On-demand token delivery is not working after upgrading to RSA Authentication Manager 8.4
Originally Published: 2020-09-18
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4 and higher.
Issue
Failed to send message. SSL connection not verified with peer. Please check that the certificate you imported is valid for this deployment
The /opt/rsa/am/server/logs/imsTrace.log file shows the following errors:
2020-06-08 17:39:26,471, [SMSMessageProcessor Core Thread #4], (HTTPPlugin.java:306), trace.com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin, ERROR, prdvrsamsha01.kpmgmgmt.com,,,, Failed to send an SMS message via HTTP
javax.net.ssl.SSLPeerUnverifiedException: No certificate found in session or SSL peer not authenticated.
    at com.rsa.authmgr.internal.smsplugin.impl.SMSSecureProtocolSocketFactory.verifyHostname(SMSSecureProtocolSocketFactory.java:236)
    at com.rsa.authmgr.internal.smsplugin.impl.SMSSecureProtocolSocketFactory.createSocket(SMSSecureProtocolSocketFactory.java:198)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin.executeSendMessage(HTTPPlugin.java:356)
    at com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin.sendRequest(HTTPPlugin.java:302)
    at com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin.send(HTTPPlugin.java:279)
    at com.rsa.authmgr.internal.message.processor.impl.MessageHandlerImpl.handle(MessageHandlerImpl.java:84)
    at com.rsa.authmgr.internal.message.processor.impl.MessageProcessorImpl$MessageProcessorTask.run(MessageProcessorImpl.java:493)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
2020-06-08 17:39:26,472, [SMSMessageProcessor Core Thread #4], (HTTPPlugin.java:281), trace.com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin, ERROR, prdvrsamsha01.kpmgmgmt.com,,,,Failed to create SMS HTTP request
com.rsa.common.InvalidArgumentException: Failed to send SMS message via HTTP
    at com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin.sendRequest(HTTPPlugin.java:309)
    at com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin.send(HTTPPlugin.java:279)
    at com.rsa.authmgr.internal.message.processor.impl.MessageHandlerImpl.handle(MessageHandlerImpl.java:84)
    at com.rsa.authmgr.internal.message.processor.impl.MessageProcessorImpl$MessageProcessorTask.run(MessageProcessorImpl.java:493)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
The ODA certificate is valid and not expired.
Cause
Resolution
If Authentication Manager is running 8.4 P2 or higher, the hotfix is already available, so the utility can be run directly by following the steps below:
- Open an SSH session on the Authentication Manager server. Log in as the rsaadmin user; note that another username may have been selected during Quick Setup. If that is the case, use that username to log in.
- Go to /opt/rsa/am/utils.
- Run the command:
./rsautil store -a add_config ims.tls.cipher_list.use_via_trust true GLOBAL BOOLEAN
This global variable prevents Authentication Manager 8.4 from including the TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite in the SSL client hello.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Tue Feb 26 10:36:31 2018 from 192.168.2.102
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils
rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil store -a add_config ims.tls.cipher_list.use_via_trust true GLOBAL BOOLEAN
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
psql.bin:/tmp/f8e39a3c-a614-41e3-be96-299e670f0a73525273943558510875.sql;0108; NOTICE: Added the new configuration parameter "ims.tls.cipher_list.use_via_trust" with the value "true"
add_config
---------------------
(1 row)

If the configuration parameter "ims.tls.cipher_list.use_via_trust" has already been added, you can update it using the command below.

rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil store -a update_config ims.tls.cipher_list.use_via_trust false GLOBAL BOOLEAN
Please enter OC Administrator user name: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
psql.bin:/tmp/e6871864-6126-47cc-af20-0c261a3bbb643013521437038491182.sql;167; NOTICE: Added the new configuration parameter "ims.tls.cipher_list.use_via_trust" from "true" to "false" for the instance 'GLOBAL'.
update_config
---------------------
(1 row)
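
To confirm that the change took effect, the following added example (not part of the original article or of RSA's tooling) counts the SMS plugin's SSLPeerUnverifiedException records in imsTrace.log, optionally only those logged at or after a given time. The function names, the sample log lines, the host name am.example.com and the 18:00 change time are constructed for illustration.

```shell
#!/bin/sh
# Added example: count SMS-plugin TLS peer-verification failures in imsTrace.log.
# Usage: sms_tls_failures LOGFILE [SINCE]   SINCE is "YYYY-MM-DD HH:MM:SS"; "-" reads stdin.
sms_tls_failures() {
    awk -v since="${2:-}" '
        # A record header looks like: 2020-06-08 17:39:26,471, [thread], (source), logger, LEVEL, ...
        /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9:]+,[0-9]+, \[/ {
            ts = substr($0, 1, 19)
            # Track only ERROR records from the SMS HTTP plugin at or after SINCE.
            # Timestamps in this format sort lexically, so a string compare is enough.
            in_sms = ($0 ~ /smsplugin\.impl\.HTTPPlugin, ERROR,/) && (since == "" || ts >= since)
            # Some viewers flatten the trace onto the header line; count that form too.
            if (in_sms && $0 ~ /SSLPeerUnverifiedException/) { n++; in_sms = 0 }
            next
        }
        # Exception line following a tracked header: count once per record.
        in_sms && /SSLPeerUnverifiedException/ { n++; in_sms = 0 }
        END { print n + 0 }
    ' "${1:--}"
}

# Constructed sample input: the host name and the 18:05 record are made up for the example.
sample_log() {
    cat <<'EOF'
2020-06-08 17:39:26,471, [SMSMessageProcessor Core Thread #4], (HTTPPlugin.java:306), trace.com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin, ERROR, am.example.com,,,, Failed to send an SMS message via HTTP
javax.net.ssl.SSLPeerUnverifiedException: No certificate found in session or SSL peer not authenticated.
	at com.rsa.authmgr.internal.smsplugin.impl.SMSSecureProtocolSocketFactory.verifyHostname(SMSSecureProtocolSocketFactory.java:236)
2020-06-08 17:39:26,472, [SMSMessageProcessor Core Thread #4], (HTTPPlugin.java:281), trace.com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin, ERROR, am.example.com,,,,Failed to create SMS HTTP request
com.rsa.common.InvalidArgumentException: Failed to send SMS message via HTTP
2020-06-08 18:05:10,120, [SMSMessageProcessor Core Thread #2], (HTTPPlugin.java:306), trace.com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin, ERROR, am.example.com,,,, Failed to send an SMS message via HTTP
javax.net.ssl.SSLPeerUnverifiedException: No certificate found in session or SSL peer not authenticated.
EOF
}

# Failures logged at or after a hypothetical 18:00 configuration change; prints 1 for the sample.
sample_log | sms_tls_failures - "2020-06-08 18:00:00"
```

On the appliance, pass /opt/rsa/am/server/logs/imsTrace.log as the first argument and the time the rsautil command was run as the second; a count of 0 after a test on-demand token request indicates the failures have stopped.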
Notes