rfbruce
Contributor

vCenter integration Problem

So I would open a support case for this, but I'm currently waiting on those above me to renew our support, as they let it lapse.

Products

RSA AM 8.4 P13
vCenter 6.7 U3m

Anyway, here is what I have going on. Trying to get RSA and my VMware vCenter working correctly. Both are connected to Active Directory via LDAPS. RSA SecurID is enabled on the vCenter. I've uploaded my sdconf.rec file, had to manually make an sdopts.rec file and made a securid directory on the vCenter server. However, I appear to be running into a certificate-related error.

Attached is the log data from /var/log/vmware/sso/rsa_securid.log from my vCenter server concerning the problem.

I did find this article which has similar errors that I'm seeing, https://community.rsa.com/t5/rsa-securid-access-knowledge/test-connection-fails-to-rsa-securid-access-authentication/ta-p/4288

RSA authentication works on my Windows devices just fine. The only difference in terms of files added is that Windows needed the server.cer file downloaded from RSA Authentication Manager during setup of the agent. Nslookup / ping work perfectly fine between the RSA and vCenter for the IP and hostname.

Any ideas on how to resolve the issue?
I've followed VMware's guidance related to setup of SecurID, just to clarify.


Accepted Solutions
rfbruce
Contributor

So by going over the article https://community.rsa.com/t5/rsa-securid-access-knowledge/test-connection-fails-to-rsa-securid-access-authentication/ta-p/4288 again, this article did resolve my problem.


The RSA AM has 2 default server certificates. One is active and the backup is inactive.
Opened up the sdconf.rec file and took a look at the certificate listed there in the file. The certificate that issued the sdconf.rec certificate was the root certificate for the inactive backup server certificate.
In Google Chrome, opened up my RSA AM web GUI. Checked the certificates for that, and the root certificate was the signer certificate for the active RSA server cert. So downloaded a DER-encoded certificate of the root.
In RSA, following step 9 / 10 in the article, the existing certificate details were listing the root certificate for the inactive backup server cert. So updated that certificate with the active server root certificate.
Grabbed a new sdconf.rec file, uploaded that to my vCenter, and RSA authentication with SecurID works.

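The check at the heart of the accepted solution above (which root actually issued the server certificate in use), as an added example that is not part of the original post or of RSA's or VMware's documentation. It builds two throwaway roots as constructed stand-ins for the active and inactive backup roots and does not read sdconf.rec; the file names and the functions `make_lab`, `root_signs_cert` and `which_root` are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed lab: two self-signed roots stand in for the roots of the active
# and the inactive backup server certificates. No RSA AM or sdconf.rec data is read.
make_lab() {
    d=$1
    for ca in active backup; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=lab-$ca-root" \
            -keyout "$d/$ca-root.key" -out "$d/$ca-root.pem" 2>/dev/null
        # Roots exported from a browser are often DER (.cer), as in the thread.
        openssl x509 -in "$d/$ca-root.pem" -outform DER -out "$d/$ca-root.cer"
    done
    # Server certificate issued by the "active" root only.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=am.lab.example" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -days 2 \
        -CA "$d/active-root.pem" -CAkey "$d/active-root.key" \
        -CAcreateserial -out "$d/server.pem" 2>/dev/null
}

# Exit 0 only if the DER root ($1) is a valid trust anchor for the PEM cert ($2).
root_signs_cert() {
    tmp=$(mktemp) || return 2
    openssl x509 -inform DER -in "$1" -out "$tmp" 2>/dev/null &&
        openssl verify -CAfile "$tmp" "$2" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Print the first candidate root (DER files, $2...) that anchors the cert ($1).
which_root() {
    cert=$1; shift
    for r in "$@"; do
        if root_signs_cert "$r" "$cert"; then
            basename "$r"
            return 0
        fi
    done
    return 1
}

lab=$(mktemp -d)
make_lab "$lab"
echo "server.pem chains to: $(which_root "$lab/server.pem" \
    "$lab/backup-root.cer" "$lab/active-root.cer")"
rm -rf "$lab"
```

Against a real deployment, the inputs to `root_signs_cert` would be the DER root exported from the browser and the server certificate saved as PEM.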
3 Replies
HassanMehsen
Respected Contributor

Have you created an agent record in RSA for VCenter PSC?


I did. It's set up as a standard agent; resolve hostname and resolve IP address both work as well. Although since no login has occurred, there isn't a node secret built yet.
