amisbind |
Notice also that the Generate CTKip key entry is logged at the same time as the Delete CTKip Authcode entry. Sometimes these steps will be reversed in order, e.g., the Delete looks like it came before the Generate. This has not been seen as a problem. It is simply a logging sequence issue.
| Time Stamp | Admin Action | Admin ID |
|---|---|---|
| 17:04:14 | Generate CTKip key | trustedapp |
| 17:04:14 | Delete CTKip Authcode | trustedapp |
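The three-part sequence described above can be checked mechanically when reviewing a captured monitor report. The following is an added example, not RSA code: the function name `ctkip_stage`, the stage labels, and the row layout (time, admin action, admin ID) are assumptions based on the tables in this article, and the sample rows are constructed from the Issue section.

```python
# Added example. Row layout (time, admin action, admin ID) is assumed from the
# tables in this article; it is not an RSA export format.
ASSIGNMENT = {"update Token", "Link Token with Principal",
              "Link SWT with SWTDT definition file", "export Token",
              "Create file data"}
STEP1 = "Create CTKip Authcode"
STEP2 = ("Generate CTKip key", "Delete CTKip Authcode")

def ctkip_stage(rows):
    """Return (stage, detail) for rows of (time 'HH:MM:SS', action, admin ID).

    Rows may be in any order; times are assumed to fall on the same day.
    """
    times = {}
    for time, action, _admin in rows:
        times.setdefault(action, []).append(time)
    if ASSIGNMENT.isdisjoint(times):
        return "no_assignment", "no software token assignment entries"
    if STEP1 not in times:
        return "step1_missing", f"token assigned but no '{STEP1}'"
    missing = [a for a in STEP2 if a not in times]
    if len(missing) == len(STEP2):
        return "step2_missing", "authcode created, no second-step entries"
    if missing:
        return "step2_incomplete", f"no '{missing[0]}'"
    # Generate and Delete may appear in either order (a logging sequence
    # issue per the article), so only compare them against step 1.
    created = min(times[STEP1])
    if any(max(times[a]) < created for a in STEP2):
        return "out_of_order", "second step logged before the authcode"
    return "complete", "both CT-KIP steps logged"

# Constructed sample: the rows from the Issue section, newest first.
SAMPLE = [
    ("17:04:14", "Delete CTKip Authcode", "trustedapp"),
    ("17:04:14", "Generate CTKip key", "trustedapp"),
    ("17:04:12", "Create CTKip Authcode", "amisbind"),
    ("17:04:12", "update Token", "amisbind"),
    ("17:04:12", "update Token", "amisbind"),
    ("17:04:11", "Create file data", "amisbind"),
    ("17:04:11", "export Token", "amisbind"),
    ("17:04:11", "update Token", "amisbind"),
    ("17:04:11", "Link SWT with SWTDT definition file", "amisbind"),
    ("17:04:11", "update Token", "amisbind"),
    ("17:04:10", "Link Token with Principal", "amisbind"),
]

if __name__ == "__main__":
    print(ctkip_stage(SAMPLE))
```

A result other than `complete` indicates which part of the sequence is absent from the report, which is the detail to include in the support case.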