This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
Hertz
Contributor
Contributor
‎2021-05-04 02:29 PM

Connection failed Cloud Authentication Service and Authentication Manager

Jump to solution

Hello team,

I am trying in my lab to connect the Cloud Authentication Service to the Authentication Manager and i have an error.

I configured the Identity Routers on Cloud Authentication Service in the following way:

 

IR.JPG

 

I checked the logs:

 

error.JPG

My question is: do I need to add an Authentication Agents on the Authentication Manager? 

I configured these Agents on the AM:

AgentAM.JPG

where could the problem be?

Thanks a lot.

 

 

 

0 Likes
Reply
1 Solution

Accepted Solutions
HassanMehsen
Respected Contributor
Respected Contributor
In response to Hertz
‎2021-05-05 03:57 AM

Jump to solution

Sure, you need to add an authentication agent for the IDR on the authentication manager appliance.

Have you connected the cloud authentication service to the authentication manager? From the CAS interface, go to  Platform > Authentication Manager add the sdconf file along with the authentication agent name which you configured on the authentication manager and test connection from there.

Moreover, check your NTP server, i can see that the NTP server configured on your IDR is not in sync,

Im curious to know how did you configured eth0 and eth1 with the same IP address, as this should shoot an error while configuring the IDR IP settings.

 

 

View solution in original post

0 Likes
Reply
6 Replies
David
Frequent Contributor
Frequent Contributor
‎2021-05-04 02:35 PM

Jump to solution

Hi Hertz,

From the very few tests I made, it is not a good pratice to configure both interfaces in the smae L3 network (eth0 and eth1).
I even didn't know this was possible.

Take a look on that side maybe...         😊

 

Kind Regards,

David

 

0 Likes
Reply
Hertz
Contributor
Contributor
In response to David
‎2021-05-05 01:42 AM

Jump to solution

Hi David,

i read that "RSA recommends that each interface be located on a separate subnet for security reasons".

So I think it is possible to have the two interfaces on the same subnet, but from a security point of view it is not recommended.

If I try to ping from the IDR the IP of the AM replies to me, the same thing if I try to ping with the name.(am.mylab.local)

p.s. from the point of view of the Authentication Manager, in order to manage requests from the Cloud, do you need to add a new Authentication Agents? 

 

Thanks.

0 Likes
Reply
HassanMehsen
Respected Contributor
Respected Contributor
In response to Hertz
‎2021-05-05 03:57 AM

Jump to solution

Sure, you need to add an authentication agent for the IDR on the authentication manager appliance.

Have you connected the cloud authentication service to the authentication manager? From the CAS interface, go to  Platform > Authentication Manager add the sdconf file along with the authentication agent name which you configured on the authentication manager and test connection from there.

Moreover, check your NTP server, i can see that the NTP server configured on your IDR is not in sync,

Im curious to know how did you configured eth0 and eth1 with the same IP address, as this should shoot an error while configuring the IDR IP settings.

 

 

0 Likes
Reply
Hertz
Contributor
Contributor
In response to HassanMehsen
‎2021-05-05 04:38 AM

Jump to solution

Hi,

thank you very much for your reply and the help you are giving me.

1) The authentication agent for the IDR, that I need to configure on the Authenitcation Manager, does it have to be configured in a particular way? as Type how should it be defined? there is an example to be able to take inspiration?

I have only configured these at the moment:

agent.JPG

2) Correct. I tried to connect "the cloud authentication service to the authentication manager". I followed the procedure from Platform> Authentication Manager and added the sdconf file but it fails with the following error: 

test.JPG

 

I also rebuilt the IDR machine from scratch and added two addresses on the two network cards:

 

Error.JPG

 

I checked the logs and i have these errors:

2021-05-05/07:27:40.804/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - Connection object: ServerConnection [ serviceType=CONFIG, serviceURL=http://192.168.5.201:5500/Services/ConfigService, conn=null]
2021-05-05/07:27:40.808/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - isDNSScanEnabled:false
2021-05-05/07:27:40.809/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - {Realmconfig.updateVersionInfoFromSdconf} Sdconf length = 2568
2021-05-05/07:27:40.809/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - {AgentConfigHandler.initializeConfig} using server-configured connect timeout: 10
2021-05-05/07:27:40.809/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - {AgentConfigHandler.initializeConfig} using server-configured read timeout: 30
2021-05-05/07:27:40.809/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - {AuthSessionFactory} Invoking MessageKey Service to negotiate key
2021-05-05/07:27:40.809/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - MaxRetry: 0 Total Servers: 1
2021-05-05/07:27:40.809/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - MaxRetry: 0 Total Servers: 1
2021-05-05/07:27:40.810/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - staring key negotiation. Connection: ServerConnection [ serviceType=MSGKEY, serviceURL=http://192.168.5.201:5500/Services/MessageKeyService, conn=null]
2021-05-05/07:27:40.815/UTC [Thread-1151] ERROR com.rsa.authagent.authapi.v8.logger.b[?] - Error in processing Authn request: connect exception processing key negotiation request: com.rsa.authmgr.commonagent.k: Key negotiation exchange failed. Server response was CRED_MISMATCH
2021-05-05/07:27:40.815/UTC [Thread-1151] ERROR com.rsa.authagent.authapi.v8.logger.b[?] - Error in initial AuthnReq/Rsp for serverTime.Error in processing Authn request: connect exception processing key negotiation request: com.rsa.authmgr.commonagent.k: Key negotiation exchange failed. Server response was CRED_MISMATCH
2021-05-05/07:27:40.815/UTC [Thread-1151] ERROR com.rsa.nga.sidproxy.AuthSessionFactoryManager[241] - unable to connect to the AM server
com.rsa.authagent.authapi.AuthAgentException: com.rsa.authagent.authapi.AuthAgentException: Error in initial AuthnReq/Rsp for serverTime.Error in processing Authn request: connect exception processing key negotiation request: com.rsa.authmgr.commonagent.k: Key negotiation exchange failed. Server response was CRED_MISMATCH
at com.rsa.authagent.authapi.AuthSessionFactory.a(AuthSessionFactory.java)
at com.rsa.authagent.authapi.AuthSessionFactory.getInstance(AuthSessionFactory.java)
at com.rsa.nga.sidproxy.AuthSessionFactoryManager$1.run(AuthSessionFactoryManager.java:239)
at java.lang.Thread.run(Thread.java:748)

 

i think this is the problem but i don't understand what can cause it.

p.s. when I entered the same ip in the IDR configuration for the two eths it did not return any error. 

Thanks.

 

0 Likes
Reply
Hertz
Contributor
Contributor
In response to Hertz
‎2021-05-05 05:10 AM

Jump to solution

Hi,

i give you an update: i created the agent on the AM and reimport the sdconf file and now all works fine.

Thanks a lot.

0 Likes
Reply
HassanMehsen
Respected Contributor
Respected Contributor
‎2021-05-05 06:11 AM

Jump to solution

Amazing! Glad to hear that its working fine now,

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.