Article Number
000038228
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4 Patch 8
Issue
After upgrading RSA Authentication Manager to 8.4 patch 8, TCP-based RSA Authentication Agents that utilize the RSA Authentication Agent SDK 8.5 and 8.6 for C can no longer authenticate.
Agent logs show errors similar to:
error .\SignatureVerifier.cpp 165 Config response is tampered
error .\SignatureVerifier.cpp 164 Config response is tampered
verbose .\SignatureVerifier.cpp 258 Leaving SignatureVerifier::validateConfiguration()
error ..\AgentConfigHandler.cpp 135 ConfigResponse is not valid
Performing a test authentication can display the following error:
Initialization Failed - configuration error
Impacted Agents/Agent SDKs are as follows:
Product | Mode | Impacted? |
---|---|---|
RSA SecurID Authentication SDK C 8.5.x/8.6.x | TCP | Yes |
RSA SecurID Authentication SDK C 8.5.x/8.6.x | UDP | No |
RSA SecurID Authentication SDK Java 8.5.x/8.6.x | TCP | No |
RSA SecurID Authentication SDK Java 8.5.x/8.6.x | UDP | No |
RSA Authentication Agent for Web | TCP | Yes |
RSA Authentication Agent for Web | UDP | No |
Cause
An issue was introduced in RSA Authentication Manager 8.4 patch 8 that broke backward compatibility with agents that utilize RSA Authentication SDK C 8.5.x and 8.6.x in TCP mode. This was caused by an Oracle Java JDK update included in patch 8.
Resolution
Wait for the RSA Authentication Manager 8.4 patch 9 update.
Workaround
As a workaround, either:
- Configure RSA Authentication Agents to use UDP mode, or
- Use the procedure below to roll back the Authentication Manager Oracle JDK.
- In RSA Authentication Manager 8.4 patch 8, Oracle JDK 1.8_231 was installed.
- Verify the version. Patch 8 will show the output below:
cd /opt/rsa/am/appserver/jdk/bin
./java -version
java version "1.8.0_231"
Java(TM) SE Runtime Environment (build 1.8.0_231-b26)
Java HotSpot(TM) 64-Bit Server VM (build 25.231-b26, mixed mode)
- To replace this with an older version (that is, the version that was in use when the last patch that updated the Java JDK was installed):
# As rsaadmin ...
# Stop AM services
cd /opt/rsa/am/server
./rsaserv stop all
# Set aside the JDK from the P8 install
cd /opt/rsa/am/appserver
mv jdk jdk-P8
# We want to find the most recent JDK backup
# (which contains the JDK in use when the most recent install that updated the JDK was performed)
ls -ltr ../updates/
# This attempts to set a variable to the path of this backup file (*but please verify*)
lastjdk=$(ls -tr ../updates/backup_jdk*.gz | tail -1)
# Verify
echo "$lastjdk"
# Extract the backed-up JDK
tar -xzf "$lastjdk"
# Optional - check the version - should be earlier than "1.8.0_231"
cd /opt/rsa/am/appserver/jdk/bin
./java -version
# Restart services
# There will be some additional messages from "sys-package-mgr" for the first restart
cd /opt/rsa/am/server
./rsaserv start all
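An added example, not part of the RSA article: a POSIX shell check for the optional version step above, which parses `java -version` output and reports whether the JDK is older than the 1.8.0_231 build installed by patch 8. The function names are hypothetical and the 1.8.0_201 value is a constructed sample; `java -version` writes to stderr, so real output must be piped with `2>&1`.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not RSA-supplied code).
P8_VERSION="1.8.0_231"   # JDK installed by 8.4 patch 8, per the article

# `java -version` output for patch 8, as shown in the article.
P8_OUTPUT='java version "1.8.0_231"
Java(TM) SE Runtime Environment (build 1.8.0_231-b26)
Java HotSpot(TM) 64-Bit Server VM (build 25.231-b26, mixed mode)'

# Read `java -version` output on stdin and print the quoted version string.
jdk_version_from_output() {
    sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Exit status: 0 = older than the patch 8 JDK, 1 = same or newer,
# 2 = different version family or unparsable (verify by hand).
is_pre_p8_jdk() {
    ver=$1
    case "$ver" in
        "${P8_VERSION%_*}"_*) ;;   # same 1.8.0 family: compare update number
        *) return 2 ;;
    esac
    upd=${ver#*_}
    upd=${upd%%[!0-9]*}            # drop any suffix such as "-b26"
    [ -n "$upd" ] || return 2
    [ "$upd" -lt "${P8_VERSION#*_}" ]
}

# Demo: the article's patch 8 output, then a constructed earlier version.
# On the appliance, feed real output instead:
#   ./java -version 2>&1 | jdk_version_from_output
p8_ver=$(printf '%s\n' "$P8_OUTPUT" | jdk_version_from_output)
for v in "$p8_ver" "1.8.0_201"; do
    if is_pre_p8_jdk "$v"; then
        echo "$v: older than $P8_VERSION, rollback took effect"
    else
        echo "$v: not older than $P8_VERSION (status $?)"
    fi
done
```

A status of 2 means the version string is outside the 1.8.0 family or could not be parsed, so compare it by hand before restarting services.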
Notes
- Rolling back RSA Authentication Manager 8.4 patch 8 does not fix this issue.
- TCP agents using RSA agent API 8.5 or 8.6 for Java (including the RSA SecurID Access Identity Router), RSA agents using the ReST API, and UDP agents are not affected.