Self Service Console Login Fails with the Authenticate Tokencode after Upgrading Authentication Manager to V8.5 or Later
Originally Published: 2023-01-16
Article Number
000068062
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.5 and above
Issue
After upgrading Authentication Manager to V8.5 in a deployment that was already connected to the Cloud Authentication Service, logging in to the Self Service Console fails.

The System Activity Monitor shows 'Identity Router not reachable' errors, despite a successful AM-to-Cloud connection in the Security Console. 

The log file /opt/rsa/am/server/logs/imsTrace.log contains the following error:
java.net.UnknownHostException: identityrouter.rsa-securid.com: Name or service not known
Note: The Identity Router's hostname (identityrouter.rsa-securid.com in the error above) could vary from one deployment to another.
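
To confirm this symptom on an appliance, the following added example (not RSA code and not part of the original article) summarises the UnknownHostException entries in imsTrace.log per hostname. The function names and the sample log lines are assumptions made for illustration; only the exception text and the log path come from the article.

```shell
#!/bin/sh
# Added example (not RSA code): summarise the UnknownHostException entries
# that the article quotes from imsTrace.log.

# unresolved_hosts FILE
# Prints "<hostname> <hits> <line number of last hit>" per distinct host.
unresolved_hosts() {
    awk '
        match($0, /java\.net\.UnknownHostException: [^: ]+: Name or service not known/) {
            host = substr($0, RSTART, RLENGTH)
            sub(/^java\.net\.UnknownHostException: /, "", host)
            sub(/: Name or service not known$/, "", host)
            hits[host]++
            last[host] = NR
        }
        END { for (h in hits) print h, hits[h], last[h] }
    ' "$1" | sort
}

# Constructed sample. Only the exception text comes from the article; the
# timestamp and level prefix are assumptions about the line layout.
write_sample_log() {
    cat > "$1" <<'EOF'
2023-01-10 09:14:02,101 ERROR java.net.UnknownHostException: identityrouter.rsa-securid.com: Name or service not known
2023-01-10 09:14:05,233 INFO  Self-Service Console login request received
2023-01-10 09:15:40,870 ERROR java.net.UnknownHostException: identityrouter.rsa-securid.com: Name or service not known
EOF
}

LOG=/opt/rsa/am/server/logs/imsTrace.log
if [ -r "$LOG" ]; then
    # On the appliance: also ask the local resolver about each host.
    unresolved_hosts "$LOG" | while read -r host hits last; do
        getent hosts "$host" >/dev/null 2>&1 && dns="resolves" || dns="does not resolve"
        echo "$host: $hits entries, last at line $last, currently $dns"
    done
else
    demo=$(mktemp)
    write_sample_log "$demo"
    unresolved_hosts "$demo"    # identityrouter.rsa-securid.com 2 3
    rm -f "$demo"
fi
```

Comparing the last-hit line number before and after re-establishing the connection shows whether new errors are still being logged.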


 
Cause
If you upgraded Authentication Manager to version 8.5 and your deployment was already connected to the Cloud Authentication Service, you must re-connect in order to use some version 8.5 features, such as the embedded identity router and High Availability Tokencodes. To re-establish your connection, see Edit the Cloud Authentication Service Connection.

The issue here is that the AM-to-Cloud connection in Authentication Manager versions prior to 8.5 was established from the Operations Console. After upgrading to V8.5, this connection setting needs to be removed/disabled before establishing the AM-to-Cloud connection from the Security Console.
Resolution
  1. Log in to the Operations Console.
  2. Navigate to Deployment Configuration.
  3. Click on RSA SecurID Authenticate App.
  4. Uncheck the 'Allow authentication using Authenticate Tokencodes' checkbox. 
  5. Re-establish a new connection from the Authentication Manager to the Cloud Authentication Service. Click here for the instructions to do so.