An administrator has a requirement to check whether the TCP ports used by Authentication Manager instances in a deployment are reachable, in case a firewall or other device is blocking communication between the primary and replica instance(s).
This knowledge article provides a Linux shell script which can be executed on any Authentication Manager instance in a deployment to check the presence of TCP ports; for example, replication ports 7002 TCP, 1812 TCP, 1813 TCP.
The Linux shell script must be run with root privileges and requires the Operations Console username and password to read the Authentication Manager hostnames stored in the Authentication Manager database. The Linux shell script will use the Authentication Manager hostnames to perform name resolution via configured domain name server(s) and check for the presence of TCP ports on these Authentication Manager instances.
Installation
- Download and copy the attached commcheck.sh shell script into the /tmp folder on an Authentication Manager instance in the deployment. Review the following article on how to enable Secure Shell on the appliance, if needed. Once SSH has been enabled, a secure FTP client, such as WinSCP, can be used to copy the shell script into the /tmp folder.
- Change the permissions of the commcheck.sh so it can be run at the command line:
chmod 755 /tmp/commcheck.sh
Usage
- Log on to the Authentication Manager instance with the rsaadmin account, either in an SSH session or at the local console.
- Change the privileges of the rsaadmin account using the command:
sudo su -
Note that if you do not change the privileges of the rsaadmin account the following message appears:
You must be the root user to use this program; exiting...
- Go to the /tmp folder using the command:
cd /tmp
- The shell script can be executed in one of two ways, as Operations Console user credentials are required. Note that in the first example the Operations Console admin password is displayed in clear text on the command line, while in the second example it is masked when prompted for.
cd /tmp
./commcheck.sh <Operations Console admin name> <Operations Console admin password>
Checking OC credentials..
OC credentials validated... redirecting to menu..
or
cd /tmp
./commcheck.sh
Checking OC credentials....missing OC credentials!
Please enter OC Administrator username: <Operations Console admin name>
Please enter OC Administrator password: <Operations Console admin password>
OC credentials validated... redirecting to menu..
- The shell script menu displays:
RSA Customer Support (Asia Pacific)
Communications Check - AM TCP ports
1) Display Authentication Manager Hostnames
2) Perform Communications Check
3) Generate a Report
9) Exit
Please select an option
Display Authentication Manager Hostnames
Option 1 reads the Authentication Manager hostnames from the Authentication Manager database and displays them on the screen.
For example:
RSA Customer Support (Asia Pacific)
Communications Check - AM TCP ports
1) Display Authentication Manager Hostnames
2) Perform Communications Check
3) Generate a Report
9) Exit
Please select an option
1
Retrieving hostnames of AM instances..
Primary is am86p.securidcsapj.local with IP address 10.0.0.226
Replica is am86r.securidcsapj.local with IP address 10.0.0.227
Done!
Press any key to continue...
Perform Communications Check
Option 2 uses the Authentication Manager hostnames to perform a name lookup using DNS and then checks for the presence of the TCP ports. For example:
RSA Customer Support (Asia Pacific)
Communications Check - AM TCP ports
1) Display Authentication Manager Hostnames
2) Perform Communications Check
3) Generate a Report
9) Exit
Please select an option
2
Communications Check..
- this Authentication Manager is am86p.securidcsapj.local using software version 8.6.0.2.0
- Primary is am86p.securidcsapj.local with IP address 10.0.0.226
Name Resolution via DNS - hostname lookup
;; connection timed out; no servers could be reached
PING am86p.securidcsapj.local (10.0.0.226) 56(84) bytes of data.
64 bytes from am86p.securidcsapj.local (10.0.0.226): icmp_seq=1 ttl=64 time=0.027 ms
64 bytes from am86p.securidcsapj.local (10.0.0.226): icmp_seq=2 ttl=64 time=0.044 ms
64 bytes from am86p.securidcsapj.local (10.0.0.226): icmp_seq=3 ttl=64 time=0.046 ms
64 bytes from am86p.securidcsapj.local (10.0.0.226): icmp_seq=4 ttl=64 time=0.038 ms
--- am86p.securidcsapj.local ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.027/0.038/0.046/0.010 ms
Name Resolution via DNS - IP address lookup
;; connection timed out; no servers could be reached
PING 10.0.0.226 (10.0.0.226) 56(84) bytes of data.
64 bytes from 10.0.0.226: icmp_seq=1 ttl=64 time=0.030 ms
64 bytes from 10.0.0.226: icmp_seq=2 ttl=64 time=0.047 ms
64 bytes from 10.0.0.226: icmp_seq=3 ttl=64 time=0.055 ms
64 bytes from 10.0.0.226: icmp_seq=4 ttl=64 time=0.035 ms
--- 10.0.0.226 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2998ms
rtt min/avg/max/mdev = 0.030/0.041/0.055/0.012 ms
TCP Port Checks
Authentication port
-------------------
am86p.securidcsapj.local authn port 5500 success
am86p.securidcsapj.local authn port 5555 success
Replication ports
-----------------
am86p.securidcsapj.local replication port 7002 success
am86p.securidcsapj.local replication port 1812 LOCAL ACCESS ONLY in 8.6.0.2.0
am86p.securidcsapj.local replication port 1813 NOT USED in 8.6.0.2.0
Adjudicator port
----------------
am86p.securidcsapj.local adjudicator port 7022 success
Console ports
------------
am86p.securidcsapj.local security console port 7004 success
am86p.securidcsapj.local operations console port 7072 success
am86p.securidcsapj.local https port 443 success
SSH port
--------
am86p.securidcsapj.local ssh port 22 success
AM Services ports
-----------------
am86p.securidcsapj.local auto-reg port 5550 success
am86p.securidcsapj.local offline auth port 5580 success
Required by Promotion feature
-----------------------------
am86p.securidcsapj.local radius configure port 7082 success
Name Resolution via DNS - hostname lookup
;; connection timed out; no servers could be reached
PING am86r.securidcsapj.local (10.0.0.227) 56(84) bytes of data.
64 bytes from am86r.securidcsapj.local (10.0.0.227): icmp_seq=1 ttl=64 time=0.637 ms
64 bytes from am86r.securidcsapj.local (10.0.0.227): icmp_seq=2 ttl=64 time=0.771 ms
64 bytes from am86r.securidcsapj.local (10.0.0.227): icmp_seq=3 ttl=64 time=0.263 ms
64 bytes from am86r.securidcsapj.local (10.0.0.227): icmp_seq=4 ttl=64 time=0.524 ms
--- am86r.securidcsapj.local ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.263/0.548/0.771/0.188 ms
Name Resolution via DNS - IP address lookup
;; connection timed out; no servers could be reached
PING 10.0.0.227 (10.0.0.227) 56(84) bytes of data.
64 bytes from 10.0.0.227: icmp_seq=1 ttl=64 time=0.478 ms
64 bytes from 10.0.0.227: icmp_seq=2 ttl=64 time=0.397 ms
64 bytes from 10.0.0.227: icmp_seq=3 ttl=64 time=0.415 ms
64 bytes from 10.0.0.227: icmp_seq=4 ttl=64 time=0.344 ms
--- 10.0.0.227 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.344/0.408/0.478/0.051 ms
TCP Port Checks
Authentication port
-------------------
am86r.securidcsapj.local authn port 5500 success
am86r.securidcsapj.local authn port 5555 FAILED
Replication ports
-----------------
am86r.securidcsapj.local replication port 7002 success
am86r.securidcsapj.local replication port 1812 LOCAL ACCESS ONLY in 8.6.0.2.0
am86r.securidcsapj.local replication port 1813 NOT USED in 8.6.0.2.0
Adjudicator port
----------------
am86r.securidcsapj.local adjudicator port 7022 success
Console ports
------------
am86r.securidcsapj.local security console port 7004 success
am86r.securidcsapj.local operations console port 7072 success
am86r.securidcsapj.local https port 443 success
SSH port
--------
am86r.securidcsapj.local ssh port 22 success
AM Services ports
-----------------
am86r.securidcsapj.local auto-reg port 5550 success
am86r.securidcsapj.local offline auth port 5580 success
Required by Promotion feature
-----------------------------
am86r.securidcsapj.local radius configure port 7082 success
Done!
Press any key to continue...
Generate a Report
Option 3 will generate a report and provide the user with a report name. The content of the report is the same as the display when using Option 2. For example:
RSA Customer Support (Asia Pacific)
Communications Check - AM TCP ports
1) Display Authentication Manager Hostnames
2) Perform Communications Check
3) Generate a Report
9) Exit
Please select an option
3
- please wait while a report is created.. this may take time where there are slow lookups!
..review the log file /tmp/commcheck_202204041052.log for results..
Press any key to continue...
If a TCP port is not reachable, a FAILED message appears in the display output or in the report, as shown here:
am86p.securidcsapj.local replication port 7002 FAILED
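The following script is an added example written for this article; it is not the attached commcheck.sh and does not read credentials or hostnames from the Authentication Manager database. It shows the core of what the communications check and the report option do: a name-resolution step, a TCP connect per port, and one "<host> <label> port <port> success|FAILED" line per port in the same form as the output above, with the number of FAILED ports returned as the exit status. It assumes bash is installed (its /dev/tcp pseudo-device performs the TCP connect, so no extra tools are needed) and uses coreutils timeout when present. The port list is taken from the sample output above; the function names (resolve_host, check_tcp_port, port_status_line, run_checks, write_report) are this example's own. Version-specific states such as "LOCAL ACCESS ONLY" and "NOT USED" are not modelled.

```shell
#!/bin/sh
# Added example, not the commcheck.sh attached to the article. Emits report
# lines in the article's "<host> <label> port <port> success|FAILED" form.
# Assumptions: bash is available (its /dev/tcp pseudo-device does the TCP
# connect); coreutils 'timeout' is used when present. Port list below is the
# one shown in the article's sample output.

AM_PORTS="authn:5500 authn:5555 replication:7002 adjudicator:7022 \
security-console:7004 operations-console:7072 https:443 ssh:22 \
auto-reg:5550 offline-auth:5580 radius-configure:7082"

# resolve_host NAME -> prints the first IPv4 address returned by the resolver,
# or NAME unchanged when it is already a dotted-quad literal.
resolve_host() {
    case "$1" in
        *[!0-9.]*) getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}' ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# check_tcp_port HOST PORT -> exit status 0 when a TCP connect completes within
# 3 seconds; non-zero on refusal or timeout. A firewall silently dropping the
# SYN shows up here as the timeout case, so FAILED covers both situations.
check_tcp_port() {
    _probe="exec 3<>/dev/tcp/$1/$2"
    if command -v timeout >/dev/null 2>&1; then
        timeout 3 bash -c "$_probe" >/dev/null 2>&1
    else
        bash -c "$_probe" >/dev/null 2>&1
    fi
}

# port_status_line HOST LABEL PORT -> one report line in the article's format
port_status_line() {
    if check_tcp_port "$1" "$3"; then
        printf '%s %s port %s success\n' "$1" "$2" "$3"
    else
        printf '%s %s port %s FAILED\n' "$1" "$2" "$3"
    fi
}

# run_checks HOST [PORT_LIST] -> resolves HOST, prints one line per port and
# returns the number of FAILED ports (0 means every port was reachable).
run_checks() {
    _host="$1"; _list="${2:-$AM_PORTS}"; _failed=0
    _ip=$(resolve_host "$_host")
    if [ -z "$_ip" ]; then
        printf '%s name resolution FAILED\n' "$_host"
        return 1
    fi
    printf '%s resolves to IP address %s\n' "$_host" "$_ip"
    for _entry in $_list; do
        _line=$(port_status_line "$_host" "${_entry%%:*}" "${_entry##*:}")
        printf '%s\n' "$_line"
        case "$_line" in *FAILED) _failed=$((_failed + 1)) ;; esac
    done
    return "$_failed"
}

# write_report HOST FILE [PORT_LIST] -> appends the check output to FILE and
# tells the operator where to look, as the article's option 3 does.
write_report() {
    _rc=0
    run_checks "$1" "${3:-}" >>"$2" || _rc=$?
    printf 'review the log file %s for results (%d FAILED)\n' "$2" "$_rc"
    return "$_rc"
}

# Stand-alone usage: ./portcheck.sh <am-hostname> [report-file]
# e.g. ./portcheck.sh am86r.securidcsapj.local /tmp/commcheck_$(date +%Y%m%d%H%M).log
if [ $# -gt 0 ]; then
    if [ $# -gt 1 ]; then write_report "$1" "$2"; else run_checks "$1"; fi
fi
```

Because the probe is a plain TCP connect, a FAILED line means only that the three-way handshake did not complete from this host within the timeout; it cannot tell a firewall drop from a service that is not listening, which is why the article pairs the port check with name resolution and ping. A non-zero exit status from run_checks makes the script usable from cron or a monitoring wrapper, so a replication port that stops answering is noticed before replication backlogs do.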