acestatus only returns the primary server
We have 4 AM 8.1 servers (1 Primary and 3 Replicas).
We installed agents on Windows 2008, AIX, Solaris and RH.
Using the agent tool on Windows we can see all four AM servers.
On my Unix-based servers, using the acestatus command only returns the primary server?
When we perform authentication tests, we see in the RSA console Activity monitor that it's always the Primary that receives the authentication requests from the agents.
We have replaced the sdconf.rec file, rebooted the server, no change.
Why is acestatus only returning the primary server?
Any help is appreciated.
Thanks 🙂
Ron
Hello Ronald,
This is something normal as the agent has the primary prioritized to be the first option. So if you need to confirm whether the agents are populated with the whole contact list including replicas, then you can search for sdstatus12 file and it should include the contact list.
And you can also test the replica authentication by shutting down the services on the primary and trying to authenticate from the replica.
To shut down the services on the primary:
1) Go to CLI using PuTTY through SSH connection
2) Go to cd /opt/rsa/am/server
3) ./rsaserv stop all
4) After testing the authentication start the services again
./rsaserv start all
So kindly check and advise us back if there is any assistance needed from our side.
Best Regards,
A variation on this is that since AM 7.1, the sdconf.rec can hold the primary and replicas, but only if you have done an Automatic Re-Balance of the AM server contact list. This action allows the agent hosts to learn about all replicas. Navigate to Security Console – Access – Authentication Agents – Auth Manager Contact List – Auto Rebalance.
In AM 6.1 this was automatic, but a customer complained that they wanted to hide some new replicas, so Engineering over-engineered by creating the Contact list, which hides all replicas until you explicitly allow agent contact to them. The behavior is the same in 8.X. Once the contact list is updated, the primary will tell any agents about all replicas, or you can force the issue and download a new sdconf.rec file, which will contain all replicas. Some older Agent APIs do not understand this new sdconf.rec format.
Deleting the sdstatus.12 file, as Hussein mentioned, can also help: if there is old information in it, deleting it allows you to create a new one, which will be from the primary and include all replicas.
Hi guys,
I have no sdstatus.12 file on my agents. In the /var/ace folder which contains the sdconf.rec file, there is the sdstatus.1.
We are also using the sdopts.rec file to override automatic balancing. The file contains this information:
CLIENT_IP=172.26.142.230
USESERVER=172.26.63.190,10
USESERVER=10.247.189.19,1
USESERVER=10.247.189.20,2
USESERVER=10.247.189.21,2
The server with priority 10 is a replica, priority 2 are also replicas and priority 1 is our primary.
I just generated a new sdconf.rec from the security console and pushed it to my RH server and I have the same behavior.
Any other ideas?
I will try to stop the service on the primary to see what happens.
Thanks
sdstatus.12 is Windows, sorry; sdstatus.1 is usually the Linux PAM agent, but same concept.
The sdopts.rec is the options file.
CLIENT_IP= is called the IP address override. It might be needed for the initial authentication before the node secret symmetric key file called securid is created, and the IP should match the primary IP for the agent record on the AM server.
The USESERVER= with priority will work with replicas in the sdstatus.1 file to prioritize, but if the replicas are not in sdstatus due to not being in the contact list, then they cannot be used. You cannot prioritize an unreachable replica (or I guess you can, but it does not help).
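The point made in the post above, as an added example (not code from the thread or from RSA): a small Python check that parses an sdopts.rec and lists the USESERVER overrides whose address the agent does not currently know about. The function names and the `known` list are assumptions; the list stands for the server addresses copied by hand from what acestatus reports on that host.

```python
import ipaddress

# Constructed sample: the sdopts.rec contents quoted in this thread.
SDOPTS_SAMPLE = """\
CLIENT_IP=172.26.142.230
USESERVER=172.26.63.190,10
USESERVER=10.247.189.19,1
USESERVER=10.247.189.20,2
USESERVER=10.247.189.21,2
"""

def parse_sdopts(text):
    """Return (client_ip, [(server_ip, priority), ...], [problem strings])."""
    client_ip, servers, problems = None, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        key, sep, value = raw.strip().partition("=")
        if not sep:
            continue  # blank line or something that is not KEY=VALUE
        try:
            if key == "CLIENT_IP":
                client_ip = str(ipaddress.ip_address(value.strip()))
            elif key == "USESERVER":
                addr, _, prio = value.partition(",")
                servers.append((str(ipaddress.ip_address(addr.strip())), int(prio)))
            # any other option keyword is left alone by this check
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
    return client_ip, servers, problems

def unusable_overrides(servers, known_servers):
    """USESERVER entries whose address is absent from the agent's server list."""
    known = {str(ipaddress.ip_address(a)) for a in known_servers}
    return [(addr, prio) for addr, prio in servers if addr not in known]

if __name__ == "__main__":
    # Assumption: the agent on this host reports only the primary.
    known = ["10.247.189.19"]
    client_ip, servers, problems = parse_sdopts(SDOPTS_SAMPLE)
    print("CLIENT_IP override:", client_ip)
    for addr, prio in unusable_overrides(servers, known):
        print(f"USESERVER={addr},{prio} has no effect: server unknown to agent")
    for p in problems:
        print("malformed:", p)
```
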
Hello Ronald,
What is the version of the PAM agent?
To obtain the version number of the installed agent for PAM:
1. Change to the <PAM Agent Install Directory>\lib\<bit version> directory.
2. Type the following line:
strings pam_securid.so | grep "Agent"
This returns the version number of the installed agent.
Thanks,
Peter
RSA Authentication Agent 7.1 for PAM
Ronald Beaulieu
Hello Ronald,
I need the full version, that is why I specified the how to.
Thanks,
Peter
# strings pam_securid.so | grep "Agent"
@(#)RSA Authentication Agent 7.1 for PAM
@(#)RSA Authentication Agent 7.1 for PAM
#
#
