- Servers in this deployment of Authentication Manager started at very early versions of this platform (including but not limited to 8.1, 8.2).
- Server upgrades were done by following the proper upgrade path from 8.4 to 8.5 to 8.6, but without running the RSA Authentication Manager 8.6 Pre-Upgrade Check Tool.
- After the upgrade to Authentication Manager 8.6 or 8.7, messages state that the status of the RADIUS server cannot be determined.
- After upgrading to Authentication Manager 8.6 and 8.7:
  - From the Operations Console, navigate to Deployment Configuration > RADIUS Server. An error message states that the RADIUS Server is not found.
  - From the Security Console, navigate to RADIUS > RADIUS Clients > Manage Existing. A message states that the RADIUS server cannot be managed.
- The following errors display in the logs:
Oct 29, 2022 1:34:37 PM com.rsa.authmgr.admin.tools.action.OrderedRadiusMigrationAction migrationLogError
SEVERE: Failed to Synchronize RADIUS Clients and Profiles with AM.
com.rsa.authmgr.radius.exception.RadiusSystemException: Unable to read RADIUS object -Could not create SSL Socket
    at com.rsa.authmgr.internal.radius.sbr.xui.impl.XUIAccessImpl.read(XUIAccessImpl.java:377)
    at com.rsa.authmgr.admin.tools.action.premigrate.AMMigrateSyncRadiusDataAction.execute(AMMigrateSyncRadiusDataAction.java:178)
    at com.rsa.authmgr.admin.tools.AMMigrateRadiusDataCLU.execute(AMMigrateRadiusDataCLU.java:211)
    at com.rsa.authmgr.admin.tools.AMMigrateRadiusDataCLU.main(AMMigrateRadiusDataCLU.java:973)
Caused by: java.lang.RuntimeException: Could not create SSL Socket
    at com.rsa.authmgr.internal.radius.sbr.xui.ssl.XUISSLSocketFactory.initSSLSocket(XUISSLSocketFactory.java:102)
    at com.rsa.authmgr.internal.radius.sbr.xui.ssl.XUISSLSocketFactory.createSocket(XUISSLSocketFactory.java:65)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at com.rsa.authmgr.internal.radius.sbr.xui.impl.XUIAccessImpl.read(XUIAccessImpl.java:350)
    ... 3 more
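For triage, the following added example (not RSA code and not part of the original article) condenses a log in the layout of the excerpt above into one line per SEVERE record, newest first, and flags the "Could not create SSL Socket" root cause. The function names and the sample records marked as constructed are assumptions; the log file to read is whatever path you pass in.

```shell
#!/usr/bin/env bash
# Added example, not RSA code: list SEVERE records newest first, each with
# its thrown exception and the deepest "Caused by" line.
summarize_severe() {
  # $1 = log file in the layout of the excerpt above; reads stdin if omitted
  awk '
    function emit() {
      if (sev) out[n++] = ts " | " msg " | " exc " | root cause: " (root != "" ? root : "none")
      sev = 0; msg = ""; exc = ""; root = ""
    }
    # Record header, e.g. "Oct 29, 2022 1:34:37 PM <class> <method>"
    /^[A-Z][a-z][a-z] [0-9]+, [0-9]+ [0-9]+:[0-9]+:[0-9]+ [AP]M / {
      emit(); ts = $1 " " $2 " " $3 " " $4 " " $5; next
    }
    /^SEVERE: /            { sev = 1; msg = substr($0, 9); next }
    !sev                   { next }   # body of a record below SEVERE level
    /^[ \t]*(at |\.\.\. )/ { next }   # stack frames and "... N more"
    /^[ \t]*Caused by: /   { sub(/^[ \t]*Caused by: /, ""); root = $0; next }
    exc == ""              { exc = $0 }   # first line after SEVERE is the exception
    END { emit(); for (i = n - 1; i >= 0; i--) print out[i] }
  ' "${1:--}"
}

# Succeeds when a SEVERE record bottoms out in the SSL socket failure above.
has_ssl_socket_failure() {
  summarize_severe "${1:--}" | grep -q 'root cause: .*Could not create SSL Socket'
}

# Sample input: the first record is constructed; the second is abridged from
# the excerpt on this page.
sample_log() {
  cat <<'EOF'
Oct 29, 2022 1:30:02 PM com.example.ConstructedAction run
SEVERE: Constructed earlier failure without a cause chain.
java.lang.IllegalStateException: constructed
    at com.example.ConstructedAction.run(ConstructedAction.java:1)
Oct 29, 2022 1:34:37 PM com.rsa.authmgr.admin.tools.action.OrderedRadiusMigrationAction migrationLogError
SEVERE: Failed to Synchronize RADIUS Clients and Profiles with AM.
com.rsa.authmgr.radius.exception.RadiusSystemException: Unable to read RADIUS object -Could not create SSL Socket
    at com.rsa.authmgr.internal.radius.sbr.xui.impl.XUIAccessImpl.read(XUIAccessImpl.java:377)
Caused by: java.lang.RuntimeException: Could not create SSL Socket
    at com.rsa.authmgr.internal.radius.sbr.xui.ssl.XUISSLSocketFactory.initSSLSocket(XUISSLSocketFactory.java:102)
    ... 3 more
EOF
}

sample_log | summarize_severe
```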
With Authentication Manager 8.5 and below, RSA used a product called Steel Belted RADIUS. From 8.6 and higher we now use FreeRADIUS. That change means that before upgrading to 8.6 you must run the RSA Authentication Manager 8.6 Pre-Upgrade Check Tool. This RSA RADIUS pre-migration script locates any RADIUS issues that need to be corrected before upgrading from RSA Authentication Manager 8.5 to RSA Authentication Manager 8.6.
You must run this script before upgrading to RSA Authentication Manager 8.6.
Check the Operations Console under Maintenance > Update and Rollback. Look at the Applied Updates table. While Engineering has not determined root cause, Support has found that when upgrading from much older versions of Authentication Manager through to 8.5, 8.6 and finally to 8.7, there are database artifacts that affect the working of the upgraded system. If your system started at a much earlier version of Authentication Manager, see the Workaround section below.
RADIUS troubleshooting tips
- SSH to your Authentication Manager 8.5 primary and navigate to /opt/rsa/am/radius. Look for a file named mmddyyyy.log, where the file name is the date you saw the error (e.g., 20221029.log). Starting from the bottom and scrolling up, look at the file for any error messages.
- Make sure that port 7072/TCP is open bi-directionally between the primary and the replica.
- In the Security Console, click RADIUS > RADIUS Servers. Click Initiate Replication.
- Manually rebuild RADIUS:
  - SSH to the primary server with the rsaadmin account.
  - Manually configure RADIUS with the command /opt/rsa/am/config/config.sh RadiusOCConfig.configure. You will be prompted to enter the rsaadmin password to complete this task.
  - Stop and start RSA Authentication Manager services.

    login as: rsaadmin
    Using keyboard-interactive authentication.
    Password:
    Last login: Thu Nov 10 16:01:46 2022 from 192.168.2.102
    RSA Authentication Manager Installation Directory: /opt/rsa/am
    rsaadmin@am8p:~> cd /opt/rsa/am/config
    rsaadmin@am8p:/opt/rsa/am/config> ./config.sh RadiusOCConfig.configure
    rsaadmin@am8p:/opt/rsa/am/config> cd ../server
    rsaadmin@am8p:/opt/rsa/am/server> ./rsaserv restart all

A customer reported that the following solution resolved the issue:
- Copy /opt/rsa/am/utils/etc/radius_migration.properties from the primary to the replica server.
- Restart Authentication Manager services.
If you are upgrading from a much earlier version of Authentication Manager, you may run into an issue with database artifacts that can cause RADIUS or other components to no longer be manageable. Consider the following process that gives you new servers that can cleanly be upgraded to Authentication Manager 8.6 and then 8.7:
- From the Operations Console, take a backup of the current Authentication Manager primary server (Maintenance > Backup and Restore > Backup Now). Copy the backup to a different server for storage.
- Create a new replica with Authentication Manager 8.5. For continuity, create the replica with the old primary's IP address and hostname (do this on a different subnet). This would mean any RSA Authentication Agent machines would not need new sdconf.rec files.
- Promote this server to be the new primary.
- Bring this online as the primary and import your backup.
- Install all new replicas running 8.5.
- Attach new replicas to new primary.
- Delete old primary and old replicas.
- Run the RSA Authentication Manager 8.6 Pre-Upgrade Check Tool. Before continuing, resolve any issues that are listed in the report.
- Upgrade to Authentication Manager 8.6 then 8.7.
- Install new web tiers, if using.