Manually generate a node secret for RSA Authentication Agent for PAM
Originally Published: 2016-03-07
Article Number
Applies To
RSA Product/Service Type: Authentication Agent for PAM
Issue
Resolution
Where a firewall or Security-Enhanced Linux (SELinux) is stopping the storage of the node secret, an administrator can use the Node Secret Utility (agent_nsload) to manually provide the node secret to the RSA Authentication Agent for PAM. The agent_nsload utility is provided in the Authentication Manager 8.x Extras zip file. See 000034558 - How to download RSA Authentication Manager 8.x full kits and service packs from RSA Link for steps to download the file.
General Usage
- Ensure that SSH connectivity is enabled to the SecurID Appliance running Authentication Manager 8.x. From the Operations Console, select Administration > Operating System Access. Under SSH Settings, check the option to enable eth0 and click Save.
- With WinSCP or another file transfer utility, copy the agent_nsload file (for Linux-x86_64) into /var/ace.
- Start an SSH session.
- Use the command chmod 755 /var/ace/agent_nsload to provide executable permissions.
- Log in to the Security Console and navigate to Access > Authentication Agents > Manage Existing.
- Click on the entry for the PAM agent and select Manage Node Secret.
- Check Create a new random node secret, and export the node secret to a file.
- When prompted, enter an encryption password and click Save.
- With WinSCP or another file transfer utility, copy this <agent_hostname>_NodeSecret.zip file into /var/ace.
- From an SSH session, navigate to /var/ace and unzip the <agent_hostname>_NodeSecret.zip file. This will provide nodesecret.rec.
- Load the node secret into the agent configuration with command /var/ace/agent_nsload -f /var/ace/nodesecret.rec -d /var/ace. The administrator will be prompted to enter the encryption password from step 6.
- Check /var/ace to confirm the existence of the securid file.
- From the Security Console, select Reporting > Real-Time Activity Monitors > Authentication Activity Monitor and click Start Monitor.
- Perform a test authentication with acetest (by default this will be in /opt/pam/bin/64bit/acetest). It is expected that authentication is successful.
Start the real-time authentication activity monitor to troubleshoot any failing authentications.
A secure FTP client can be used to copy files to the SecurID Appliance running RSA Authentication Manager 8.x software when SSH is enabled under Operations Console > Administration > Operating System Access > SSH Settings: check Interface eth0, then click Save.
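As an added example (not part of the original article or of RSA's tooling), the shell function below turns the "confirm the existence of the securid file" step into a scripted check of the directory passed to agent_nsload -d. The function name, its return codes, the permission check and the warning about leftover exported files are assumptions of this example, not RSA requirements.

```shell
#!/bin/sh
# Added example: post-load check of the agent directory (/var/ace in the article).
# Return codes are this example's own convention:
#   0 = securid present, nothing flagged
#   1 = securid missing or empty (node secret was not stored)
#   2 = securid present, but at least one warning was reported

check_node_secret_dir() {
    dir="${1:-/var/ace}"
    findings=0

    # The article's confirmation step: securid must exist after agent_nsload runs.
    if [ ! -s "$dir/securid" ]; then
        echo "FAIL: $dir/securid is missing or empty"
        return 1
    fi

    # Assumption: the stored node secret should carry no permissions for "other".
    # Characters 8-10 of the ls mode string are the "other" permission bits.
    other=$(ls -ld "$dir/securid" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "WARN: $dir/securid grants '$other' to other users"
        findings=1
    fi

    # Assumption: the exported copies are only needed until the load succeeds.
    for f in "$dir"/nodesecret.rec "$dir"/*_NodeSecret.zip; do
        if [ -e "$f" ]; then
            echo "WARN: exported node secret still on disk: $f"
            findings=1
        fi
    done

    # The article names SELinux as a possible blocker; report its mode if known.
    if command -v getenforce >/dev/null 2>&1; then
        echo "INFO: SELinux mode is $(getenforce)"
    fi

    [ "$findings" -eq 0 ] && { echo "OK: $dir/securid present"; return 0; }
    return 2
}
```

Source the file and call `check_node_secret_dir /var/ace` after running agent_nsload; a return code of 1 means the load did not produce the securid file.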