Article Number
000067998
Applies To
Authentication Manager Version 8.x all versions, and all agent versions
Issue
How to control and verify the Authentication Manager (AM) server contact list, either to restrict certain agents to specific AM servers (the primary or particular replicas), or to make all currently available AM servers, primary and replicas, available to agents for authentication.
Task
1. Manually Create new Server contact list and add specific servers to that list
2. Configure Agent Attributes to use this Server Contact list
3. Optionally 'automatically' update the default Server Contact list
4. Optionally verify that your sdconf.rec file contains all of your servers
Resolution
1. Manually create a new server contact list and add specific servers to that list
In the Security Console, go to Access - Authentication Agents - AM Contact List - Add New.
Select the specific AM servers you want in this list, then Save.
2. Configure the agent attributes to use this server contact list
In the Security Console, edit the agent so that it uses only this new server contact list.
The agent will then send authentication requests only to the AM servers in its server contact list.
3. Optionally 'automatically' update the default server contact list
Often it makes more sense to let all or most agents find and use any and all AM servers, even after new servers have been added and older servers have been decommissioned and removed. Use the Automatic Rebalance option in the Security Console - Access - Authentication Agents - AM Contact List - Automatic Rebalance.
4. Optionally verify that your sdconf.rec file contains all of your servers. sdconf.rec is a binary file, so open it in Notepad++ (or another editor that can display binary content) and check that the name and IP address of every AM server appear in it.
Notes
Even if you are still using your original sdconf.rec files and your AM servers have come and gone, as long as you run Automatic Rebalance every now and then, your agents will find your current AM servers for authentication.
We did see a unique situation that highlights how sdconf.rec works. A customer had a single primary, so the sdconf.rec file and the server contact list had one entry, with one name and one IP address. Authentication was working, but the customer then changed the primary's IP address in the Operations Console. After this change the agents could no longer find the primary, because its IP address no longer matched the one the agents knew from their sdconf.rec file, and with no replica there was no other server to tell the agents about the change. The primary was a single point of failure, and the agents needed a freshly generated sdconf.rec containing the new address before they could authenticate again.
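The following script is an added example for step 4 and for the single-primary scenario in the Notes; it is not part of this article and not an RSA-supplied tool. It does the same thing a person does when viewing sdconf.rec in Notepad++: it pulls the printable strings out of the binary file, picks out the IPv4 addresses and hostname-like strings, checks them against a list of servers you expect, and flags a file that knows about only one server. The sdconf.rec format itself is proprietary and is not described here; the only assumption made is that server names and addresses appear as readable strings, which is what the Notepad++ check relies on too. The sample file contents, the server names and the addresses below are constructed for the example.

```python
import re
import sys

# Constructed stand-in for a binary sdconf.rec: two servers embedded among
# non-printable bytes. Assumed layout for illustration only; the real file
# format is proprietary and not documented on this page.
SAMPLE_SDCONF = (
    b"\x00\x01\x02\x00" + b"am-primary.example.com" + b"\x00" * 6
    + b"10.10.1.5" + b"\x00\x00\xff\xfe"
    + b"am-replica1.example.com" + b"\x00" * 6
    + b"10.10.1.6" + b"\x00\x00"
)

# Constructed stand-in for the single-primary case from the Notes.
SINGLE_PRIMARY_SDCONF = (
    b"\x00\x00" + b"am-primary.example.com" + b"\x00" * 6 + b"10.10.1.5" + b"\x00"
)

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + b",}")
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_servers(data: bytes) -> dict:
    """Split the printable strings into IPv4 addresses and hostname-like strings."""
    strings = extract_strings(data)
    ips = [s for s in strings if IPV4.match(s)]
    # Heuristic: a dotted string that is not an IP is treated as a hostname.
    hosts = [s for s in strings if "." in s and not IPV4.match(s)]
    return {"ips": ips, "hosts": hosts}


def check_sdconf(data: bytes, expected: list) -> dict:
    """Compare the servers found in the file with the servers you expect.

    'missing' lists expected names/addresses that are absent; a file that
    names only one IP address is flagged as a single point of failure, since
    no other server can tell the agent about a changed address.
    """
    found = find_servers(data)
    present = set(found["ips"]) | set(found["hosts"])
    missing = [e for e in expected if e not in present]
    return {
        "found": found,
        "missing": missing,
        "single_point_of_failure": len(found["ips"]) <= 1,
    }


def report(data: bytes, expected: list) -> str:
    result = check_sdconf(data, expected)
    lines = ["Servers in file: " + ", ".join(result["found"]["hosts"] + result["found"]["ips"])]
    lines.append("Missing: " + (", ".join(result["missing"]) or "none"))
    if result["single_point_of_failure"]:
        lines.append("WARNING: only one server address present; an IP change will strand this agent")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_sdconf.py [path/to/sdconf.rec] server1 server2 ...
    # With no arguments the constructed sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        expected = sys.argv[2:]
    else:
        data = SAMPLE_SDCONF
        expected = ["am-primary.example.com", "10.10.1.5", "am-replica1.example.com", "10.10.1.6"]
    print(report(data, expected))
```

Run it against a copy of the agent's sdconf.rec and the list of AM servers shown in the Security Console's contact list; any server reported as missing means the agent was given that file before the server existed, and a one-server warning is exactly the situation described in the Notes.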