Article Number
000068038
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
After importing a new SMS provider certificate for ODA successfully, the test fails with the error:
Failed to send message
SSL connection not verified with peer. Please check that the certificate you imported is valid for the configured SMS provider.
Cause
The certificate the Authentication Manager actually receives from the SMS provider is not the same as the one that was imported.
Resolution
Retrieve the SMS provider's certificate from the Authentication Manager server using the openssl command:
1. Log in to the Authentication Manager primary server using any SSH client (e.g. PuTTY), then type the following command:
a. openssl s_client -connect <SMS_Provider_Base_URL>:443
2. Highlight and copy the output from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----, including both marker lines
3. Save it in a text editor such as Notepad as <name>.cer
4. Log in to the primary's Security Console
5. Navigate to Setup > System Settings > On-Demand Tokencode Delivery under Authentication Settings
6. Under the SMS Provider Configuration, click Import Certificate and import the file obtained from step 3
7. Save the changes and test again; the SMS message will be received
8. Reboot all replicas in the deployment for the change to replicate
Workaround
N/A
Notes
The OpenSSL utility can fetch a different certificate than the browser does, because s_client by default does not send SNI (Server Name Indication) data while a browser does. The server may respond with a different certificate depending on the contents of that SNI; if no SNI is present, it serves its default certificate.
To request the certificate for a specific server name, add -servername <FQDN_of_the_Server> to the openssl command as follows:
openssl s_client -connect <IP_of_the_Server>:<Port> -showcerts -servername <FQDN_of_the_Server>
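The following shell script is an added example, not part of the RSA article, that automates the resolution steps above (fetch the provider's certificate with openssl s_client, cut out the PEM block, save it as a .cer file) and applies the SNI point from the Notes by always passing -servername. The host, port and FQDN values are placeholders, and the embedded s_client output is constructed sample data so the PEM extraction can be exercised offline; with -showcerts the provider sends its whole chain, and the first block is the leaf certificate that the Security Console import needs.

```shell
#!/bin/sh
# Added example (not from the RSA article). Assumes openssl and sed are
# available on the Authentication Manager shell; host/port/FQDN are placeholders.

# Extract only the first PEM block from s_client output on stdin.
# The first block is the server (leaf) certificate; later blocks are the chain.
extract_leaf_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | sed '/-----END CERTIFICATE-----/q'
}

# Number of certificates the server presented (chain length).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Fetch the leaf certificate for a given provider, sending SNI so the server
# returns the certificate a browser would see rather than its default one.
# Usage: fetch_sms_cert <host_or_ip> [port] [fqdn_for_sni]
fetch_sms_cert() {
    host="$1"; port="${2:-443}"; fqdn="${3:-$1}"
    # </dev/null closes stdin so s_client exits instead of waiting for input.
    openssl s_client -connect "$host:$port" -servername "$fqdn" -showcerts \
        </dev/null 2>/dev/null | extract_leaf_pem
}

# SHA-256 fingerprint of a PEM certificate on stdin; compare it with the
# fingerprint shown by the browser to confirm the right certificate was fetched.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256
}

# Constructed sample of what s_client -showcerts prints (not real certificates).
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=1 CN = Constructed Test CA
verify return:1
---
Certificate chain
 0 s:CN = sms.example.invalid
   i:CN = Constructed Test CA
-----BEGIN CERTIFICATE-----
MIIBleafCONSTRUCTED
-----END CERTIFICATE-----
 1 s:CN = Constructed Test CA
   i:CN = Constructed Test CA
-----BEGIN CERTIFICATE-----
MIIBcaCONSTRUCTED
-----END CERTIFICATE-----
---
Server certificate
subject=CN = sms.example.invalid'

# With a host argument, fetch the live certificate and write it to sms_provider.cer
# (the file to import in the Security Console); without one, run on the sample.
if [ "$#" -ge 1 ]; then
    fetch_sms_cert "$@" > sms_provider.cer
    cert_fingerprint < sms_provider.cer
else
    printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | extract_leaf_pem
fi
```

Run it as `sh fetch_sms_cert.sh <IP_of_the_Server> <Port> <FQDN_of_the_Server>` on the primary, then import the resulting sms_provider.cer as in step 6; if the printed fingerprint differs from the one the browser shows for the provider's URL, the SNI name or port is still wrong and the import will fail the same way.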