This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

VERIFY_ERROR and authentication failure using REST method with RSA Authentication Agent for PAM with RSA Authentication Manager 8.2 SP1 through 8.2 SP1 patch 8

Article Number

000038467

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2.1 to 8.2.1.8

Issue

This article is version-specific and relates only to RSA Authentication Manager servers running 8.2 SP1 (8.2.1) to 8.2.1.8 (8.2 SP1 patch 😎.

This workaround is provided if you are not in a position to immediately upgrade to RSA Authentication Manager 8.3 and above.

 
  • After enabling the DEBUG for the REST protocol, /var/ace/log/mfa_rest.log shows the following error:
2020-01-27 09:58:31,752 [0x7ff38b8ca8c0] INFO (../src/ConnectionHandler/ConnectionHandler.cpp:444) - The response is {"context":{"authnAttemptId":"5d14599e-7fc5-4dd7-8f2d-9b50cffb1d92","messageId":"23579bf8-e892-40fe-b0a3-ea121e889163","inResponseTo":"dd8e69e4-411d-11ea-a362-005056aadaee"}, "credentialValidationResults":[{"methodId":"SECURID","methodResponseCode":"FAIL","methodReasonCode":"VERIFY_ERROR","authnAttributes":[]}], "attemptResponseCode":"FAIL","attemptReasonCode":"VERIFY_ERROR","challengeMethods":{"challenges":[]}}
  • When Configuring Logging, and setting the Trace.log value to Verbose, the error that is shown here is in the /opt/rsa/am/server/logs/imsTrace.log:
2020-02-07 10:08:02,231, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (SecurIDHandler.java:68), trace.com.rsa.authmgr.rest.runtime.SecurIDHandler, INFO, acerest.rsalocal.com,,,,Exception while getting IP Address for the agent 'example.rsatest.local': java.net.UnknownHostException: example.rsatest.local

Cause

  • The REST code was populating the Logical Agent IP to the client IP. Because of this, if the Logical Agent IP is not provided, it resolves to some random IP in the environment.
  • The REST code after RSA Authentication Manager 8.3 and higher retrieves the client IP from the incoming authentication request and populates it in RSA Authentication Manager.

Resolution

Upgrade RSA Authentication Manager server to 8.3 or higher.

Workaround

As a workaround, try the following:
  1. Create an agent using the steps in Deploying an Authentication Agent That Uses the REST Protocol.
  2. Populate the agent with a logical IP address that the RSA Authentication Manager server can resolve.
  3. Provide the agent name to all the REST agents and update /var/ace/conf/mfa_api.properties on the client machine with that information.
  4. Users should now be able to log in to SSH using the REST mode without issue.

Notes

Also verify:
  • The RSA Authentication Agent for PAM that is installed with UDP protocol as an operation method works when the user logs in through SSH.
  • Nothing is observed in the RSA Authentication Manager authentication activity monitor during user authentication.
  • The RSA Authentication Agent 8.0.x for PAM is installed on a supported platform.
  • The RSA Authentication Agent 8.0.x for PAM is installed with REST protocol as an operation method, as shown in bold here:
# :: 0 UDP Protocol
# :: 1 SID REST Service
# :: 2 MFA REST Service
# default value is 0
OPERATION_MODE=1
Tags (79)
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 12:06 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.