In the documentation for update am-update-220.127.116.11.0 it says to make sure that port 8443 is open. It isn't. Is this necessary and if so, how do I open it up? Thanks --Nicholas
I've moved your question to the RSA SecurID Access space where it will be seen by the product's support engineers, other customers and partners. Please bookmark this page and use it when you have product-specific questions.
Alternatively, from the RSA Support page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question. From there, scroll to RSA SecurID Access and click Ask A Question. That way your question will appear in the correct space.
It isn't strictly necessary -- during the latter part of the update port 7072 is shut down for a while, and the update progress is presented to your browser on port 8843. The update continues whether or not you are watching, so not having it open doesn't prevent the update from completing. You can still retrieve the update log later if you need it.
You can ask your network/firewall team to open it for you.
Access to this port 8443 is required for real-time status messages when applying Authentication Manager patches and service packs. During a product update, the appliance opens this port in its internal firewall. The appliance closes this port when the update is complete. If an external firewall blocks this port, the browser displays an inaccessible or blank web page, but the update can successfully complete.
The external firewall being referred to is any firewall between the machine from which the Operations Console of AM is accessed to apply the update and the Authentication Manager server itself.
Part of the original question has not been answered. How do you open the port? The answer 'ask your network/firewall team to open it' is not an answer. Providing the command to give on an RSA appliance would be providing the answer.
The problem is context. AM appliances have iptables as internal firewall, which you could manage manually, but your changes would be overwritten with every patch or update to AM. If a port needed to be open for AM to work, our software would make sure it was open, and in this example I believe TCP 8443 is used during new replica deployment during quick setup, so that a replica that is being deployed would automatically open TCP port 8443 during deployment, then close it later. Likewise during patching, at least back in AM 8.1, when a patch was applied AM services were shut down, so the installer created a process on TCP 8443 to run things, again the process would have opened the iptables on the AM system being patched, and closed it when done.
So in context, making sure TCP port 8443 is open refers to any firewalls in between the Admin PC where the browser is running, and the AM servers, including the local Windows Firewall.
Unfortunately the few Knowledge Base, KB articles that give examples of issues with opening port 8443 are not available on RSA Link, so I can't point to any examples you can see. If you did open a case, you could ask the TSE to send you, but here are some details from the two KBs:
17504 | Upgrading Authentication Manager 8.1 patch status/progress page is not displayed, which is a draft
Issue: Upgrading Authentication Manager 8.1 patch status/progress page is not displayed
Cause: Because the patch application process shuts down all RSA services, a temporary service is opened by the installer on port 8443 (and the admin applying the patch is redirected from the OC to this port) so that the progress of the installation may be followed. A proxy server setting/web filter/firewall could be blocking user access to this page.
16401 | Troubleshooting Quick Setup on RSA Authentication Manager 8.x which says it is online but I cannot find it on RSA Link.
* Logon to the local console with the 'rsaadmin' account where the password prior to the quick setup is 'rsaadmin'.
* Change to the super user account (root) with the command 'sudo su - root', where the password is the same as the 'rsaadmin' account.
* Look for a listening port 8443 using the command 'netstat -ano | grep 443'.
NOTE: The Quick Setup application is deployed via port 8443 however to use the Quick Setup an administrator would use https://<IP_address>
tcp 0 0 ::1:7443 :::* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.2:7443 :::* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:7443 :::* LISTEN off (0.00/0/0)
tcp 0 0 fe80::250:56ff:feb:7443 :::* LISTEN off (0.00/0/0)
tcp 0 0 10.32.28.39:7443 :::* LISTEN off (0.00/0/0)
tcp 0 0 ::1:8443 :::* LISTEN off (0.00/0/0)
tcp 0 0 10.32.28.39:8443 :::* LISTEN off (0.00/0/0)
tcp 0 0 fe80::250:56ff:feb:8443 :::* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:8443 :::* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.2:8443 :::* LISTEN off (0.00/0/0)
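An added example, not part of the post above and not RSA tooling: the 'grep 443' filter also matches 7443, so this sketch parses 'netstat -ano' output for an exact port and reports whether the temporary listener is bound to a routable address or to loopback only. The function name and its three result strings are hypothetical.

```shell
#!/bin/sh
# Added example: classify listeners for one TCP port from `netstat -ano` output.
# classify_listener and its result strings are hypothetical names.

# Reads netstat output on stdin; prints "routable", "loopback-only" or "none".
classify_listener() {
    awk -v want="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # Local address is field 4; the port follows the last colon,
            # which also handles IPv6 forms such as ::1:8443.
            n = split($4, part, ":")
            if (part[n] != want) next          # exact match: 7443 is not 8443
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr ~ /^127\./ || addr == "::1") loop++
            else routable++
        }
        END {
            if (routable) print "routable"
            else if (loop) print "loopback-only"
            else print "none"
        }'
}

# Sample lines taken from the netstat output quoted above.
SAMPLE='tcp 0 0 ::1:7443 :::* LISTEN off (0.00/0/0)
tcp 0 0 10.32.28.39:7443 :::* LISTEN off (0.00/0/0)
tcp 0 0 ::1:8443 :::* LISTEN off (0.00/0/0)
tcp 0 0 10.32.28.39:8443 :::* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:8443 :::* LISTEN off (0.00/0/0)'

# Constructed line: a listener bound to loopback only.
LOOPBACK_ONLY='tcp 0 0 127.0.0.1:8443 :::* LISTEN off (0.00/0/0)'

printf '%s\n' "$SAMPLE" | classify_listener 8443
```

On the appliance the live form would be 'netstat -ano | classify_listener 8443'. A "routable" result with a blank progress page in the browser points at a firewall or proxy between the admin PC and the AM server rather than at the appliance.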
I have a request open now dealing with a replica failing to pass the pre checks for promotion. The response from RSA was to check that a bunch of ports were open. Seemed a strange thing to check on an RSA appliance, you'd think that the ports that need to be open would already be open. Still on that request after responding that all the mentioned ports were open.
Which precondition failed? Unless someone has reconfigured the appliance, the ports required are already open on the appliance; the pre-promotion port check, like with patches, is to test that the other host (if you are promoting for maintenance) is reachable on the needed port. If it is not, then you have a routing or firewall issue that is outside the scope of changes to the appliance.
When you promote a replica for Maintenance, that replica needs to open a TLS connection to the original Primary so that it can copy over the logs. In order to build a TLS connection, certificates are involved and ports need to be open. The replica should have some good log message to help figure this out.