SecurID® Discussions

DavidBerner
Occasional Contributor

Upgrade experience with 8.6

Hello,

Wanted to see if anyone ran into the same issues we did with upgrading from 8.5 patch 5 to 8.6. After upgrading to 8.6, all of our replicas are showing offline under the primary ops console for RADIUS server status. RSA support is telling me I need to rebuild all of our replicas. Did anyone else experience this?

Also, we ran into an issue where RADIUS authentication was failing after upgrading. We had to use the internal RSA certificate (we were using DigiCert) to resolve it.

10 Replies
DavidBerner
Occasional Contributor

Rebuilding the replica did not resolve the issue...

0 Likes
David
Frequent Contributor

Hi David,

Replicas offline (or whatever not OK) after a Primary upgrade is something normal. It will get back to OK when the Replicas are at the same version level as the Primary now is.

You mentioned reverting to self-signed certs...

I guess you should also try to revert your Replicas to use their self-signed certs, through Operations Console > Manage Console Cert.

Kind Regards,

David

0 Likes
DavidBerner
Occasional Contributor

The replicas are all on 8.6. After upgrading all the replicas, they show RADIUS server status offline.

0 Likes
David
Frequent Contributor

And are the Replicas using self-signed certs or externally generated ones?

David

0 Likes
DavidBerner
Occasional Contributor

They were using external. We switched to the RSA internal certs because authentication was broken after we upgraded (this was a separate issue).

0 Likes
David
Frequent Contributor

Re David,

You could consider trying to reconfigure RADIUS on the replica server(s).
  1. Log in to the Authentication Manager replica server via SSH.
  2. Navigate to /opt/rsa/am/server.
  3. Stop the RADIUS service with the command ./rsaserv stop radius.
  4. Navigate to /opt/rsa/am/config.
  5. Run the command ./config.sh RadiusOCConfig.configure.
  6. Navigate to /opt/rsa/am/server.
  7. Start the RADIUS service with the command ./rsaserv start radius.

Then, in the Primary Security Console, choose RADIUS > RADIUS Server and click Initiate Replication. When done, the replication status should show as Synchronized.

PS: the above commands can also be run on the Primary instance.

David

0 Likes
DavidBerner
Occasional Contributor

This was already tried and did not fix it. We rebuilt one of the replicas from scratch (removing it from the RSA realm and reattaching it) and had the same issue.

0 Likes
DavidBerner
Occasional Contributor

Issue ended up being that port 7082 was not open between the primary and replicas and between the replicas and primary. FYI, if anyone else runs into this issue, ensure port 7082 is open for the new RADIUS with 8.6.

Hello David,

After upgrading from 8.5 P5 to 8.6 P3 we have a similar issue, but in our case the "RSA Server" menus in SC and OC won't load at all. They just run into a timeout:

"[STUCK] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)' has been busy for "658" seconds working on the request "Http Request Information: weblogic.servlet.internal.ServletRequestImpl@32833ecb[GET /operations-console/IMSOC_ListRadiusServers.do]
", which is more than the configured time (StuckThreadMaxTime) of "600" seconds in "server-failure-trigger"."

Interestingly, this port (7082) was not mandatory before the update to 8.6 and, with that, the change to FreeRADIUS, and it is not documented anywhere that the importance of this port has changed now.

Thanks to your post, we now know what we most likely have to do to fix this. So thank you very much. 🙂

I would also like to know how you found out that this port was the issue, as this thread was the only help I could find on this.

0 Likes
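One way to confirm the port 7082 finding from this thread is to test the path in both directions: run the check on the primary against each replica, then on each replica against the primary. This script is an added example, not code from the posters or from RSA; it assumes port 7082 is TCP, that bash and coreutils `timeout` are present on the node, and that the hostnames you pass are your own primary and replicas.

```shell
#!/usr/bin/env bash
# Added example: TCP reachability of port 7082 from this node to its peers.
# Assumptions: 7082 is TCP; bash and coreutils `timeout` are available.
# Usage (hostnames are placeholders): ./check7082.sh replica1.example.test

PORT="${PORT:-7082}"
WAIT="${WAIT:-3}"   # seconds before a silent drop is reported as filtered

# One TCP connect attempt. Exit status: 0 on connect, 124 on timeout,
# anything else on an active refusal or a name/route error.
probe() {
    timeout "$WAIT" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Map the probe exit status to what it usually means on the network path.
classify() {
    case "$1" in
        0)   echo open ;;      # handshake completed, listener reachable
        124) echo filtered ;;  # no answer: typical of a firewall dropping packets
        *)   echo refused ;;   # reset or error: nothing accepted the connection
    esac
}

# Print "host:port state" for one peer.
check_peer() {
    local rc=0
    probe "$1" "$PORT" || rc=$?
    echo "$1:$PORT $(classify "$rc")"
}

# Check every peer given; return non-zero if any of them is not open.
check_all() {
    local failed=0 line peer
    for peer in "$@"; do
        line=$(check_peer "$peer")
        echo "$line"
        case "$line" in *" open") ;; *) failed=1 ;; esac
    done
    return "$failed"
}

if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

A `filtered` result points at a firewall between the nodes, while `refused` means the peer answered but nothing accepted the connection on that port (or the name did not resolve).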