Article Number
000035701
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.1
Platform: Linux
O/S Version: SUSE Enterprise 11 SP3
Issue
The RSA RADIUS Server Operations Console FAILED on a replica instance.
The /opt/rsa/am/server/logs/radiusoc.log on the replica instance reports the following:
####<Nov 1, 2017 9:09:00 PM MDT> <Info> <Management> <app82r> <> <Thread-11> <> <> <> <1509592140062> <BEA-141298> <Could not register with the Administration Server: java.rmi.RemoteException: [Deployer:149150]An IOException occurred while reading the input.; nested exception is:
javax.net.ssl.SSLKeyException: Hostname verification failed: HostnameVerifier=weblogic.security.utils.SSLWLSHostnameVerifier, hostname=app82r.rsa.net.>
####<Nov 1, 2017 9:09:01 PM MDT> <Warning> <Security> <app82r> <> <Thread-10> <> <> <> <1509592141809> <BEA-090504> <Certificate chain received from app82r.rsa.net - 192.168.107.48 failed hostname verification check. Certificate contained app82p.rsa.net but check expected app82r.rsa.net>
Cause
The console certificate activated on the replica instance was issued for the wrong hostname. The log shows the certificate contains the Common Name app82p.rsa.net (the primary instance) while WebLogic expects the replica's own fully-qualified hostname, app82r.rsa.net, so the hostname verification check rejects the certificate chain and the RADIUS Operations Console cannot register with the Administration Server.
Workaround
RSA Authentication Manager does not allow an administrator to activate a new console certificate while the RSA Authentication Manager services are in a FAILED or SHUTDOWN state, and the hostname verification check is what stops those services from starting. The way out is to temporarily disable the hostname verification check in the WebLogic wrapper configuration, start the services, replace the console certificate with one whose Common Name matches the fully-qualified hostname of the instance, and then re-enable the check. Note that while the check is disabled WebLogic accepts any trusted certificate regardless of the hostname it was issued for, which weakens protection against a spoofed peer on the internal management connections; treat the setting as a short-lived maintenance change and revert it as soon as the replacement certificate is active.
Steps
- Log on to the authentication manager instance with the rsaadmin account.
- Change the account privileges with the command : sudo su -
- Navigate to the /opt/rsa/am/server/wrapper using the command : cd /opt/rsa/am/server/wrapper
- Take copies of four configuration files AdminServerWrapper.conf, BiztierServerWrapper.conf, ConsoleServerWrapper.conf & RadiusOCServerWrapper.conf as we are about to make changes to these files e.g. cp AdminServerWrapper.conf AdminServerWrapper.conf.ORIG
- Check the existing value of the "-Dweblogic.security.SSL.ignoreHostnameVerification" parameter in the four configuration files AdminServerWrapper.conf, BiztierServerWrapper.conf, ConsoleServerWrapper.conf & RadiusOCServerWrapper.conf with the command : cat *.conf | grep ignore (the unrelated -Dwrapper.ignore.component.failure line also matches and should be left alone)
Example:
rsaadmin@app82p:/opt/rsa/am/server/wrapper> cat *.conf | grep ignore
wrapper.java.additional.8=-Dweblogic.security.SSL.ignoreHostnameVerification=false
wrapper.java.additional.47=-Dwrapper.ignore.component.failure=true
wrapper.java.additional.8=-Dweblogic.security.SSL.ignoreHostnameVerification=false
wrapper.java.additional.8=-Dweblogic.security.SSL.ignoreHostnameVerification=false
wrapper.java.additional.7=-Dweblogic.security.SSL.ignoreHostnameVerification=false
rsaadmin@app82p:/opt/rsa/am/server/wrapper>
- Change the "-Dweblogic.security.SSL.ignoreHostnameVerification" parameter from false to true in the four configuration files using a command like : sed -i 's/ignoreHostnameVerification=false/ignoreHostnameVerification=true/g' AdminServerWrapper.conf
NOTE: do not forget to make the change to all four files : AdminServerWrapper.conf, BiztierServerWrapper.conf, ConsoleServerWrapper.conf & RadiusOCServerWrapper.conf
- Check the "-Dweblogic.security.SSL.ignoreHostnameVerification" parameter has been changed successfully using the command : cat *.conf | grep ignore
Example:
rsaadmin@app82p:/opt/rsa/am/server/wrapper> cat *.conf | grep ignore
wrapper.java.additional.8=-Dweblogic.security.SSL.ignoreHostnameVerification=true
wrapper.java.additional.47=-Dwrapper.ignore.component.failure=true
wrapper.java.additional.8=-Dweblogic.security.SSL.ignoreHostnameVerification=true
wrapper.java.additional.8=-Dweblogic.security.SSL.ignoreHostnameVerification=true
wrapper.java.additional.7=-Dweblogic.security.SSL.ignoreHostnameVerification=true
rsaadmin@app82p:/opt/rsa/am/server/wrapper>
- Restart the RSA Authentication Manager Services using the command : /opt/rsa/am/server/rsaserv restart all
- If not already done, replace the console certificate: generate a Certificate Signing Request, submit the CSR to a CA and request an SSL server certificate, import the SSL server certificate, and activate the new SSL console certificate. The Common Name (CN) of the new certificate must match the fully-qualified hostname of the authentication manager instance (app82r.rsa.net in the example above).
- Stop the RSA Authentication Manager server using the command : /opt/rsa/am/server/rsaserv stop all
- Revert the changes in the four configuration files so that the "-Dweblogic.security.SSL.ignoreHostnameVerification" parameter is false again e.g. sed -i 's/ignoreHostnameVerification=true/ignoreHostnameVerification=false/g' AdminServerWrapper.conf
- Start the RSA Authentication Manager Services using the command : /opt/rsa/am/server/rsaserv start all
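The procedure above edits the same parameter in four files, once to disable the check and once to revert it, and a file that is missed in either pass leaves the instance either still FAILED or permanently without hostname verification. The script below is an added example, not part of the RSA article or the product: it wraps the edit, the .ORIG backup and the verification in one place, matches on the full parameter name so the -Dwrapper.ignore.component.failure line is never touched, and extracts the two hostnames from a BEA-090504 log line so the CN mismatch can be confirmed before a CSR is raised. The WRAPPER_DIR variable, the command names and the temporary-file edit (used instead of sed -i for portability) are this example's own choices; the file names, parameter and log format come from the article.

```shell
#!/bin/sh
# Added example (not RSA's code): manage the WebLogic hostname verification
# flag in the Authentication Manager wrapper files and read the mismatch
# from radiusoc.log. Run as root on the instance, or point WRAPPER_DIR at a
# scratch copy of the four files to rehearse the change.
set -u

WRAPPER_FILES="AdminServerWrapper.conf BiztierServerWrapper.conf ConsoleServerWrapper.conf RadiusOCServerWrapper.conf"
PARAM="-Dweblogic.security.SSL.ignoreHostnameVerification"

# Print the current value (true/false) of the parameter in one wrapper file.
# Matching the full parameter name avoids the unrelated
# -Dwrapper.ignore.component.failure line that a bare "grep ignore" also hits.
get_flag() {
    sed -n "s/^.*${PARAM}=\([a-z]*\).*$/\1/p" "$1" | head -n 1
}

# Set the parameter to $2 (true|false) in every wrapper file under $1.
# A .ORIG copy is kept the first time each file is touched, and the edit goes
# through a temp file so it also works with a non-GNU sed.
set_flag() {
    dir=$1; want=$2
    case "$want" in
        true|false) ;;
        *) echo "value must be true or false" >&2; return 2 ;;
    esac
    for f in $WRAPPER_FILES; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then echo "missing: $path" >&2; return 1; fi
        if [ ! -f "$path.ORIG" ]; then cp "$path" "$path.ORIG"; fi
        sed "s/\(${PARAM}=\)[a-z]*/\1${want}/" "$path" > "$path.tmp" && mv "$path.tmp" "$path"
    done
}

# Print how many of the wrapper files under $1 currently carry value $2.
count_flag() {
    dir=$1; want=$2; n=0
    for f in $WRAPPER_FILES; do
        if [ "$(get_flag "$dir/$f")" = "$want" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Succeed only when every wrapper file under $1 carries value $2.
verify_flag() {
    total=$(echo $WRAPPER_FILES | wc -w)
    [ "$(count_flag "$1" "$2")" -eq "$total" ]
}

# Put the .ORIG copies back (undo everything this script changed under $1).
restore_orig() {
    for f in $WRAPPER_FILES; do
        if [ -f "$1/$f.ORIG" ]; then cp "$1/$f.ORIG" "$1/$f"; fi
    done
}

# From a radiusoc.log file, print "<CN in certificate> <hostname expected>"
# for each BEA-090504 hostname verification failure.
cert_mismatch() {
    sed -n 's/.*Certificate contained \([^ ]*\) but check expected \([^ >]*\).*/\1 \2/p' "$1"
}

main() {
    dir=${WRAPPER_DIR:-/opt/rsa/am/server/wrapper}
    case "${1:-}" in
        show)
            for f in $WRAPPER_FILES; do echo "$f: $(get_flag "$dir/$f")"; done ;;
        disable-verification)   # ignoreHostnameVerification=true (temporary)
            set_flag "$dir" true && verify_flag "$dir" true ;;
        enable-verification)    # ignoreHostnameVerification=false (normal state)
            set_flag "$dir" false && verify_flag "$dir" false ;;
        mismatch)
            cert_mismatch "${2:-/opt/rsa/am/server/logs/radiusoc.log}" ;;
        *)
            echo "usage: $0 show|disable-verification|enable-verification|mismatch [logfile]  (WRAPPER_DIR=$dir)" >&2
            return 2 ;;
    esac
}

# Only dispatch when invoked with a subcommand, so the file can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Typical use on the replica mirrors the article's steps: `./wrapperflag.sh mismatch` to read which CN the certificate carries, `./wrapperflag.sh disable-verification` followed by `/opt/rsa/am/server/rsaserv restart all`, the certificate replacement, then `/opt/rsa/am/server/rsaserv stop all`, `./wrapperflag.sh enable-verification` and `/opt/rsa/am/server/rsaserv start all`. Because each set_flag call is verified across all four files, a forgotten file fails the command instead of silently leaving the check off.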