What are the sdconf.rec file contents?
Its function is to tell an agent where and how to send authentication requests.
It has two parts:
a) first section (legacy): UDP agent parameters
Binary information about the primary and replica RSA server list, as well as the specific communication ports and timings to use for native SecurID UDP authentication, and additional Windows agent parameters for auto registration and offline days / Windows password integration. This section is not readable except by RSA agent code.
b) second section: TCP agent specific
Plain-text section containing a certificate used for TCP agents. This section is readable by any text viewer.
Example of my lab sdconf.rec in Notepad++
Example of the same sdconf.rec in an RSA Windows agent reading the first binary section
Example on the RSA server of what else is in the file that can be customized
Example on the RSA server of the certificate-specific info
The reason for asking this question was to check whether the FQDN is also shared, along with the IPs of the primary and replica.
So if the domain name is changing, do we need to generate this file again on the primary and deploy it on each agent machine?
In this case, will there be a new configuration for each agent, e.g. on F5 APM and the Check Point firewall?
It would be helpful if you can clarify the above points.
UDP agents: these go by IP [and the agent is what resolves the IP to the name of the primary and replicas].
Hostname change: no new sdconf.rec; IP address change: yes.
But for a TCP agent, a new sdconf.rec is needed on hostname change; as you can see inside the sdconf.rec certificate section, these are based on names.
In general you should get ready and plan for sdconf.rec replacements when making major changes to the environment, so if you find some 'balky agents' you can quickly replace sdconf.rec as part of troubleshooting.
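As an added illustration (not code from this thread or from RSA), the script below performs the check the replies above imply: it splits an sdconf.rec into the opaque binary section and the plain-text certificate section, decodes the PEM certificate and lists the DNS-style names found in it, so that before a server rename you can see whether the TCP-agent section is tied to the old hostname. The file layout it assumes is only what this thread states (opaque bytes followed by a PEM block); the DER walker is a deliberately small one that handles the string types X.509 names use; and the sample sdconf.rec, with its certificate and the names rsa-primary.lab.example / rsa-replica.lab.example, is constructed for the demo.

```python
"""Inspect the plain-text (TCP agent) section of an sdconf.rec.

Added example, not RSA code. Assumes only what the thread states: the file
starts with an opaque binary section and ends with a plain-text section that
holds a PEM certificate. The sample file built at the bottom is constructed.
"""
import base64
import re
import textwrap

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Universal ASN.1 string tags that carry names in X.509 (CN, O, email, ...)
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String"}
CONSTRUCTED = 0x20      # tag bit 6 set: SEQUENCE, SET, [n] EXPLICIT
OCTET_STRING = 0x04     # extension values are nested DER inside an OCTET STRING
CTX_DNSNAME = 0x82      # GeneralName dNSName = [2] IMPLICIT IA5String (in a SAN)
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$",
    re.I)


def split_sdconf(data: bytes):
    """Return (opaque binary prefix, [DER cert, ...]) for an sdconf.rec."""
    m = PEM_RE.search(data)
    if m is None:
        return data, []
    certs = [base64.b64decode(b"".join(block.split()))
             for block in PEM_RE.findall(data)]
    return data[:m.start()], certs


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos).
    Single-byte tags only, which covers everything an X.509 name uses."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def der_strings(buf: bytes):
    """Collect every readable name string in a DER blob, descending into
    constructed types and into OCTET STRINGs that wrap nested DER."""
    found, pos = [], 0
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        if tag & CONSTRUCTED:
            found.extend(der_strings(body))
        elif tag in STRING_TAGS:
            found.append(body.decode("utf-8", "replace"))
        elif tag == CTX_DNSNAME and all(0x20 <= b < 0x7F for b in body):
            found.append(body.decode("ascii"))
        elif tag == OCTET_STRING:
            try:                           # e.g. the subjectAltName extension value
                found.extend(der_strings(body))
            except (ValueError, IndexError):
                pass                       # plain bytes (e.g. a key identifier)
    return found


def hostnames_in_sdconf(data: bytes):
    """Sorted, de-duplicated DNS-looking names in the certificate section."""
    _, certs = split_sdconf(data)
    return sorted({s for cert in certs for s in der_strings(cert) if HOST_RE.match(s)})


def references_host(data: bytes, host: str) -> bool:
    """True if the TCP-agent certificate section names this host."""
    return host.lower() in {n.lower() for n in hostnames_in_sdconf(data)}


def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder used only to build the constructed sample."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_sdconf() -> bytes:
    """Constructed stand-in for a lab sdconf.rec: opaque bytes, then a PEM
    block whose DER carries a CN and a subjectAltName dNSName (not a full
    certificate, just the name-bearing structures a real one contains)."""
    cn = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03")            # OID 2.5.4.3 = CN
                    + _tlv(0x13, b"rsa-primary.lab.example"))
    name = _tlv(0x30, _tlv(0x31, cn))                      # Name = SEQ { SET { ... } }
    san = _tlv(0x30, _tlv(0x06, b"\x55\x1d\x11")           # OID 2.5.29.17 = SAN
                     + _tlv(0x04, _tlv(0x30, _tlv(CTX_DNSNAME, b"rsa-replica.lab.example"))))
    der = _tlv(0x30, name + san)
    b64 = base64.b64encode(der).decode()
    pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
           + "\n-----END CERTIFICATE-----\n")
    opaque = bytes(range(256)) * 2                         # stands in for the binary UDP section
    return opaque + b"\n" + pem.encode()


if __name__ == "__main__":
    sample = build_sample_sdconf()
    print("names in certificate section:", hostnames_in_sdconf(sample))
    print("tied to old name?", references_host(sample, "old-server.lab.example"))
```

Run it against a real file with `open("sdconf.rec", "rb").read()` in place of the constructed sample; any name it lists is one the TCP-agent certificate depends on, and an empty list on a file that has the PEM section means the names live somewhere this small walker does not reach, so inspect the certificate with a full X.509 tool before concluding the rename is safe.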
Can you please clarify the terms UDP agent and TCP agent?
And can we just replace the sdconf.rec file on each agent in case of a hostname change?
Typically, conventional agents, for example Windows agents / web agents / PAM agents, use UDP port 5500 as the authentication port. For example, if a Windows agent has a typical installation, then there is no action to be taken on the client side if the hostname change is done on the RSA server side.
There are other important things to consider here as well when there is a hostname change, such as agents that are using services such as REST, which uses TCP as the protocol; you also have to consider making changes to the configuration files with the right hostname.
For example, PAM agent using REST / ADFS agent 2.0, etc.
For specifics, you may need to provide us with more details about what type of agents you are using in your environment, and accordingly a recommendation can be made as to when an sdconf.rec file needs redistribution to the client.
Alternatively, you can also open a case with us for further investigation via the link below:
How to open a technical support case via the Case Management portal on RSA Link
Agents being used in our architecture are F5 APM and Check Point SMS.
The F5 APM can be configured as both UDP / TCP.
For Check Point, it may not be affected as it uses a UDP agent or RADIUS.
Hope the above helps.