RSA^® Authentication Manager Documentation

This document describes known issues in RSA Authentication Manager 8.5. If a workaround or fix is available, it is noted or referenced in detail. Many of the workarounds require administrative privileges. If you do not have the required privileges, contact your administrator.

Embedded Identity Router

Identity Router Setup Console Blocked by a Certificate Error

Tracking Number: AM-38834

Problem: In the Security Console, when you click Configure Identity Router, if the browser does not trust the self-signed certificate, you might not be able to access the Identity Router Setup Console. Some browsers, such as Google Chrome, allow you to bypass the warning message and proceed.

Workaround: RSA recommends applying Patch 1 or the latest cumulative patch to resolve this issue. If you are unable to apply a patch, you can use the following workaround:

1. (Optional) You can upload a trusted certificate, for example, the certificate used by Authentication Manager, on the Company Settings page in the Cloud Administration Console. After the identity router is configured, the browser uses this certificate.
2. In the Security Console, after you click Configure Identity Router, copy the identity router URL from the pop-up page.
3. Paste the identity router URL into a new browser tab.
4. In the URL, replace the Authentication Manager Fully Qualified Hostname with the Authentication Manager IP address, and press Enter.

   You can now access the Identity Router Setup Console and configure the identity router.

   If you did not upload a trusted certificate in step 1, repeat steps 2 to 4 when you need to access the Identity Router Setup Console.

Embedded identity router cannot connect to Authentication Manager if the primary or replica instance uses a dual network interface card (NIC) configuration

Tracking Number: AM-40370

Problem: When the primary or replica instance network settings include a dual NIC, the embedded identity router is unable to connect to Authentication Manager.

Workaround: Add the following IP rule to the routing policy database (RPDB) instructing routing traffic destined to the idr-network interface to use the 'main' routing table:

ip rule add to 172.19.0.0/16 table main

If you reboot the appliance, then the IP rule must be applied again.

Apply Patch 5 to make the rule permanent.

Appliance Deployment

Leaving the hardware appliance idle on the network settings page causes timeout messages

Tracking Number: AM-38642

Problem: RSA SecurID Appliance 230 displays timeout messages when the hardware appliance is left idle on the network settings page.

Workaround: Press ENTER to continue configuring the network settings. This issue does not affect systems on which the network settings are already configured.

Do not enter network settings on the Additional Settings window for the VMware ESXi server 6.5

Tracking Number: AM-31847

Problem: When deploying the virtual appliance directly to the VMware ESXi server 6.5, you might enter network settings on the Additional Settings window, because it seems logical, instead of following the steps in the Authentication Manager documentation. The network settings are not saved, and they must be entered again.

Workaround: Only enter network settings when prompted in the virtual machine console. For instructions on deploying the VMware virtual appliance, see the Setup and Configuration Guide at https://community.rsa.com/docs/DOC-99426 or the VMware Virtual Appliance Getting Started Guide at https://community.rsa.com/docs/DOC-100115.

VMware ESXi 6.5, Patch Release ESXi650-201801001 (52236) or later is required to deploy the virtual appliance directly on the VMware ESXi Server 6.5

Tracking Number: AM-31871

Problem: During VMware virtual appliance deployment on the VMware ESXi server 6.5, the browser displays a "TypeError" message. The version of the ESXi Embedded Host Client is earlier than Patch Release ESXi650-201801001 (52236).

Workaround: You can check your ESXi Embedded Host Client version by logging on to the ESXi host with SSH, and running the following command:

"esxcli software vib get -n esx-ui"

To download VMware ESXi 6.5, Patch Release ESXi650-201801001 (52236) or later, go to https://my.vmware.com.

Blank Page or "Start" Displays After Rebooting the VMware Virtual Appliance

Tracking Number: AM-32272

Problem: After you reboot the VMware virtual appliance, a blank page or the message "Start" displays, instead of the prompt to log on to the operating system.

Workaround: Press ENTER to display the prompt.

Azure virtual appliance does not support IPv6

Tracking Number: AM-32455

Problem: RSA Authentication Manager uses a static IPv4 address. DHCP is not supported.  The IPv6 protocol is not supported for the Authentication Manager virtual appliance on Azure, because Azure requires DHCP to support the IPv6 protocol.

Workaround: If IPv6 is required, you must use a different type of appliance, for example, an on-premises VMware virtual appliance or an Amazon Web Services virtual appliance.

Cannot cancel Primary or Replica Quick Setup or defer attaching a replica instance on Amazon Web Services

Tracking Number: AM-32917

Problem: On Amazon Web Services, if you cancel Primary or Replica Quick Setup, or if you complete Replica Quick Setup and defer attaching the replica instance, you cannot access your Authentication Manager instance through the Quick Setup URL.

Workaround: Terminate the Amazon Web Services instance, and deploy the Authentication Manager instance again.

Authentication (REST-based RSA SecurID Authentication API)

The minLength and maxLength properties are not returned for SECURID and SECURID_NEXT_TOKENCODE methods

Tracking Number: AM-30791

Problem: When a user attempts authentication with the SECURID or SECURID_NEXT_TOKENCODE methods, the RSA SecurID Authentication API does not return the minLength and maxLength properties. Other methods, such as SECURID_NEWPIN and SECURID_SYSTEM_GENERATED_PIN, return numbers.

Workaround: For SECURID and SECURID_NEXT_TOKENCODE, the server should return a minimum length of 4 and a maximum length of 16.

Date and time when an authentication attempt expires shows the local time and an offset for UTC time

Tracking Number: AM-30797

Problem: The attemptExpires value, which is the date and time when a REST-based authentication attempt will expire, shows the local time for the Authentication Manager instance together with a time zone offset for UTC time. The time zone offset is expressed in hours and minutes, with +hh.mm indicating that the server is ahead of UTC time and -hh.mm indicating that the server is behind UTC time.

Workaround: By design, the Authentication API bases the attemptExpires value upon https://www.w3.org/TR/NOTE-datetime, which defines a profile for ISO-8601, the International Standard for representing dates and times.

Certain REST-based authentication failures are not logged to the Authentication Activity Monitor

Tracking Number: AM-30864

Problem: If you build and deploy authentication agents that use the Authentication API, the following authentication failures are not logged in the Authentication Activity Monitor:

• Authentication fails because an incorrect challenge method name is given.
• Authentication fails because an invalid collected input name is given.

Workaround: Configure the imsTrace.log file to display “Errors.” Do the following:

1. In the Security Console, select Setup > System Settings.
2. Click Logging.
3. Select an instance, and click Next.
4. From the Trace Log drop-down list, select Error.
5. Click Save.

After an error occurs, you can use SSH to log on to the appliance operating system. View the details in the imsTrace.log file in the /opt/rsa/am/server/logs directory.

Backup and Restore

Local backup fails after planned promotion of a replica instance.

Tracking Number: AM-30364

Problem: After promoting a replica instance to primary, attempting to make a local backup from the new primary fails, triggering the message “An error occurred while backing up the system: Failed to backup the system files.”

Workaround:

1. Log on to the appliance using an SSH client.
2. Change directories:

   cd /opt/rsa/am/utils

3. Type the following, then press ENTER to update TLS 1.2 Mode properties:

   /rsautil store -a enable_min_protocol_tlsv1_2 <setting> restart

   Where <setting> is true if you want to enforce strict TLS 1.2 Mode, or false if you do not.

Unable to Restore a Backup When the RADIUS Server is Not Synchronized

Tracking Number: AM-32328

Problem: While attempting to restore an RSA Authentication Manager instance from a backup file, the following message appears: "Failed to restore RADIUS." This issue might occur in a test environment that has continuous backup and restore operations running on the same server.

Workaround: If the RADIUS server is not synchronized or is in an unpublished state, the backup file cannot be restored. Do the following:

1. Verify that the Authentication Manager services are running, and start them if necessary:
   1. Use SSH to log on to the appliance with the User ID rsaadmin and the current operating system password.

   2. Change the directory:

      cd /opt/rsa/am/server

   3. Run the following command:

      ./rsaserv status all

   4. If you need to start the services, use the following command:

      ./rsaserv start all

   5. When you are done, run the exit command:

      exit

2. In the Operations Console on the primary instance, click Deployment Configuration > RADIUS Servers.
3. Click the RADIUS server, and select Restart Server from the context menu.
4. In the Restart RADIUS Server page, under Confirmation, select Yes, restart RADIUS server, and click Restart Server.

Connect RSA Authentication Manager to the Cloud Authentication Service

User Dashboard displays an Enable button for users who are disabled in Active Directory

Tracking Number: AM-33201

Problem: After you use the Security Console wizard or the Cloud Authentication Service Configuration page to connect Authentication Manager to the Cloud Authentication Service, the Authentication Manager User Dashboard can display Cloud Authentication Service users. If a user is disabled in Active Directory, the Cloud Authentication User Profile continues to display the Enable button, even though the user status is correctly displayed as disabled.

Workaround: The user can be enabled in Active Directory.

User Dashboard displays details for one Cloud Authentication Service user if two users have the same email ID in two different Active Directory identity sources

Tracking Number: AM-33204

Problem: After you use the Security Console wizard or the Cloud Authentication Service Configuration page to connect Authentication Manager to the Cloud Authentication Service, the Authentication Manager User Dashboard can display Cloud Authentication Service users. If two users have the same email ID in two different Active Directory identity sources, the RSA Authentication Manager User Profile can display details for both users, but the Cloud Authentication User Profile can only synchronize and provide details for one user.

Workaround: Before inviting users to authenticate to the Cloud Authentication Service, clean up your identity sources so that each email ID belongs to only one user.

If the SMTP Mail Service is not available, error messages are not displayed until every user invitation to authenticate to the Cloud Authentication Service has timed out

Tracking Number: AM-33467

Problem: When you invite users to authenticate to the Cloud Authentication Service, success, warning, and error messages are not displayed until the system has processed every invitation. If the SMTP Mail Service is not available, error messages are not displayed until each invitation has taken one minute to timeout. For example, ten invitations can take almost ten minutes to time out, but ten successful invitations result in a success message within a few seconds.

Workaround: When you configure the SMTP Mail Service, make sure to test the connection. If a large number of invitations are sent, you do not need to wait for a response. Instead, you can view the success, warning, and error messages in the system and audit logs.

An error message is not displayed if the invitation to authenticate to the Cloud Authentication Service fails for more than 500 users

Tracking Number: AM-34114

Problem: If more than 500 users are invited to authenticate to the Cloud Authentication Service and the invitation fails for all users, the Security Console displays the misleading statement “The number of users found exceeds the search results limit of 500. Change your search criteria to narrow your search.” The correct messages display if the invitation succeeds for some or all of the users.

Workaround: You can view the success, warning, and error messages in the Administration Activity Monitor.

Cloud Authentication Service User Event Monitor Does Not Display the Latest User Status

Tracking Number: AM-33789

Problem: After you use the Security Console wizard or the Cloud Authentication Service Configuration page to connect Authentication Manager to the Cloud Authentication Service, the Authentication Manager User Dashboard displays a Cloud Authentication Service User Event Monitor. You can view a user’s cloud authentication activity and event monitor messages in real time, but the most recent user status messages from an identity source are not displayed.

Workaround: The Cloud Authentication Service does not automatically update information from identity sources. Click Refresh to obtain the most recent information from the identity source.

Canceling the Cloud Authentication Service Configuration page returns you to the Settings page

Tracking Number: AM-33798

Problem: After you use the Security Console wizard or the Cloud Authentication Service Configuration page to connect Authentication Manager to the Cloud Authentication Service, you can select Edit Connection Settings on the Security Console Home page. On the Cloud Authentication Service Configuration page, if you click Cancel, you are returned to the System Settings tab on the Settings page.

Workaround: Clicking Cancel in Authentication Manager always returns you to the area in which you are making updates. To return to the Security Console Home page, click Home.

Documentation

Incorrect authentication agent version in the Help

Tracking Number: AM-38838

Problem: The Help linked to the Security Console and the Operations Console uses the wrong version number for MFA Agent for Microsoft Windows.

Workaround: RSA MFA Agent 2.0 for Microsoft Windows supports authentication to RSA Authentication Manager. The Help has been updated on RSA Link.

Administrator's Guide on the Documentation DVD should state that the embedded identity router software is not included in backup files

Tracking Number: AM-38743

Problem: The Administrator's Guide on the Documentation DVD contains incorrect information. Authentication Manager backup files do not include the embedded identity router software. In a disaster recovery situation, you would download and configure the embedded identity router again.

Workaround: The corrected Administrator's Guide is available at https://community.rsa.com/docs/DOC-113114.

Forward and back arrow buttons do not work when you open Help topics through a direct link

Tracking Number: AM-30700

Problem: After you open a Help topic through the Help on this page menu, the forward and back arrow buttons do not work. If you click Help > All Help Topics, you can use these buttons to display Help topics in the order listed in the Contents frame.

Workaround: After opening a topic through the Help on this page menu, you can search for additional topics or select additional topics through the Contents frame. Selecting a second Help topic enables the forward and back arrow buttons.

Firewall

Developer's Guide lists the unsupported  -n parameter for the manage-readonly-dbusers command-line utility

Tracking Number: AM-35891

Problem: The Developer's Guide incorrectly states that you can specify a range of IP addresses by running the manage-readonly-dbusers command-line utility with the optional -n parameter.

Workaround: To help prevent potential OpenSSL vulnerabilities, the  manage-readonly-dbusers command-line utility only allows you to specify the exact IP address of the client machine. If necessary, you can choose to manually update the firewall to allow a subnet mask.

Appliance internal firewall lists port 7050 as open for a deleted read-only database user’s IP address

Tracking Number: AM-30909

Problem: After you delete a read-only database user, port 7050 is listed as open for the deleted user’s IP address. The deleted user cannot connect with the deleted User ID. Port 7050 can accept packets from the IP address, but no credentials exist to complete the connection.

Workaround: Close port 7050 for the deleted user’s IP address. Deploy the appliance in a subnet that also has an external firewall to segregate it from the rest of the network.

Appliance internal firewall creates more than one ACCEPT rule and DROP rule for the same IP address

Tracking Number: AM-30911

Problem: The appliance has an internal firewall creates an ACCEPT rule and a DROP rule for each user’s IP address in the Authentication Manager internal database. When more than one user has the same IP address, the firewall creates multiple ACCEPT and DROP rules.

Workaround: No additional actions are necessary. The duplicate rules are successfully applied.

Localization

Localized Help Links Might Not Work in Some Browsers

Tracking Number: AM-31930

Problem: After applying an RSA Authentication Manager 8.3 or later language pack, for a language other than English, some browsers might display a "404 - Page Not Found" error message when you attempt to open the online Help through one of the consoles. The User Interface (UI) is successfully localized. In addition, each language pack includes localized PDF files.

Workaround: Use any supported browser to view the localized Help outside of the consoles. You do not need to set the browser locale.

Do the following:

1. Download the required language pack from RSA Link at https://community.rsa.com/community/products/securid/authentication-manager/downloads.
2. Extract the zip file.
3. To view the combined Help for the Operations Console and the Security Console, open \Country_Code\Help\RSA_Authentication_Manager_Help\index.html

   To view the Self-Service Console Help, open \Country_Code\Help\Self-Service_Console_Help\index.html

Promotion for Maintenance

After applying Hotfix 8.5.0.0.1 to the primary instance, promotion for maintenance does not succeed

Tracking Number: AM-41730

Problem: Hotfix 8.5.0.0.1 resolves an internal replication error that occurred in deployments that used the initial version of the RSA Authentication Manager 8.5 upgrade kit. After the hotfix is applied to the primary instance, you cannot promote a replica instance. The hotfix changes the Authentication Manager version number on the primary instance, and promotion for maintenance requires the same version number on the primary instance and the replica instance.

Workaround: To make the version numbers the same, apply any 8.5 patch to the primary instance and the replica instance.

To promote a replica instance without applying a patch, see Promote a Replica Instance for Disaster Recovery.

After promoting a replica instance to primary, attempting to promote the former primary instance back to primary status fails.

Tracking Number: AM-30394, AM-30564

Problem: Promoting a replica instance to primary succeeds, but subsequent attempts to promote the former primary instance back to primary status fail, triggering the message “Promotion was unsuccessful. Unable to extract logs from original primary.”

Workaround:

1. Log on to the appliance using an SSH client.
2. Change directories:

   cd /opt/rsa/am/utils

3. Type the following, then press ENTER to update TLS 1.2 Mode properties:

   /rsautil store -a enable_min_protocol_tlsv1_2 <setting> restart

4. Where <setting> is true if you want to enforce strict TLS 1.2 Mode, or false if you do not.

No information displayed on the primary instance Progress Monitor during a promotion for maintenance

Tracking Number: AM-30839

Problem: If you log onto the Operation Console for the replica instance and promote the replica instance, and then log onto the Operation Console for the current primary instance during the promotion, the primary instance Progress Monitor does not show any information.

Workaround: Log back or remain logged onto the Operation Console of the replica instance during the promotion to view the Progress Monitor information. When the promotion is complete, the Operation Console confirms the promotion to a primary instance with next steps.

Only the administrator running the pre-promotion check on a replica instance can see the status

Tracking Number: AM-30849

Problem: Before promoting a replica instance, you must run the pre-promotion check. Another administrator cannot view the status or results of this task in the Progress Monitor.

Workaround: This functionality is intentional. The pre-promotion check allows the administrator who is promoting the replica instance to identify and correct any issues. When the promotion for maintenance begins, any administrator can view the Progress Monitor on the replica instance that is being promoted.

Quick Setup

The first Quick Setup task on a Hyper-V virtual appliance displays a later start time than the second task

Tracking Number: AM-28393

Problem: If you select a Network Time Protocol (NTP) server for RSA Authentication Manager that the Hyper-V host machine does not use, the first Quick Setup task might display a later start time than the second Quick Setup task.

Workaround: This time display issue does not affect deployment or RSA SecurID authentication.

Quick Setup on Amazon Web Services (AWS) does not display the time and date after synchronizing to the physical hardware

Tracking Number: AM-31727

Problem: The AWS virtual appliance requires you to obtain the correct time and date by selecting an NTP server or by synchronizing with the physical hardware hosting the virtual appliance. During Quick Setup on AWS, the time and date is not displayed for the physical hardware option.

Workaround: This issue only affects Quick Setup. The correct time and date is displayed in the Operations Console.

RSA RADIUS

Cannot create IPv4 addresses for IPv6 RADIUS clients after removing IPv6 network settings

Tracking Number: AM-29485

Problem: If you disable IPv6 network settings in the Operations Console, you cannot update existing IPv6 RADIUS clients to use IPv4 addresses.

Workaround: Re-enable IPv6 network settings, update the IPv6 RADIUS clients to use IPv4 addresses, and then disable the IPv6 network settings again. Delete any IPv6 RADIUS clients that are no longer needed.

RADIUS Profile Name Cannot Exceed 200 Characters

Tracking Number: AM-32265

Problem: Entering more than 200 characters in the RADIUS Profile Name field results in a misleading "Object Not Found" error message. Entering more than 256 characters results in the message that the profile name cannot exceed 256 characters.

Workaround: Enter 200 or fewer characters in the RADIUS Profile Name field.

RSA SecurID Authenticate Tokencodes

Authentication Manager Bulk Administration (AMBA) utility does not support RSA SecurID Authenticate Tokencodes

Tracking Number: AM-30858

Problem: The RSA Authentication Manager 8.5 Bulk Administration (AMBA) utility does not support the RSA SecurID Authenticate app. For example, you cannot use the unassign or replace token commands for RSA SecurID Authenticate Tokencodes.

Workaround: Use the Security Console to manage Authenticate Tokencodes. For more information, see the Authentication Manager Help topic “RSA SecurID Authenticate Tokencodes.”

No entries for the RSA SecurID Authenticate app on the SecurID Token Statistics page

Tracking Number: AM-30915

Problem: On the SecurID Token statistics page, no information is displayed for the RSA SecurID Authenticate app.

Workaround: All custom reports that display RSA SecurID hardware and software tokens include the RSA SecurID Authenticate app, except for the “Token Expiration Report.” For more information, see “Reports” on RSA Link: https://community.rsa.com/docs/DOC-77230.

RSA Token Management Snap-in (MMC)

RSA Token Management snap-in for Active Directory does not allow administrators to edit certain properties for undistributed software tokens

Tracking Number: AM-30916

Problem: The RSA Token Management snap-in for Active Directory does not allow administrators to edit the Notes field or choose whether to require a PIN for software tokens that have not yet been distributed.

You can change other Authentication Settings, such as clearing an existing PIN, requiring a PIN change on the next logon, and disabling the token.

Workaround: Do one of the following:

• Distribute the software tokens. After the tokens are distributed, you can edit these fields with the RSA Token Management snap-in.
• Use the Security Console to manage all tokens.

Upgrading

The ISO Image for the Upgrade Kit Displays an Incorrect Version Number

Tracking Number: AM-39980

Problem: When the ISO image for the RSA Authentication Manager 8.5 upgrade kit is mounted, the incorrect version number 8.4.0 displays.

Workaround: This is the correct kit for upgrading to version 8.5. Functionality is not affected.

Internal Replication Error After Upgrading to RSA Authentication Manager 8.5

Tracking Number: AM-41940

Problem: After upgrading to RSA Authentication Manager 8.5, the Operations Console displays an internal replication error. Waiting does not resolve the issue, and there is no option to manually synchronize the replica instances. Authentication Manager is unable to replicate authentication data that was collected before the replica instances were upgraded.

Workaround: RSA provided a new RSA Authentication Manager 8.5 upgrade kit (on May 6th 2021) that resolves this issue for most customers.

If you have already upgraded with the original upgrade kit or the upgrade kit that was released in September and you experience replication issues, contact RSA Customer Support to obtain a hotfix for the primary instance.

You do not need to apply this hotfix to your replica instances.

Applying the version 8.5 upgrade through your local web browser is not supported

Tracking Number: AM-38317

Problem: The version 8.5 upgrade is too large to apply through the local web browser option.

Workaround: Configure an NFS Share, a Windows Share, or a DVD/CD as an update source.

Uploading Authentication Manager patches through your browser is slower than other options

Tracking Number: AM-36011

Problem: Using your browser as an update source for Authentication Manager version upgrades and patches causes the Upload & Apply Update window to open slowly. RSA Authentication Manager 8.3 Patch 6 or later requires additional processing for browser uploads.

Workaround: Wait for the Upload & Apply Update window to display, or configure an NFS Share, a Windows Share, or a DVD/CD as an update source.

Do not promote a version 8.2 SP1, 8.3, or 8.4 replica instance if there is a version 8.5 primary instance

Tracking Number: AM-29322

Problem: After the primary instance has been upgraded to RSA Authentication Manager 8.5, promoting a version 8.2 SP1, 8.3, or 8.4 replica instance for disaster recovery creates a second primary instance. The same issue occurs in earlier releases, for example, if you upgrade a primary instance from version 8.2 SP1 to version 8.3 and then promote a version 8.2 SP1 replica instance.

Workaround: If the Authentication Manager upgrade does not succeed, you must restore from a backup file, an Amazon Web Services snapshot, an Azure Backup or Azure snapshot, a VMware snapshot, or a Hyper-V checkpoint. Always upgrade the primary instance before upgrading the replica instances in your deployment.

Web-Tier Installer License Agreement screen includes clickable links that do not open external websites

Tracking Number: AM-30162

Problem: The Web-Tier Installer includes a License Agreement screen that allows you to click the links for external websites. The links redirect you to the top of the license agreement.

Workaround: To visit the external websites, copy each link from the License Agreement screen, and paste it into a browser.

Updating the web tier on Linux creates empty rsa-install folders in the /tmp directory

Tracking Number: AM-30868

Problem: After installing the version 8.4 web tier on Linux, any updates, such as adding a custom logo, causes the /tmp directory to have empty folders with the prefix “rsa-install.”

Workaround: In the /tmp directory, delete the empty rsa-install folders.

Misleading error message if the Windows Share Path is incorrect

Tracking Number: AM-32399

Problem: In the Operations Console, configure a Windows share as an update source. When you test the connection, if the path is incorrect or doesn't exist, the error message states "Windows share connection test failed. There was an unexpected error while mounting."

Workaround: Confirm that you entered a valid Windows share path.

You must upgrade all replica instances to version 8.5 before you connect to the Cloud Authentication Service

Tracking Number: AM-34011

Problem: Multifactor authentication methods can fail if you connect to the Cloud Authentication Service before you upgrade all existing replica instances to RSA Authentication Manager 8.5. If you connect to the Cloud before upgrading the replica instances to version 8.5, those replica instances cannot be used for Cloud authentication methods.

Workaround: Delete any replica instances that were upgraded after connecting to the Cloud. Then add new replica instances and upgrade them to version 8.5.

Miscellaneous

Identity attribute definition containing single or double quote characters is not included on the Add User page

Tracking Number: AM-38455

Problem: You can add an identity attribute definition with a name that contains single or double quote characters, such as an apostrophe, ', but the identity attribute is not included on the Add User page. Other special characters, such as %, $, and #, are supported.

Workaround: On the Add User page, single and double-quote characters are blocked to prevent the possibility of cross-site scripting or SQL-injection attacks.

Authentication Manager Cannot Connect to an Oracle Directory Server with the Default 1024-bit Certificate

Tracking Number: AM-32095

Problem: In the Operations Console, after you add an Oracle Directory Server as an identity source, the test connection fails.

Workaround:Authentication Manager requires the LDAPS protocol to use a certificate that is at least 2048 bits. You must replace the default Oracle Directory Server certificate, which is 1024 bits.

VMware virtual appliance does not include a DVD/CD drive

Tracking Number: AM-28663

Problem: The VMware virtual appliance does not include a DVD/CD drive for applying updates.

Workaround: Use the VMware vSphere Client to shut down the virtual machine and add a DVD/CD drive. For more information, see the Help topic “VMware DVD/CD or ISO Image Mounting Guidelines” on RSA Link at https://community.rsa.com/docs/DOC-77220.

In addition, you can apply Authentication Manager updates through your local browser, or you can scan for stored updates in an NFS share or a Windows shared folder.

Operations Console shows intermittent replication failure on the primary instance

Tracking Number: AM-30373

Problem: The Operations Console displays intermittent reports that replication has failed on the primary instance. Actual replication of data between instances works properly, but the replication status error interferes with all Authentication Manager functions that rely on a system health check.

Workaround: Modify objects (such as users or tokens) using the Security Console, or perform authentication to trigger replication and reset the replication status indicator.

Cannot delete a replica instance while it is being synchronized

Tracking Number: AM-31481

Problem: If you manually synchronize a replica instance with data from the primary instance, you cannot delete the replica instance while it is being synchronized.

Workaround: Wait until synchronization is complete to delete the replica instance.

Changing the User ID clears recent authentication activity from the User Dashboard

Tracking Number: AM-31701

Problem: If you change a User ID, then the User Dashboard will display the time and date of the user’s last successful authentication, but does not display other recent authentication activity. The Recent Authentication Activity component normally displays information from the past seven days.

Workaround: Use another approach to display authentication activity for the original user ID:

• View the Authentication Activity Monitor. For more information, see "Real-Time Monitoring Using Activity Monitors" on RSA Link at https://community.rsa.com/docs/DOC-77411.
• Run a report. For more information, see "Reports" on RSA Link at https://community.rsa.com/docs/DOC-77230.
• Search the Runtime Audit log, if it has been configured to record all authentication activity. For more information, see "Log Messages" on RSA Link at https://community.rsa.com/docs/DOC-77115.

Archived log files are not stored in the correct directory after upgrading RSA Authentication Manager

Tracking Number: AM-32084

Problem: After upgrading to RSA Authentication Manager 8.4, archived log files are not saved in the default /opt/rsa/am/Log_archive directory.

Workaround: You can move the archived log files from the /opt/rsa/am/server directory into the /opt/rsa/am/Log_archive directory.

To prevent this issue from occurring again, save any change on the Schedule Log Archival page or the Archive Now page. For example, change the Days Kept Online field from 100 to 101 and click Save. Repeat the procedure to change the field to the original value. For instructions, see “Archive Logs Using Schedule Log Archival” at https://community.rsa.com/docs/DOC-77401 or "Archive Logs Using Archive Now" at https://community.rsa.com/docs/DOC-77439.

Security Console message says that users were notified by e-mail but the e-mail (SMTP) server did not send any notifications

Tracking Number: AM-33526

Problem: After an administrator approves token provisioning requests, users are notified by e-mail. The Security Console can display a message that users were sent e-mail notifications, but the System Activity Monitor reports that the e-mail (SMTP) server did not notify the users.

Workaround: Before sending e-mail notifications to users, configure an e-mail (SMTP) server. For instructions, see “Configure the SMTP Mail Service” on RSA Link at https://community.rsa.com/docs/DOC-77122.

You are here