Why Does RSA AM Security Console Drop LDAP Connection?
I have just recently converted our RSA Authentication Manager physical appliance to a Hyper-V virtual appliance. Everything seemed to go well with the conversion. However, I am now finding that the Security Console seems to drop the LDAP query ability. What this means is that I cannot get a list of assigned tokens and the users cannot authenticate - they always get an invalid credentials error. This can happen 30 mins, 1 hour or more after the virtual appliance has been brought online (rebooted). Immediately after the reboot, the appliance behaves as normal and users can once more authenticate for a short period of time. I have tried issuing the following command for both the Security and Operations Consoles on the virtual appliance: rsautil manage-secrets -a recover
At the time when the Security Console loses LDAP, I am successfully able to "test connect" LDAP (both main and failover) from the operations console. This only happens on the virtual appliance. The physical appliance is completely stable. Anyone have any idea what is going on?
There is no difference between hardware and virtual versions as far as the AM software and how it connects to LDAP, so this seems to be something not directly on the AM server causing the issue. What, I don't know, but if you put imsTrace.log in verbose mode (Security Console, Setup, System, Logging, Trace Log: verbose), next time it happens check that log file for LDAP issues; if there is a standard LDAP error code it will be shown. imsOCTrace.log may be meaningful too.
The log is /opt/rsa/am/server/logs/imsTrace.log. Don't leave it in verbose mode forever, as there is no cleanup routine for this log, and if it is left in verbose mode for a long time (weeks) on a busy system it can start to steal drive space.
If the LDAP connection is a VIP or proxy or round-robin DNS with more than one directory server behind it, that could cause issues, as the two LDAP connections on the Operations Console (primary/failover) for each Identity Source need to be single server names or IP addresses. Proxies, VIPs, load balancers and round-robin DNS can cause loss of the LDAP connection when they route/resolve to a different directory server.
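The two checks the reply suggests, as an added example that is not part of the thread or of RSA's own tooling: summarise the LDAP result codes found in imsTrace.log, and count how many addresses an identity-source hostname actually resolves to (pipe `getent hosts <name>` into distinct_addresses). The log lines written by make_sample_log are constructed for illustration; the real imsTrace.log format differs, so adjust the grep patterns to match it.

```shell
#!/bin/sh
# Added triage helpers for the reply above; not from the thread or from RSA.
# Assumption: the imsTrace.log lines in make_sample_log are constructed for
# illustration; the real file's format differs, so adjust the patterns.
LOG_FILE="${LOG_FILE:-/opt/rsa/am/server/logs/imsTrace.log}"

# Summarise LDAP result codes seen in a trace log as "count<TAB>code", most
# frequent first. Standard codes worth knowing when reading the output:
# 49 = invalidCredentials, 52 = unavailable, 81 = serverDown (client-side).
ldap_error_summary() {
  grep -i 'ldap' "$1" \
    | grep -oiE '(result|error) code[: =]+[0-9]+' \
    | grep -oE '[0-9]+$' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1 "\t" $2 }'
}

# Count distinct addresses behind an identity-source hostname, reading
# "getent hosts <name>" output from stdin. A result above 1 points at
# round-robin DNS, which the reply says should be a single server address.
distinct_addresses() {
  awk 'NF { print $1 }' | sort -u | wc -l | tr -d ' '
}

# Write a small constructed log (not real RSA output) for offline testing.
make_sample_log() {
  cat > "$1" <<'EOF'
2024-01-01 10:00:01 INFO  Identity source corp-ad: LDAP bind ok
2024-01-01 10:42:17 ERROR LDAP bind failed, result code: 49
2024-01-01 10:42:18 ERROR LDAP search failed, result code: 81
2024-01-01 10:42:19 ERROR LDAP bind failed, result code: 49
2024-01-01 10:42:20 WARN  Token assignment lookup skipped
EOF
}

# Size in MB of the trace log, for the disk-space caveat in the reply.
log_size_mb() { du -m "$1" 2>/dev/null | awk '{ print $1 + 0 }'; }

if [ -r "$LOG_FILE" ]; then
  echo "LDAP result codes in $LOG_FILE (count, code):"
  ldap_error_summary "$LOG_FILE"
  echo "trace log size: $(log_size_mb "$LOG_FILE") MB"
fi
```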
Many thanks for the reply. I should have said, the version of Authentication Manager is 7.1 (SP2), so quite an old installation. I can't find the option you highlighted, which leaves me thinking you were assuming a more up-to-date version of the software.
I've rebuilt the server directly on Hyper-V, so there was no P2V conversion, in the hope that it would work. However, I'm still facing the same issue(s). Not quite sure what is going on. Is there an option in AM 7.1 to enable verbose logging, or is this just a feature of later versions?