This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA SecurID® Access Discussions

Browse the SecurID Access discussion board to get product help and collaborate with other users of SecurID Access.
RobertJackson
Beginner
Beginner
‎2020-06-08 10:28 AM

Why Does RSA AM Security Console Drop LDAP Connection?

I have just recently converted our RSA Authentication Manager physical appliance to a Hyper-V virtual appliance. Everything seemed to go well with the conversion. However I am now finding that the Security Console seems to drop the LDAP query ability. What this means is that I cannot get a list of assigned tokens and the users cannot authenticate - always get invalid credentials error. This can happen 30mins, 1 hour or more after the virtual appliance has been brought online (rebooted). Immediately after the root, the appliance behaves as normal and users can once more authenticate for a short period of time. I have tried issuing the following command for both the Security and Operations Consoles on the virtual appliance: rsautil manage-secrets -a recover

 

At the time when the Security Console loses LDAP, I am successfully able to "test connect" LDAP (both main and failover) from the operations console. This only happens on the virtual appliance. The physical appliance is completely stable. Anyone have any idea what is going on?

Labels (1)
0 Likes
Reply
2 Replies
EdwardDavis
Employee
Employee
‎2020-06-09 08:08 AM

There is no difference between hardware and virtual versions as far as the AM software and how it connects to LDAP, so this seems to be something not directly on the AM server causing the issue. What, I don't know, but if you put imsTrace.log in verbose mode (Security Console, setup, system, logging, Trace Log: verbose) next time it happens check that log file for ldap issues, if there is a standard ldap error code it will be shown. imsOCTrace.log may be meaningful too.

 

The log is /opt/rsa/am/server/logs/imsTrace.log, and don't leave it in verbose mode forever as there is not a cleanup routine for this log,  and if left in verbose mode for a long time (weeks) on a busy system it can start to steal drive space.

 

If the LDAP connection is a VIP or proxy or round-robin DNS with more than one directory server behind it, that could cause issues, as the two LDAP connections on the Operations Console (primary/failover)  for each Identity Source need to be single server or IP addresses. Proxies and VIP, load balancers, round-robin can cause loss of LDAP connection when it routes/resolves to a different directory server.

Reply
RobertJackson
Beginner
Beginner
In response to EdwardDavis
‎2020-06-16 02:32 AM

Many thanks for the reply. I should have said, the version of Authentication Manager is 7.1 (SP2). So quite an old installation. I can't find the option you highlighted that leaves me thinking yu were assuming a more up to date version of the software.

 

I've rebuilt the server directly on Hyper-V therefore no P2V conversion in the hope that it would work. However I'm still facing the same issue(s). Not quite sure what is going on. Is there an option in AM 7.1 to enable verbose logging or is this just a feature of later versions?

 

Many thanks.

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.