Article Number
000039845
Applies To
RSA Product Set: RSA SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.5.0
Platform: Linux
O/S Version: Suse Linux
Issue
Register Authentication Manager with Cloud Authentication Service Fails from the AM 8.5 Security Console - Setup - System, Authentication Settings,
ERROR: Failed to register to the Cloud Authentication Service
An unknown system error occurred.
===imsTrace.log===
2021-08-09 12:19:52,772, [[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'], (RetriveRootCertificate.java:178), trace.com.rsa.authmgr.integration.via.internal.client.RetriveRootCertificate, FATAL, <primary_FQDN>,,,,Exception while retrieving the root certificate.
java.lang.RuntimeException: io.netty.channel.ConnectTimeoutException: connection timed out: access.securidgov.com/20.140.188.86:80
Connection to https://access.securidgov.com from AM Primary and Embedded IDR fails with
FATAL, <primary>.qnet.com,,,,Exception while retrieving the root certificate.
Connection timed out: access.securidgov.com/20.140.188.86:80
Cause
Cloud Authentication Service, CAS connection for AM 8.x server and/or embedded IDR comes in two types:
- Original, Non-FedRamp to https://access.securid.com supported since AM 8.3 P1
- Newer, FedRamp to https://access.securidgov.com which is CAS for Govcloud sites, supported in AM 8.5 P5 and AM 8.6 P1 or later.
Both connections are essentially the same, though they have slightly different Certificate Trust chains that must be included in an internal .jks key store by Engineering in a specific patch or version of Authentication Manager.
Typical registration failure messages are somewhat clear, like this: Invalid or expired registration code
Image descriptionBut when you see
unknown system error occurredis the Security Console, and the /opt/rsa/am/server/logs/imsTrace.log shows
FATAL, <primary_FQDN>,,,,Exception while retrieving the root certificate.
java.lang.RuntimeException: io.netty.channel.ConnectTimeoutException: connection timed out: access.securidgov.com/20.140.188.86:80The first thing to check is that you have AM 8.5 patch 5.
Resolution
Authentication Manager, AM version 8.5 patch 5 readme has the following fix.
AM-42355. Added support for the FedRAMP domain name securidgov.com to the embedded identity router.
You need AM 8.5 P5 or AM 8.6 P1 or later.
Notes
This error sounds and feels like there is a proxy Server controlling access to the Internet, so you could spend time looking at Knowledge Base, KB articles 38668 or 38779, where you add proxy server Certificates to the /opt/rsa/am/server/security/trust.jks with keytool - this is in case the proxy server terminates the SSL connection from within the Corp network and build a new SSL connection to
https://access.securid.com or
https://access.securidgov.com