Web Server certificate verification failed with RSA Authentication Agent 8.0 for Web for Apache
2 years ago
Originally Published: 2018-01-10
Article Number
000041411
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Web
RSA Version/Condition: 8.x
Platform:  Apache Web Server
 
Issue
The following error is seen in the agent log: 
118-00-03 12:38:23 4294967295.3952.2701068096 [E] error SignatureVerifier.cpp 248 The certificate verification failed
118-00-03 12:38:23 4294967295.3952.2701068096 [V] verbose SignatureVerifier.cpp 258 Leaving validateConfiguration()

 
Cause
A certificate resides inside the sdconf.rec file that is only used for TCP based agent connection.

If, at some point, the RSA Authentication Manager server name changed after its initial deployment, that certificate doesn't change (for backward compatibility) and at that point any new TCP agent when trying to connect it finds that the Authentication Manager server has a different name other than the one in the subject name in the current certificate, thus failing.
Resolution
To fix this issue update the sdconf.rec certificate and then generate a new sdconf.rec file with the new certificate.

To get the certificate and update it

  1. On the primary Authentication Manager server, open Internet Explorer and go to https://<primary hostname >:7002.

Port 7002 is used for communication between an Authentication Manager primary and replica instances and for communication between replica instances (for replay detection).

 
  User-added image
  1. Click on the Certificate error.
  2. Choose the top certificate and click View Certificate.
  3. Click the Copy To File... button.
  4. Click Next.
  5. Click Next > again.  Be sure to leave the DER encoding format.
  6. Enter a name to save the DER-encoded root certificate.
  7. Login to the Security Console and select Setup > System Settings.  
  8. Under the heading for Authentication Settings, click Agents.  
  9. On the top left of the page click the link where it says To configure agents using IPv6, click here.
  10. Scroll down to the section on Existing Certificate Details.
  11. Click the button next to Import Certificate of the New Primary Server that is labeled Choose File
  12. A common dialog box will open.  Browse to the saved certificate, select it and click Open
  13. When done, click Update.
  14. Generate a new configuration file (sdconf.rec) for the agent by selecting Access > Authentication Agents > Generate Configuration File > Generate Config File.  
  15. Replace the existing sdconf.rec on the agent with the newly generated sdconf.rec.
Notes
This solution would apply to any TCP-based agent that uses certificates for establishing secure connections.

Related Articles

Trending Articles

Don't see what you're looking for?