RSA Authentication Manager no longer connects to the RSA Cloud Access Service
5 months ago
Article Number
000073676
Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4 / 8.5 / 8.6 / 8.7 / 8.7 SP1 / 8.7 SP2

Issue

The Security Console reports "Unable to retrieve the certificate.Contact your help desk or your network administrator."


Connection to RSA Cloud Authentication Service fails with "Failed to register to the RSA Cloud Authentication Service".


Where the Authentication Manager Trace log has been set to 'Verbose', the /opt/rsa/am/server/logs/imsTrace.log file reports the following exception:

2025-10-28 09:04:11,099, [[ACTIVE] ExecuteThread: '14' for queue: 'weblogic.kernel.Default (self-tuning)'], (CASApiAdminOperationsImpl.java:722), trace.com.rsa.internal.admin.casapimgmt.impl.CASApiAdminOperationsImpl, FATAL, am87sp2A.securidcsapj.local,,,,SSL Exception
javax.net.ssl.SSLException: Certificate not verified.
        at com.rsa.sslj.x.aI.b(Unknown Source)
        at com.rsa.sslj.x.aI.a(Unknown Source)
        at com.rsa.sslj.x.aI.a(Unknown Source)
        at com.rsa.sslj.x.ap.c(Unknown Source)
        at com.rsa.sslj.x.ap.a(Unknown Source)
        at com.rsa.sslj.x.ap.j(Unknown Source)
        at com.rsa.sslj.x.ap.i(Unknown Source)
        at com.rsa.sslj.x.ap.h(Unknown Source)
        at com.rsa.sslj.x.aT.startHandshake(Unknown Source)
        at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
        at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
        at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
        at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
        at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
        at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
        at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
        at okhttp3.RealCall.execute(RealCall.java:81)
        at com.rsa.internal.admin.casapimgmt.impl.CASApiAdminOperationsImpl.a(CASApiAdminOperationsImpl.java:926)
        at com.rsa.internal.admin.casapimgmt.impl.CASApiAdminOperationsImpl.c(CASApiAdminOperationsImpl.java:675)
        at com.rsa.internal.admin.casapimgmt.impl.CASApiAdminOperationsImpl.performCasRegistration(CASApiAdminOperationsImpl.java:372)
        at com.rsa.internal.admin.casapimgmt.CASRegistrationApiCommand$Executive.execute(CASRegistrationApiCommand.java:40)
        at com.rsa.internal.admin.casapimgmt.CASRegistrationApiCommand.performExecute(CASRegistrationApiCommand.java:157)
        at com.rsa.command.LocalTarget.executeCommand(LocalTarget.java:119)
        at com.rsa.ims.command.LocalTransactionalCommandTarget.access$0(LocalTransactionalCommandTarget.java:1)
        at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:268)
        at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:1)
        at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:131)
        at com.rsa.ims.command.LocalTransactionalCommandTarget.executeCommand(LocalTransactionalCommandTarget.java:260)
        at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:933)
        at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:1)
        at com.rsa.ims.security.spi.SimpleSecurityContextImpl.doAs(SimpleSecurityContextImpl.java:113)
        at com.rsa.security.SecurityContext.doAs(SecurityContext.java:439)
        at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:445)
        at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:373)
        at com.rsa.command.CommandServerBean.executeCommand(CommandServerBean.java:89)
        at sun.reflect.GeneratedMethodAccessor249.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
        at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
        at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
        at com.oracle.pitchfork.intercept.MethodInvocationInvocationContext.proceed(MethodInvocationInvocationContext.java:101)
        at com.oracle.pitchfork.intercept.JeeInterceptorInterceptor.invoke(JeeInterceptorInterceptor.java:101)
        at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
        at com.oracle.pitchfork.intercept.MethodInvocationInvocationContext.proceed(MethodInvocationInvocationContext.java:101)
        at org.jboss.weld.module.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:81)
        at org.jboss.weld.module.ejb.SessionBeanInterceptor.aroundInvoke(SessionBeanInterceptor.java:52)
        at sun.reflect.GeneratedMethodAccessor248.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.oracle.pitchfork.intercept.JeeInterceptorInterceptor.invoke(JeeInterceptorInterceptor.java:94)
        at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
        at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:136)
        at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:124)
        at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
        at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
        at com.sun.proxy.$Proxy280.executeCommand(Unknown Source)
        at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.__WL_invoke(Unknown Source)
        at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invokeInternal(SessionRemoteMethodInvoker.java:54)
        at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:21)
        at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.executeCommand(Unknown Source)
        at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl_WLSkel.invoke(Unknown Source)
        at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:685)
        at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:246)
        at weblogic.rmi.internal.BasicServerRef$3.run(BasicServerRef.java:564)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:386)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:163)
        at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:561)
        at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:144)
        at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:352)
        at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:337)
        at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:57)
        at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
        at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:651)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:420)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:360)
Caused by: com.rsa.sslj.x.aL: Certificate not verified.
        at com.rsa.sslj.x.bm.a(Unknown Source)
        at com.rsa.sslj.x.bm.a(Unknown Source)
        at com.rsa.sslj.x.bm.a(Unknown Source)
        ... 87 more
Caused by: java.security.cert.CertificateException: the certificate chain is not trusted, Could not validate path.
        at com.rsa.sslj.x.cq.a(Unknown Source)
        at com.rsa.sslj.x.cq.checkServerTrusted(Unknown Source)
        at com.rsa.sslj.x.cq.checkServerTrusted(Unknown Source)
        at com.rsa.sslj.x.aF.a(Unknown Source)
        ... 90 more
                                                                                                      

The telemetry feature will fail to connect to URL telemetry.access.securid.com with the following message reported in the /opt/rsa/am/server/logs/imsTrace.log file (where Trace log has been set to Verbose):

2025-10-20 21:38:01,982, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (CommandServerEngine.java:897), trace.com.rsa.command.CommandServerEngine, DEBUG, am87sp2.securidcs.net,,,,Command : class com.rsa.am.telemetry.TelemetryTestConnectionCommand
        Execution Exception: com.rsa.common.SystemException: Telemetry Test connection error
com.rsa.common.SystemException: Telemetry Test connection error

 

Cause

RSA has recently moved to using DigiCert Global CA certificates for the Cloud Access Service (and this includes telemetry.access.securid.com).  RSA has posted advisories for this change at URL https://community.rsa.com/s/advisories.

 

Resolution

Customers are advised to upgrade to at least RSA Authentication Manager 8.7 Service Pack 2 Patch 6, as this includes the required certificates to connect to the Cloud Access Service (and telemetry.access.securid.com).

 

RSA has published the RSA Authentication Manager Upgrade Process at URL https://community.rsa.com/s/article/RSA-Authentication-Manager-Upgrade-Process. The procedure used to apply a software update or patch to an Authentication Manager instance is provided at URL https://community.rsa.com/s/article/RSA-Authentication-Manager-Updates-51569344.

Notes

Setting RSA Authentication Manager Trace Log to ‘Verbose’

 

In the primary instance Security Console > Setup > System Settings > Logging > select Instance Type (e.g. Primary) and click Next button > set Trace Log to ‘Verbose’ > select ‘Apply the above settings to the replica instance(s) upon save.’ > Save

 

NOTE: Make a note of the original Trace log value so that it can be restored after troubleshooting has been completed. The default value for Trace log is ‘Fatal’.

 

Debug data is captured in the /opt/rsa/am/server/logs/imsTrace.log log file on the primary and any replica instances.
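The following triage script is an added example, not RSA code. It groups imsTrace.log lines into records and reports whether each failure ends in the untrusted-chain cause shown under Issue or in some other TLS error. The sample log is constructed and abridged from the excerpts above, and the function names and verdict labels are assumptions of this example.

```python
import re
# A record starts with "YYYY-MM-DD HH:MM:SS,mmm, "; the stack frames and
# "Caused by:" lines that follow belong to it.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}, ")
TRUST_FAILURE = "the certificate chain is not trusted"
TELEMETRY_FAILURE = "Telemetry Test connection error"

# Constructed sample: headers and causes abridged from the excerpts on this
# page; the 09:10 record is invented to show a TLS failure of another kind.
SAMPLE = """\
2025-10-28 09:04:11,099, [thread], (CASApiAdminOperationsImpl.java:722), trace.com.rsa.internal.admin.casapimgmt.impl.CASApiAdminOperationsImpl, FATAL, host,,,,SSL Exception
javax.net.ssl.SSLException: Certificate not verified.
        at com.rsa.sslj.x.aT.startHandshake(Unknown Source)
Caused by: com.rsa.sslj.x.aL: Certificate not verified.
Caused by: java.security.cert.CertificateException: the certificate chain is not trusted, Could not validate path.
2025-10-28 09:10:00,000, [thread], (CASApiAdminOperationsImpl.java:722), trace.com.rsa.internal.admin.casapimgmt.impl.CASApiAdminOperationsImpl, FATAL, host,,,,SSL Exception
javax.net.ssl.SSLException: Connection reset
2025-10-20 21:38:01,982, [thread], (CommandServerEngine.java:897), trace.com.rsa.command.CommandServerEngine, DEBUG, host,,,,Command : class com.rsa.am.telemetry.TelemetryTestConnectionCommand
        Execution Exception: com.rsa.common.SystemException: Telemetry Test connection error
""".splitlines()

def split_records(lines):
    """Group raw lines into records, one list per timestamped header."""
    records = []
    for line in lines:
        if RECORD_START.match(line):
            records.append([line.rstrip()])
        elif records and line.strip():
            records[-1].append(line.strip())
    return records

def classify(record):
    """Return (timestamp, component, verdict, root_cause) for one record."""
    header, body = record[0], record[1:]
    comp = re.search(r"trace\.([\w.$]+)", header)
    causes = [l[len("Caused by: "):] for l in body if l.startswith("Caused by: ")]
    root = causes[-1] if causes else ""   # innermost cause is logged last
    verdict = None
    if TRUST_FAILURE in root:
        verdict = "untrusted-chain"       # the signature this article covers
    elif "SSL Exception" in header:
        verdict = "other-tls-failure"     # TLS error with a different root cause
    elif any(TELEMETRY_FAILURE in l for l in body):
        verdict = "telemetry-failure"     # no cause logged; correlate by time
    name = comp.group(1).rsplit(".", 1)[-1] if comp else "unknown"
    return header[:23], name, verdict, root

def triage(lines):
    """Keep only the records that match one of the three signatures."""
    return [c for c in map(classify, split_records(lines)) if c[2]]
```

To run it against a real log, pass an open file handle for a copy of imsTrace.log to triage() in place of SAMPLE.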

 

Software Update Links

AM Software Version: AM 8.7 SP2 P6
Software URL Link: https://community.rsa.com/s/product-download/a9GPO00000009Xx2AI/rsa-authentication-manager-87-sp2-patch-6-update-download

** Access to RSA Authentication Manager software updates and patches requires a registered account on the RSA Community site. Refer to the section ‘RSA Community site registration’ below.

 

Documentation Links

AM Software: AM 8.7 SP2 P6
Release Notes / ReadMe URL Link: https://community.rsa.com/s/article/RSA-Authentication-Manager-8-7-SP2-Patch-6-Readme

 

RSA Community site registration

RSA software downloads require a registered account on the RSA Community site. Registration for an RSA Community site account can be performed at https://enroll.rsasecurity.com/#/form/validation or refer to URL https://community.rsa.com/s/news/registering-for-an-rsa-community-account-MC5FFKBFBKVJBFXM45BR6JDF4HD4 for additional help on the registration process.

RSA Partners who are registering for an RSA Community account will require their Partner Site ID (UCID). Please refer to URL https://community.rsa.com/s/article/Where-can-I-find-my-Partner-Site-ID-if-I-am-an-RSA-SecurWorld-Partner.

Any issues with registering an RSA Community account or the download of RSA SecurID / ID Plus software can be reported to a representative of the RSA Customer Relations Desk where a new case will be opened.

 

RSA Customer Support phone numbers

RSA Customer Support can be contacted on one of the support phone numbers listed at URL https://community.rsa.com/s/news/how-to-contact-rsa-support-MCXZ5QDM4ZQZATLL3Y6NMQVUNYWE (towards the end of the page) or URL https://www.rsa.com/support/#technicalsupport.