Article Number
000039961
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.6
Issue
Authentication Manager server was upgraded from version 8.5 P5 to 8.6, an attempt to register Authentication Manager to Cloud Authentication Service fails.
Unable to retrieve the certificate
Image descriptionimsTrace.log in directory
/opt/rsa/am/server/logs captures the error below.
2021-11-20 17:28:47,961, [[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'], (CASApiAdminOperationsImpl.java:253), trace.com.rsa.internal.admin.casapimgmt.impl.CASApiAdminOperationsImpl, FATAL, bharatham86.vcloud.local,,,,SSL Exception
javax.net.ssl.SSLPeerUnverifiedException: Hostname access-demo.securid.com not verified
Cause
RSA added support for adding additional domain names with AM 8.5 patch 5.
Reason behind the error from 8.5 patch 5 upgrade to 8.6 is that AM 8.5 Patch 5 has database and java code changes to support multiple domain names for Cloud Authentication Service while earlier versions did not support.
While RSA Authentication Manager is updated to 8.6 from version 8.5 patch 5, "access-demo.securid.com" URL cannot be used because database has both "securid.com, securidgov.com" values for domain names but java code supports only one value. So server reads the domain name as 'securid.com, securidgov.com' as on value instead of 2 different domain names.
Resolution
RSA Authentication Manager version 8.6 Patch 1 has a fix for this issue. Upgrade your servers to 8.6 P1 to resolve the issue.
Workaround
If you would need an immediate work-around, the following database change needs to be performed.
- Ensure that SSH access is enabled on the primary. Check this by logging on to the Operations Console and selecting Administration > Operating System Access.
- Log out of the Operations Console for the primary and all replicas.
- Open an SSH session on the Authentication Manager primary.
- Login to the primary Authentication Manager server as rsaadmin and enter the operating system password.
Note that during Quick Setup another username may have been selected. Use that username to login.
- Run the commands in bold to capture the com.rsa.db.dba.password, shown below. On this server, the value is rSKD5bGguLGNL9uGvFWnJoxIcHJah2 but will be different in your deployment of Authentication Manager.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter OS password>
Last login: Mon Nov 22 09:15:33 2021 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@bharatham86:~> cd /opt/rsa/am/utils
rsaadmin@bharatham86:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter Operations Console admin's name>
Please enter OC Administrator password: <enter Operations Console admin's password>
com.rsa.db.dba.password: rSKD5bGguLGNL9uGvFWnJoxIcHJah2
rsaadmin@bharatham86:/opt/rsa/am/utils> cd ../pgsql/bin
rsaadmin@bharatham86:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba: <enter the com.rsa.db.dba.password captured above>
psql.bin (9.2.4)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
- From the db# prompt, run the following UPDATE command: (If connecting to securidgov.com, update command is as mentioned in notes section)
db=# UPDATE rsa_rep.ims_config_value set value = 'securid.com' WHERE name='auth_manager.cas.authentication.domain.name';
UPDATE 1
- When done, Restart the Authentication Manager services on Primary followed by the replicas to honor the database changes above.
Notes
If connecting to securidgov.com , the UPDATE command is as follows:
UPDATE rsa_rep.ims_config_value set value = 'securidgov.com' WHERE name='auth_manager.cas.authentication.domain.name';