This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

How to test RSA SecurID Access identity router (IDR) Secure Connector connectivity

Article Number

000035813

Applies To

RSA Product Set:  SecurID Access

Issue

Connectivity between the identity router (IDR) and its SecurID Access cloud tenant is being questioned.

Resolution

A helpful troubleshooting step is to try accessing the Secure Connector health.API URL. Do this from a browser on the same subnet as the IDR proxy interface or directly from the IDR using the wget command.

The URL is of the form <tenant id>.auth.securid.com/secure-connector-fe/health.api, where <tenant id> is the value that is initially set in the Administrator Console under My Account > Company Settings > Company Information tab > Company ID field.

The following is an example wget command from the IDR command line. The --bind-address switch should specify the IDR's proxy IP address. Connection OK is returned when successful.

See Access SSH for Identity Router Troubleshooting to access the IDR command line (Alternatively, SSH can be enabled on the IDR from its Setup page: Enable Emergency SSH😞
 
[idradmin@idr.gs00.example.com ~]$ wget --no-check-certificate --bind-address <IDR Proxy IP> https://mycompany.auth.securid.com/secure-connector-fe/health.api 
--2019-01-09 21:58:28--  https://mycompany.auth.securid.com/secure-connector-fe/health.api 
Resolving mycompany.auth.securid.com... 191.237.22.167 
Connecting to mycompany.auth.securid.com|191.237.22.167|:443... connected. 
HTTP request sent, awaiting response... 200 
Length: 13 [text/plain] 
Saving to: `health.api.1' 
100%[==========================================================>] 13          --.-K/s   in 0s 

2019-01-09 21:58:30 (2.70 MB/s) - `health.api.1' saved [13/13] 

[idradmin@idr.gs00.example.com ~]$ more health.api
Connection OK
 
The above wget command checks HTTPS (and also TCP and IP level) connectivity, from the identity router to the Current Cloud IP address only. The Cloud Authentication Service Connection IP addresses for each identity router are listed on the identity router's status page in the Cloud Administration Console.

To check connectivity to any of the Alternate Cloud IP addresses listed on the identity router's status page, use the following command instead of wget:

openssl s_client -connect <alternate-cloud-ip-address>:443

If a connection to any Current or Alternate Cloud IP connection is failing, check the TLS connection handshake by adding the -state parameter as follows:

openssl s_client -connect <cloud-ip-address>:443 -state

Cloud Authentication Service IP addresses intentionally do not respond to ICMP ECHO, so it is not possible to get a response if you ping a Cloud IP. Contact RSA Support for further troubleshooting assistance if required.

Notes

  1. Be sure to confirm that the infrastructure is:
  • Not blocking the IP associated with <tenant id>.auth.securid.com.
  • Is not filtering *.auth.securid.com or *.access.securid.com URLs.
  1. If a wget certificate WARNING indicates that the certificate was issued by a root CA other than Entrust Root Certification Authority - G2 and the IDR logs are showing the message javax.net.ssl.SSLException: Certificate not verified, then ensure that there are no transparent customer proxy devices between the IDRs and the RSA cloud components. 
  2. If a non-transparent proxy is configured for the IDR to use, then include -e use_proxy=yes -e https_proxy=<proxy hostname>:<proxy port> switches in the wget command.
  3. The auth part of the tenant hostname is auth-eu for European-hosted tenants and auth-anz for APJ hosted tenants.
  4. An alternative to the wget test is to Disconnect an Identity Router and then Connect the Identity Router to the Cloud Administration Console. Disconnecting and reconnecting an IDR fully exercises the IDR  > cloud connection. If a proxy has been introduced between the IDR and the Cloud, then this step is required to recover the connection.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-04-23 01:40 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.