This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

On-demand token delivery is not working after upgrading to RSA Authentication Manager 8.4

Article Number

000039319

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4 and higher.

Issue

On-demand token delivery is not working after upgrading to 8.4. The below error is prompted when testing the connection. 
Failed to send message. SSL connection not verified with peer. Please check that the certificate you imported is valid for this deployment


The /opt/rsa/am/server/logs/imsTrace.log is showing the following errors: 
2020-06-08 17:39:26,471, [SMSMessageProcessor Core Thread #4], (HTTPPlugin.java:306), trace.com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin, ERROR, prdvrsamsha01.kpmgmgmt.com,,,, Failed to send an SMS message via HTTP
javax.net.ssl.SSLPeerUnverifiedException: No certificate found in session or SSL peer not authenticated.
        at com.rsa.authmgr.internal.smsplugin.impl.SMSSecureProtocolSocketFactory.verifyHostname(SMSSecureProtocolSocketFactory.java:236)
        at com.rsa.authmgr.internal.smsplugin.impl.SMSSecureProtocolSocketFactory.createSocket(SMSSecureProtocolSocketFactory.java:198)
        at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
        at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
       at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
        at com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin.executeSendMessage(HTTPPlugin.java:356)
        at com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin.sendRequest(HTTPPlugin.java:302)
        at com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin.send(HTTPPlugin.java:279)
        at com.rsa.authmgr.internal.message.processor.impl.MessageHandlerImpl.handle(MessageHandlerImpl.java:84)
        at com.rsa.authmgr.internal.message.processor.impl.MessageProcessorImpl$MessageProcessorTask.run(MessageProcessorImpl.java:493)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)


2020-06-08 17:39:26,472, [SMSMessageProcessor Core Thread #4], (HTTPPlugin.java:281), trace.com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin, ERROR, prdvrsamsha01.kpmgmgmt.com,,,,Failed to create SMS HTTP request
com.rsa.common.InvalidArgumentException: Failed to send SMS message via HTTP
        at com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin.sendRequest(HTTPPlugin.java:309)
        at com.rsa.authmgr.internal.smsplugin.impl.HTTPPlugin.send(HTTPPlugin.java:279)
        at com.rsa.authmgr.internal.message.processor.impl.MessageHandlerImpl.handle(MessageHandlerImpl.java:84)
        at com.rsa.authmgr.internal.message.processor.impl.MessageProcessorImpl$MessageProcessorTask.run(MessageProcessorImpl.java:493)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        
The ODA certificate is valid and not expired. 


 

Cause

After upgrading to RSA Authentication Manager 8.4, certificates that are at least 2048 bits are required. If the Authentication Manager is configured with LDAPS and the https plug-in to deliver ODA code, and the connection to the LDAP and SMS provider servers is configured with SSL key exchange algorithms DH (Diffie-Hellman) and DHE, the connection fails. The same solution as 000037225 since the problem also occurs to the connection to the SMS provider server.

Resolution


If the AM is running on 8.4 P2 or higher the hotfix is already available so the utility could be applied directly following the below steps:
  1. Open an SSH session on the Authentication manager server. Login as the rsaadmin user, noting that during Quick Setup another username may have been selected. If that is the case, that username to login.
  2. Go to /opt/rsa/am/utils.
  3. Run the command. 
    ./rsautil store -a add_config ims.tls.cipher_list.use_via_trust true GLOBAL BOOLEAN.

    This global variable prevents Authentication Manager 8.4 from including the TLS_DHE_RSA_WITH_AES_256_GCM_SHA_384 cipher suite in the SSL client hello.

  
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Tue FEb 26 10:36:31 2018 from 192.168.2.102
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils 
saadmin@am82p:/opt/rsa/am/utils> ./rsautil store -a add_config ims.tls.cipher_list.use_via_trust true GLOBAL BOOLEAN Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
psql.bin:/tmp/f8e39a3c-a614-41e3-be96-299e670f0a73525273943558510875.sql;0108; NOTICE:  Added the new configuration parameter "ims.tls.cipher_list.use_via_trust" with the value "true"
 add_config 
---------------------

(1 row)

  If the configuration parameter "ims.tls.cipher_list.use_via_trust" is already added you can update it using the below command.  
saadmin@am82p:/opt/rsa/am/utils> ./rsautil store -a update_config ims.tls.cipher_list.use_via_trust false GLOBAL BOOLEAN
Please enter OC Administrator user name: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
psql.bin:/tmp/e6871864-6126-47cc-af20-0c261a3bbb643013521437038491182.sql;167; NOTICE:  Added the new configuration parameter "ims.tls.cipher_list.use_via_trust" from "true" to "false" for the instance 'GLOBAL'.
 update_config 
---------------------

(1 row)

 

Notes

If you are running on 8.4, please upgrade to 8.4 P2 and follow the above or contact the RSA support to apply the hotfix on the appliances first.
Attachments
AM_8.4_SMS_HOTFIX .zip
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-02-17 02:27 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.