This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Web Server certificate verification failed with RSA Authentication Agent 8.0 for Web for Apache

Article Number

000035905

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Web
RSA Version/Condition: 8.x
Platform:  Apache Web Server
 

Issue

The following error is seen in the agent log: 
118-00-03 12:38:23 4294967295.3952.2701068096 [E] error SignatureVerifier.cpp 248 The certificate verification failed
118-00-03 12:38:23 4294967295.3952.2701068096 [V] verbose SignatureVerifier.cpp 258 Leaving validateConfiguration()

 

Cause

A certificate resides inside the sdconf.rec file that is only used for TCP based agent connection.

If, at some point, the RSA Authentication Manager server name changed after its initial deployment, that certificate doesn't change (for backward compatibility) and at that point any new TCP agent when trying to connect it finds that the Authentication Manager server has a different name other than the one in the subject name in the current certificate, thus failing.

Resolution

To fix this issue update the sdconf.rec certificate and then generate a new sdconf.rec file with the new certificate.

To get the certificate and update it

  1. On the primary Authentication Manager server, open Internet Explorer and go to https://<primary hostname >:7002.

Port 7002 is used for communication between an Authentication Manager primary and replica instances and for communication between replica instances (for replay detection).

 
  Image descriptionImage description
  1. Click on the Certificate error.
  2. Choose the top certificate and click View Certificate.
  3. Click the Copy To File... button.
  4. Click Next.
  5. Click Next > again.  Be sure to leave the DER encoding format.
  6. Enter a name to save the DER-encoded root certificate.
  7. Login to the Security Console and select Setup > System Settings.  
  8. Under the heading for Authentication Settings, click Agents.  
  9. On the top left of the page click the link where it says To configure agents using IPv6, click here.
  10. Scroll down to the section on Existing Certificate Details.
  11. Click the button next to Import Certificate of the New Primary Server that is labeled Choose File
  12. A common dialog box will open.  Browse to the saved certificate, select it and click Open
  13. When done, click Update.
  14. Generate a new configuration file (sdconf.rec) for the agent by selecting Access > Authentication Agents > Generate Configuration File > Generate Config File.  
  15. Replace the existing sdconf.rec on the agent with the newly generated sdconf.rec.

Notes

This solution would apply to any TCP-based agent that uses certificates for establishing secure connections.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 01:45 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.