Article Number
000033954
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.1, 8.2
Platform: VMware
RSA Product/Service Type: Authentication Manager Web Tier
O/S Version: Red Hat Enterprise Linux 5 (64-bit), 6 (64-bit), Microsoft Windows Server 2008 R2 (64-bit), Windows Server 2012 (64-bit) or Windows Server 2012 R2 (64-bit)
Issue
The web tier server allows internet access to provision tokens through the Authentication Manager Self-Service Console (SSC). The web tier virtual host is an F5 Local Traffic Manager (LTM) with an internet-resolvable DNS name. The virtual host private key was exported with Java Keytool and imported into the F5 so that internet SSL connections can be terminated on the F5. The F5 uses three internal/DMZ IP addresses, referred to as secure network address translation, or SNAT addresses, in the source IP address of packets they forward to the web tiers.
We noticed a success rate of less than 100%when logging into the SSC through the web tier from an F5 Internet connection. Failures all occur as soon as the user ID is entered. No time is given to enter the passcode. The browser reloads the /IMS-AA-IDP/InitialLogonDispatch.do page and prompts for the user to log in again. Sometimes it logs the user in, but the screen does not render completely. Sometimes it renders completely, but clicking a link and backing up throws the user back to the logon screen, displaying the Self-Service Console logon with the following error:
Invalid Request
Your request cannot be processed at this time. It either has been processed or is a bad request. Return to home and try again.
Image description
The [wt_home]/server/logs/imsConsoleTrace.log on the web tier shows the following error:
com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR
Caused by: com.rsa.common.SystemException: Access denied. The authentication request was routed through a
load balancer/Proxy server that is not recognized by the system.
Task
The following tasks will need to be completed:
- Add the first two SNAT IP addresses to the Virtual Host through the Operations Console, using the steps in Resolution below.
- Add the third IP address to the ..\<WebTier>\utils\resource\ssofilter.properties file by copying and pasting the second address configuration and editing it.
Resolution
To resolve this issue,
- Add the first two SNAT IP addresses for the F5, or the source IP addresses for packets from the F5 to the Web Tier in the Operations Console.
- From the Operations Console, select Deployment Configuration > Virtual Host and Load Balancing.
- Add the SNAT IP addresses to the Load Balancer Details list.
- Click Save when done.
Image description
- Be sure to update the web tier status to push these changes to the web tiers.
- From the Operations Console, select Deployment Configuration > Web Tier Deployments > Manage Existing.
- Under Status, click Update.
Image description
- Next, access your web tier, and edit the ..\Webtier\utils\resources\ssofilter.properties file. Be sure to note the path. Do not edit the ..\Webtier\pkg\ssofilter.properties file by mistake. Note that the Operations Console will reflect this addition, but you will not be able to edit and save the virtual host configuration.
- Find the following string:
-
trustedProxies=\ 66.232.235.198/32\=X-Forwarded-For 66.232.235.199/32\=X-Forwarded-For
- Add the third IP as in the example below to get the three IP addresses:
-
trustedProxies=\ 66.232.235.198/32\=X-Forwarded-For 66.232.235.199/32\=X-Forwarded-For 66.232.235.200/32\=X-Forwarded-For
Note that you will be able to see the addition in the Operations Console but will not be able to edit it.
Image description
Notes
If a range of IPs is needed like for Cloudflare CDN, here is an example of adding subnets:
trustedProxies=\ 103.21.xxx.1/32\=X-Forwarded-For 103.21.xxx.2/32\=X-Forwarded-For 103.21.xxx.3/32\=X-Forwarded-For 103.21.xxx.0/22\=X-Forwarded-For 103.22.xxx.0/22\=X-Forwarded-For 103.31.xxx.0/22\=X-Forwarded-For 104.xxx.0.0/12\=X-Forwarded-For 108.162.xxx.0/18\=X-Forwarded-For 131.0.xxx.0/22\=X-Forwarded-For
This will add those subnets:
103.21.xxx.0/22
103.22.xxx.0/22
103.31.xxx.0/22
104.xxx.0.0/12
108.162.xxx.0/18
131.0.xxx.0/22