RSA Authentication Agent 7.1 for PAM for AIX acetest program fails to authenticate a username
2 years ago
Originally Published: 2016-10-24
Article Number
000042801
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
RSA Version/Condition: 7.1
Issue
The acetest program included with the PAM agent reports the following error when installed on IBM AIX:

Unexpected error from ACE/Agent API 

The real-time authentication activity monitor reports the following error when authentications are sent to an Authentication Manager server:

Node secret mismatch: cleared on agent but not on server

Cause
The RSA Authentication Agent for PAM for AIX are 32-bit binaries and the PAM agent has been installed onto a 64-bit IBM AIX server where another third-party product is using 64-bit binaries and acting as another authentication agent. The node secret was created by the third-party product and the PAM agent is unable to read the node secret.
Resolution
The third-party product on the IBM AIX server and RSA Authentication Agent for PAM for IBM AIX must use different folders to store the SecurID configuration files. A conversion utility provided with the PAM agent called ns_conv_util can be used to convert the node secret file (securid) created by the third-party product which allows the PAM agent to read the converted node secret.

NOTE: The default location of the SecurID configuration files used by the PAM agent is /var/ace, but this can be changed by editing the /etc/sd_pam.conf file.

For information on the usage of ns_conv_util, please refer to pages 18 and 19 of the RSA Authentication Agent 7.1 for PAM Installation and Configuration Guide for AIX.
Notes
The SecurID configuration files are:
  • The sdconf.rec (configuration record generated from the Security Console),
  • The securid (node secret) normally created during the first authentication attempt from the agent to the Authentication Manager server(s),
  • The sdstatus.12 created by the PAM agent that lists servers in the deplyment and which are responding fastest, and
  • The sdopts.rec which allows for an IP address to be specified that is used to communicate with the Authentication Manager deployment server(s).

Related Articles

Trending Articles

Don't see what you're looking for?