Steven Spicer

Apache Web Agent on RHEL 7.6 New PIN and Next Tokencode modes

Discussion created by Steven Spicer Employee on Sep 9, 2019

With the Apache Web Agent 8.0.2 protecting Apache 2.4.x installed on RHEL 7.6 talking to AM8.4 p2, we see (at a customer) NEW PIN and Next Tokencode resulting in the error

103: Response to the New PIN Request took too long. Please try again.

when using the agent's auth page. If the token has a PIN set and is not in NTC, everything works fine. The permissions on the /var/ace directory and its contents are correct, but SELinux is set to "enforcing". Could that be the problem? I haven't tracked down the right people yet to get it turned off or altered to test this hypothesis. UPDATE: Their SELinux guy showed me that the Apache processes were all running "unconfined" and therefore ignoring any SELinux constraints.

 

And yes, I've checked out articles 000031173 and 000016606.

 

UPDATE: Ah -- they are using their own build of Apache.
