Update to Authentication Manager 8.6 (base, P1 or P2) with replacement console certificates causes RADIUS "Can't connect to" Authentication failures
2 years ago
Article Number
000067903
Applies To
Authentication Manager version 8.6, 8.6 p1 and 8.6 p2
Issue
If Authentication Manager (AM) 8.5 or earlier is using replacement console certificates and is then updated or upgraded to AM ver. 8.6, RADIUS authentications will fail with "Can't connect to <AM_server_FQDN>" and (Connection refused) errors.

AM 8.6 P3 has a fix for this.
AM 8.5 is not affected by this.

The workaround is to revert the console replacement certificate back to the RSA self-signed certificate.
 
Tasks
1. backup original radius-am-8.6.0.x.0.jar where .x = 0, 1 or 2
2. copy radius-am-8.6.0.2.0.jar to AM server
3. If necessary, i.e. you are not running AM 8.6 patch 2, rename radius-am-8.6.0.2.0.jar to your patch level, either 0, 1 or 2
4. verify there are two .jar files; radius-am-8.6.0.x.0.jar and radius-am-8.6.0.x.0.jar.BAK, where .x is your patch level; 0, 1 or 2
5. copy radius-am-8.6.0.x.0.jar to other RADIUS directories
6. make backup copy of config.xml
7. edit config.xml 
8. Delete 2 files; radius_connector.ini & securID_radius_connector.crt
9. restart the services
 
Resolution
1. backup original radius-am-8.6.0.x.0.jar where .x = 0, 1 or 2
 cd /opt/rsa/am/server/servers/biztier/tmp/_WL_user/am-app/cl8cne/APP-INF/lib
 cp radius-am-8.6.0.1.0.jar radius-am-8.6.0.1.0.jar.BAK

 
2. copy radius-am-8.6.0.2.0.jar to AM server with SCP, put in /opt/rsa/am/server/servers/biztier/tmp/_WL_user/am-app/cl8cne/APP-INF/lib directory (step 1 directory)
 cp /tmp/radius-am-8.6.0.2.0.jar .

3. If necessary, i.e. you are not running AM 8.6 patch 2, rename radius-am-8.6.0.2.0.jar to your patch level, either 0, 1 or 2
 mv radius-am-8.6.0.2.0.jar radius-am-8.6.0.1.0.jar

4. verify there are two .jar files; radius-am-8.6.0.x.0.jar and radius-am-8.6.0.x.0.jar.BAK, where .x is your patch level; 0, 1 or 2

5. copy radius-am-8.6.0.x.0.jar to three other RADIUS directories
 cd /opt/rsa/am/server/servers/console/tmp/_WL_user/console-shared-library/6cyrqo/WEB-INF/lib
 cp /opt/rsa/am/server/servers/biztier/tmp/_WL_user/am-app/cl8cne/APP-INF/lib/radius-am-8.6.0.1.0.jar .

 cd /opt/rsa/am/server/servers/AdminServer/tmp/_WL_user/console-shared-library/8hkrcb/WEB-INF/lib
 cp /opt/rsa/am/server/servers/biztier/tmp/_WL_user/am-app/cl8cne/APP-INF/lib/radius-am-8.6.0.1.0.jar .

 cd /opt/rsa/am/server/servers/radiusoc/tmp/_WL_user/am-radius-app/n6rnym/APP-INF/lib
 cp /opt/rsa/am/server/servers/biztier/tmp/_WL_user/am-app/cl8cne/APP-INF/lib/radius-am-8.6.0.1.0.jar .

6. make backup copy of config.xml
 cd /opt/rsa/am/server/config
 cp config.xml config.xml.BAK

7. edit config.xml
   Search for this section:
    <name>AuthnRadiusServiceHttpsChannel</name>
   Delete the following line in that section and save the file
       <channel-identity-customized>true</channel-identity-customized>

   Change server_identity_key_webserver to server_identity_key in this line
       <custom-private-key-alias>server_identity_key_webserver</custom-private-key-alias>

Note: vi editor commands, use arrows to move up, down, left, right
i = insert mode, enter text where cursor is, backspace will delete back
<esc> to exit insert or other mode
d = delete mode, move cursor to highlight what to delete
dd = delete whole line
slash /   to search or find
<esc> to get back to text
: colon means document command
:wq    =  write (save) and quit (exit vi)
:q!    = quit (exit vi) without writing (saving) the changes.  

 cd /opt/rsa/am/server/config
 vi config.xml
Use 'slash' / to search for string
   /<name>AuthnRadiusServiceHttpsChannel</name>
then, 3-4 lines below it, delete the line with '<channel-identity-customized>true</channel-identity-customized>'

Finally, change server_identity_key_webserver to server_identity_key in this line
    <custom-private-key-alias>server_identity_key_webserver</custom-private-key-alias>
Enter insert mode, then backspace to delete '_webserver', leaving only 'server_identity_key'

:wq    =  write (save) and quit (exit vi)
:q!    = quit (exit vi) without writing (saving) the changes.  

8. Delete 2 files; radius_connector.ini & securID_radius_connector.crt
  cd  /opt/rsa/am/radius
   rm  /opt/rsa/am/radius/radius_connector.ini
   rm  /opt/rsa/am/radius/securID_radius_connector.crt

9. restart the services
 cd /opt/rsa/am/server
./rsaserv restart all
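
Step 7 as a scoped, non-interactive edit, added here as an example (not RSA's own script): the awk filter changes only the AuthnRadiusServiceHttpsChannel section, so the same two elements in any other channel are left alone. It assumes the section ends at the next </network-access-point> tag; the function names, the sample config and the OtherExampleChannel name are constructed for illustration.

```shell
#!/bin/sh
# Added example: scoped version of the step 7 config.xml edit.
# Assumption: the channel is a <network-access-point> element, so the section
# runs from its <name> line to the next </network-access-point> line.

# fix_radius_channel FILE -> prints the edited config on stdout
fix_radius_channel() {
    awk '
        /<name>AuthnRadiusServiceHttpsChannel<\/name>/ { in_chan = 1 }
        # Inside the RADIUS channel only: drop the customized-identity flag
        in_chan && /<channel-identity-customized>true<\/channel-identity-customized>/ { next }
        # Inside the RADIUS channel only: point the alias back at server_identity_key
        in_chan && /<custom-private-key-alias>/ {
            sub(/server_identity_key_webserver/, "server_identity_key")
        }
        in_chan && /<\/network-access-point>/ { in_chan = 0 }
        { print }
    ' "$1"
}

# Constructed sample input (not a real config.xml). The first channel is a
# hypothetical one that must come through unchanged.
make_sample() {
    cat <<'EOF'
<server>
  <network-access-point>
    <name>OtherExampleChannel</name>
    <channel-identity-customized>true</channel-identity-customized>
    <custom-private-key-alias>server_identity_key_webserver</custom-private-key-alias>
  </network-access-point>
  <network-access-point>
    <name>AuthnRadiusServiceHttpsChannel</name>
    <protocol>https</protocol>
    <channel-identity-customized>true</channel-identity-customized>
    <custom-private-key-alias>server_identity_key_webserver</custom-private-key-alias>
  </network-access-point>
</server>
EOF
}

# Demo: edit a temporary copy and show the diff an operator would review.
tmp=$(mktemp) && make_sample > "$tmp"
fix_radius_channel "$tmp" > "$tmp.new"
diff "$tmp" "$tmp.new" || true
rm -f "$tmp" "$tmp.new"
```

Run it against a copy of config.xml, compare the result with config.xml.BAK from step 6, and only then replace the live file.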