Article Number
000035849
Applies To
RSA Product Set: SecurID Access
Issue
After configuring the Identity Router as a SecurID Agent, the Administration Console Platform > Authentication Manager > Test Connection is unsuccessful.
After collecting the identity router log bundle, errors similar to those below are seen in /var/log/symplified/symplified.log:
2017-12-12/17:10:08.538/UTC [sidProxyScheduler-1] FATAL com.rsa.authagent.authapi.v8.logger.b[?] - {validateSignCertwithRootCert} ConfigResponse Signing Cert Validation failed Certificate verify failed!
2017-12-12/17:10:08.539/UTC [sidProxyScheduler-1] FATAL com.rsa.authagent.authapi.v8.logger.b[?] - {validateConfigResponse} ConfigResponse signing cert validation and verification failed: com.rsa.authagent.authapi.AuthAgentException: Signature Certificate Verification Failed:Certificate verify failed!
2017-12-12/17:10:08.539/UTC [sidProxyScheduler-1] FATAL com.rsa.authagent.authapi.v8.logger.b[?] - {handleConfigUpdate} ConfigurationResponse(Init) - Response validation & verification failed
2017-12-12/17:10:08.539/UTC [sidProxyScheduler-1] ERROR com.rsa.authagent.authapi.v8.logger.b[?] - Exception processing configuration data Exception processing configuration data Invalid config response from the server: Response validation & verification failed!
2017-12-12/17:10:08.539/UTC [sidProxyScheduler-1] ERROR com.rsa.nga.sidproxy.SidAuthentication[263] - Failed to verify session factory
com.rsa.authagent.authapi.AuthAgentException: com.rsa.authagent.authapi.AuthAgentException: Exception processing configuration data Exception processing configuration data Invalid config response from the server: Response validation & verification failed!
at com.rsa.authagent.authapi.AuthSessionFactory.a(AuthSessionFactory.java)
Cause
The RSA Authentication Manager root certificate published to the Identity Router is no longer being used by Authentication Manager for secure agent communications. This can occur due to certain Authentication Manager database restore scenarios.
Resolution
Update the Authentication Manager agent communications root certificate and then publish a new sdconf.rec file to the Identity Router.
Note that instructions to retrieve the root certificate vary by browser type; the instructions below are for Chrome.
- Browse to https://<YOUR_AUTH_MANAGER>:7002 and ignore the 404 error.
- Click on the three vertical dots in the upper right and choose More tools > Developer tools.
- In the Tools window, click the Security tab and then, from Security Overview, click View certificate.
- In the Certificate popup, click the Certification Path tab and then the top-level root certificate.
- Click the View Certificate button.
- Click the Details tab then the Copy to File button.
- Follow the wizard to save a .DER encoded certificate to a file.
- Now in the RSA Authentication Manager Security Console go to Setup > System Settings > Agents.
- Click on the link labeled "To configure agents using IPV6, click here."
- In the Existing Certificate Details section, click Choose File, select the Authentication Manager root certificate file you just exported, and then click Update.
- Now browse to Access > Authentication Agents > Generate Configuration File.
- Generate and download a new AM_Config.zip file.
- Unzip the AM_Config.zip to extract the new sdconf.rec.
- Upload the new sdconf.rec file via the SecurID Access Administration Console Platform > Authentication Manager > Connection Settings menu and click Save.
- Click Publish Changes.
The Test Connection should be successful following the Publish.
Notes
There are also Linux command line tools such as openssl and wget that can be used as an alternative to a browser for retrieving a site's SSL certificates.
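The openssl alternative mentioned in the note above, as an added example that is not part of the original article or RSA's tooling: it saves the top certificate of the chain served on port 7002 as a DER file, and refuses it unless it is self-signed. It assumes the server sends its full chain including the root; the function names, output file name and am.example.com host are hypothetical.

```shell
#!/bin/sh
# Added example, not RSA's tooling. Assumption: the server sends its full
# chain, root included, so the last certificate shown is the root.

# Print the last PEM certificate found on stdin, i.e. the top of the chain
# in `openssl s_client -showcerts` output. Prints nothing if none is found.
last_pem_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside                        { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/   { last = buf; inside = 0 }
        END                           { printf "%s", last }
    '
}

# fetch_root_der HOST PORT OUTFILE
# Saves the top-of-chain certificate as DER, refusing anything that is not
# self-signed (subject != issuer), since that would not be a root.
fetch_root_der() {
    host=$1; port=$2; out=$3
    pem=$(openssl s_client -showcerts -connect "$host:$port" \
            </dev/null 2>/dev/null | last_pem_cert)
    if [ -z "$pem" ]; then
        echo "no certificate received from $host:$port" >&2
        return 1
    fi
    subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject | sed 's/^subject= *//')
    iss=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" != "$iss" ]; then
        echo "top certificate is not self-signed; root was not sent" >&2
        return 1
    fi
    printf '%s\n' "$pem" | openssl x509 -outform DER -out "$out"
    # Show subject and SHA-256 fingerprint so the file can be compared with
    # what the browser's certificate viewer shows before uploading it.
    openssl x509 -inform DER -in "$out" -noout -subject -fingerprint -sha256
}

# Usage (am.example.com is a placeholder for <YOUR_AUTH_MANAGER>):
#   fetch_root_der am.example.com 7002 am_root.der
```

The resulting DER file is what gets uploaded under Setup > System Settings > Agents in the steps above.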