- a1273 | How to reindex RSA ACE/Server databases
- a17946 | How to generate or push a Replica Package to one UNIX Replica at a time manually
- Instructions for rebuilding the replica table and creating a functional replica:
- a57342 | A more concise guide to updating Authentication Manager 7.1 passwords
- a51679 | AM 7.1.2- Replica Radius server Configuration Failure -debug-
- a52896 | Unable to configure Radius on Replica server
- a36043 | Authentication Manager 7.1 startup fails
- a41725 | How to synchronize RSA SecurID tokens in RSA Authentication Manager 7.1
- a48755 | How to connect to sqlplus to run a custom query or SQL query
- a50886 | Moving pre-RSA Authentication Manager 7.1 SP2 data on a UNIX platform
- a52398 | Agent does not auto-register with the RSA Authentication Manager
- a48654 | RADIUS migration from Authentication Manager 6.1 to Authentication Manager 7.1 SP2
- a41394 | Problem migrating 6.1 database to Authentication Manager 7.1
- a42841 | 7.1: Unable to promote a replica radius server to be a primary using disaster recover method
- a42294 | RSA RADIUS 7.1 replication not working after replica installation
- a45224 | RSA Authentication Manager 7.1 replica RADIUS server does not authenticate when the primary server is down
- a45223 | RSA authentication agent authenticating only to the Authentication Manager 7.1 primary
- a42378 | RADIUS authentication test with RSA RADIUS 7.1
- a42294 | RSA RADIUS 7.1 replication not working after replica installation
- a40226 | Replica Authentication Manager and Radius servers installs fail
Error: "Trigerror:tus_del.p Dependent SDToken record exists."
Also, ensure you have a backup of the ACE/Server before you make any changes to the data. One way to backup your data is to use the 'sddump' utility. Read the Administration Guide for further information on this utility.
Procedure for Microsoft Windows:
1. Click Start Menu > Settings > Control Panel
2. Click the ACE/Server icon and click the Stop button
3. Back up the ACE/Server database using:
sddump, select server database
or
back up the contents of the ace\data directory
4. Open up a Command Prompt window and enter the following command lines:
C:\> cd ace\rdbms32\bin
C:\ACE\rdbms32\bin\> _proutil ../../data/sdserv -C idxbuild all
Procedure for UNIX:
1. Change directory to the ACEPROG directory (cd /path/ace/prog)
2. Stop the Authentication engine - 'aceserver stop'
3. Stop the Database Broker - 'sdconnect stop'
4. Ensure their are no processes running - 'ps- ef | grep ace'
5. Backup the ACE/Server database:
'sddump -s'
6. From the UNIX prompt as superuser (root) assuming the PATH to the ACE directory is '/apps/SecurID':
{root} > cd /apps/SecurID/ace/rdbms/bin
{root} > ./proutil ../../data/sdserv -C idxbuild all
a17946 | How to generate or push a Replica Package to one UNIX Replica at a time manually
/.../ace/prog/sdadmin > System > Edit System Parameters > Allow Push DB Assisted Recovery ...will either be checked or unchecked. When checked, the Primary will 'deliver' the Replica Package to the Replica when both hosts are brought online. Unchecked and the admin will need to 'deliver' the Replica Package to the Replica.
The simpler, safer approach is to disable DB Push.
The process if 'Allow DB Push' is disabled:
1) Log into sdadmin
a. You must be logged in as an ACE admin
b. ‘cd /…/ace/prog’
c. ‘./sdadmin'
a. System Parameters > Edit System Parameters > Un-Check ‘Allow DB Push Assisted Recovery’
a. ‘cd /…/ace/prog’
b. ‘./aceserver stop’
c. ‘./sdconnect shutdown’
a. ‘./sdsetup –package’
d. Specify the Replica that you will generate this replica package for.
e. Optionally verify that your ‘sdrepnodes.txt’ was built correctly
i. ‘cd /…/ace/data/replica_package/license’
ii. ‘more sdrepnodes.txt’
iii. You should the name of all the Replica servers that you specified…as well as some Seq Numbers and Port Names/Numbers
6) Restart Primary Services
a. ‘cd /…/ace/prog’
b. ‘./sdconnect start’
c. ‘./aceserver start’
7) Stop the Replica Server.
a. ‘cd /…/ace/prog’
b. ‘./aceserver stop’
c. ‘./sdconnect shutdown’
a. Apply the replica package
i. ‘cd /…/ace/prog’
ii. ‘./sdsetup -apply_package pathname’
iii. ‘./sdinfo | more’1. You should see that the field ‘PRIMARY ACE SERVER’ reflects the hostname of the Primary ACE/Server.
2. You should see that the field ‘THIS SERVER’ reflects the hostname of the Replica ACE/Server.
a. ‘cd /…/ace/prog’
b. ‘./sdconnect start’
c. Open a real-time activity log on the Primary
i. Open another session to the host
ii. ‘cd /…/ace/prog’
iii. ‘./sdlogmon –t’
iv. Go back to your original session and continue with the Primary startup.
d. ‘./aceserver start’
e. We should begin to see messages in both the Primary and that particular Replica logs that the two connect.
At this time, you should be sure that your Sequence numbers are the same on both of those machines…with an ‘./sdrepmgmt list’ on both hosts.
~~~~~~~~~~~~~~~~~~~~~~~~
1) Log into sdadmin
a. You must be logged in as an ACE admin
b. ‘cd /…/ace/prog’
c. ‘./sdadmin
a. System Parameters > Edit System Parameters > Check ‘Allow DB Push Assisted Recovery’
a. ‘cd /…/ace/prog’
b. ‘./aceserver stop’
c. ‘./sdconnect shutdown’
a. ‘./sdsetup –package’ from the /…/ace/prog directory
b. Specify the Replica to generate the package for.
c. Let’s verify that your ‘sdrepnodes.txt’ was built correctly
i. ‘cd /…/ace/data/replica_package/license’
ii. ‘more sdrepnodes.txt’
iii. You should see the names of all the Replica servers that you specified…as well as some Seq Numbers and Port Names/Numbers
a. ‘cd /…/ace/prog’
b. ‘./sdconnect start’
c. Open a realtime activity log on the Primary
i. Open another session to the host
ii. ‘cd /…/ace/prog’
iii. ‘./sdlogmon –t’
iv. Go back to your original session and continue with the Primary startup.
d. ‘./aceserver start’
e. The Push will initiate…with the 1st Replica that it comes to in its list that does require a push…meaning that the Push does not start simultaneously. The Startup interval (in the output of the command ‘/…/ace/prog/sdrepmgmt list’) controls when the Replica will ‘awaken’ and establish its connection to the Primary. Once this connection occurs, the Primary will begin the DB Push to that Replica…IF that Replica appears in the sdrepnodes.txt file.
a. On the Replica(s) receiving the DB Push
i. You should notice with a ‘ps –ef | grep _ace’ command, that the ‘_aceserver_fe’ process is down. The Replica will make its connection…see that it requires a Push from the Primary…then signal itself to shutdown.
ii. ‘cd /…/ace/data’
iii. You should see a directory called replica_package…if you were to ‘cd’ into this directory, you will notice the sdserv.* files will appear and the file sizes will begin to grow. Use ‘ls –l’ or something similar to watch the file sizes. Upon completion of the push, these sdserv.* files will be copied from this current directory and straight into /…/ace/data.
iv. Your Replica will start back up and re-connect with the Primary.
a. ‘./sdrepmgmt list’ on both the Primary and the corresponding Replica should show matching sequence #’s.
----
Instructions for rebuilding the replica table and creating a functional replica:
On the primary
stop the server.
"path"/ace/prog/aceserver stop
"path"/ace/prog/sdconnect shutdown
dump the database (this is to restore the db back)
"path"/ace/prog/sddump -s
"path"/ace/prog/sddump -l
"path"/ace/prog/sdnewdb all (cleans out the db including the replica table)
answer y,n,y,n
"path"/ace/prog/sdrepmgmt add
enter the name of the primary server, then take all the defaults.
"path"/ace/prog/sdrepmgmt add
enter the name of the replica server, then take all defaults.
"path"/ace/prog/sdrepmgmt list
note the service ports and names... are they securidprop_00 and securidprop_01? Do they use 5505 and 5506? If not the services file is likely not correct on the primary. Change /etc/services and start over.
"path"/ace/prog/sdload -s -m
"path"/ace/prog/sdload -l
rm -r "path"/ace/data/replica_package
Start the primary with "path"/ace/prog/sdconnect start and "path"/ace/prog/aceserver start.
Run database administration and turn off the automatic db push:
"path"/ace/prog/sdadmin
[System]
[Edit System Parameters]
Uncheck the "Allow Push DB Assisted Recovery"
Stop the primary with "path"/ace/prog/aceserver stop and "path"/ace/prog/sdconnect shutdown.
"path"/ace/prog/sdsetup -package (specify the replica server name. This will create a "path"/ace/data/replica_package directory)
cd "path"/ace/data/replica_package
tar -cvrf my_replica_package replica_package
ftp in BIN mode the my_replica_package file to a temp directory on the replica server.
Start the primary with "path"/ace/prog/sdconnect start and "path"/ace/prog/aceserver start. Move on to the replica.
On the replica.
rm -r "path"/ace
cd to the temp directory from above.
tar -xvf my_replica_package
go into the replica_package/license directory thats created.
Run the install script from there.
/cdrom/as501061/aceserv/OS/sdsetup -replica
When the install asks for the replica package directory give the path to the replica_package directory you just untar'd, let the install complete.
Ignore all error messages that scroll by at the end of the install... as long as you are confident that all was done right. Double check what you've done.
Bring up the replica with "path"/ace/prog/sdconnect start and "path"/ace/prog/aceserver start. Test.
"path"/ace/prog/sdtestauth
------
Working directories when using the rsautil command:
Windows - cd C:\Program Files\RSA Security\RSA Authentication Manager\utils
Appliance 3.0 - cd /usr/local/RSASecurity/ RSA Authentication Manager/utils/usr/local/RSASecurity/ RSA Authentication Manager/utils/etc/systemfields.properties
ConfigUtil configure update - ../radiusoc/utils/etc/systemfields.properties
Note: Changing any one of these passwords does not change the others. Each of the Password Values and user names are independent.
Unexpected Failure in configuring Radius Server
since AM 7.1 Master and SuperAdmin Passwords are not unecoded, it is best to avoid the following special characters &()[]{}^=;!'+,`$"#<>\|, for full list of invalid characters for AM 7.1 password, please refer to below document. For other allowed special characters, you could try placing quotes "" around the password.
A) How to reset an unknown Master Password when you know the Operations Console Admin Password
1. On an RSA Appliance, SSH with the emcsrv account and the Operating System Password created during install, if on a Server skip to step 3
2. sudo su rsaadmin (enter Operating SystemPassword again)
3. (start here if AM 7.1 not Appliance) cd to “RSA_AM_HOME”/utils
4. rsautil manage-secrets -u <Operations console Admin User> -p <Operations Console Password> -a change –N <new master password>
2. sudo su rsaadmin (enter Operating SystemPassword again)
3. (start here if AM 7.1 not Appliance) cd to “RSA_AM_HOME”/utils
4. rsautil manage-secrets -u <Operations console Admin User> -p <Operations Console Password> -a change –N <new master password>
for example: rsautil manage-secrets -u RSAAdmin -p P@ssw0rd! -a change –N P@ssw0rd!
6. Operations Console Password and MasterPassword can be the same - Note, in this example the Operations Console Admin user name is CASE SENSITIVEIf you know the current Master Password, and want to change it, you can use
rsautil manage-secrets --a change -n new_password
Master Password: <Current Master Password>B) If you have RADIUS you must update the RADIUS MASTER PASSWORD after changing the Master Password
change directories to RSA_AM_HOME/config/.
configUtil configure util-config updateAdmin -R master.password=new_master_password -R superadmin.username=new_superadmin_username -R superadmin.password=new_super_admin_password
new_master_password is the new master password.
new_super_admin_user_name is the new Super Admin user name
C) You must reload all Operations Console Admins 1x a time after changing the Master Password
./rsautil manage-oc-administrators -a reload
SuperAdmin: <name of Ops console Admin>SuperAdmin Password: <Ops console Admin password>
===============================================================================================
In this example the Admin will be called “tempAdmin”. You do this from the Operating System, so cd to “RSA_AM_HOME”/utils
either C:\Program files\RSA Security\RSA Authentication Manager\utils in Windows
or /usr/local/RSASecurity/ RSA Authentication Manager/utils in Linux
a. Rsautil restore-admin –u tempAdmin –p <Temp Password for tempAdmin>
b. Enter Master Password: Note: if this fails we need to reset Master Password, see A)
c. A tempory admin will be created with user ID ‘tempAdmin’
d. Are you sure you want to continue (Y/N) Y
e. Admin created successfully
Login to Security console (within 24 hours or this account will be expired) then Navigate to Identity -> Users -> Manage Existing. Search for your admin to Security console who needs their password reset, from context menu select Edit, change Password and Save.===============================================================================================
E) How to Change the password for the admin who logs on to the Operations Console
rsautil manage-oc-administrators -a list
Note: the Operations Console Admin user name is CASE SENSITIVE list Admin names to check exact spelling
rsautil manage-oc-administrator -a update
Super Administrator's name: tempAdmin
Super Administrator's password: ************
Enter User Name: admin
Enter User Password: ************
Confirm User Password: ************
User 'admin' updated successfully Or if you need to create a new Operations Console Admin use rsautil manage-oc-administrators -a create and follow the same prompts
Note: Takes up to 15 minutes to replicate the systemfields.properties file OOB. If OOB does not push OC Admin Password to Replica, you may need to Detach and Re-attach
https://knowledge.rsasecurity.com/docs/rsa_securid/rsa_auth_mgr/71sp4p2/auth_manager_SP4_p2_readme.pdf
For other allowed special characters, you may need to put "quotes" around your password, especially in Linux, to prevent the Command line from trying to interpret your password special characters.
RSA Authentication Manager 7.1 Servers have two main login accounts and three main passwords:
1. The Super Admin account is used to login to the RSA Security Console on port 7004. This account is stored in the Internal Database
2. The Operations Console Admin account is used to login to the Operations Console on port 7072. This account is store in a system file
3. The Master Password, is used at the command prompt with the rsautil command
An RSA Appliance has these same two accounts and three Passwords, and has an operating system account called emcsrv
When you setup an AM 7.1 Server or Appliance 3.0, you are asked to provide a Super Admin Account and Password. You are creating these two accounts and three passwords from that one Super Admin account and Password.
1. The Super Admin account is replicated to all Replicas through In-Band Replication
2. The Operations Console Admin account is replicated to all Replicas through Out Of Band, OOB Replication
3. The Master Password is not replicated, if you change it on the Primary, you must change it on the Replicas to keep it in synch
a. When you change or reset the Master Password, you must also reset the Radius Master Password and update the Operations Console
If you know at least one of these Accounts or Passwords, you can reset or recover the other two. KB Solution a57342 details the instructions
1. You can create a temporary Super Admin account to gain access to the Security Console if you know the Master Password - Fix D) above
2. You can manage Operations Console Admin accounts if you know a Super Admin user and password - Fix E) above
3. You can reset the Master Password if you know an Operations Console Admin Account user and password - Fix A) above
Reset the Radius Master Password if you have RADIUS - Fix B) and update the Operations Console - Fix C) above
reveal radius shared secret reveal radius secret debug radius secret
Caused by: com.rsa.installfwrk.common.command.exception.CommandException: RemoteCommand: Unable to initialize IMSCommandProxy
com.rsa.installfwrk.config.exception.ConfigurationException: Configuration Failed at com.rsa.installfwrk.config.ConfigUtil.main(ConfigUtil.java:38)
Caused by: com.rsa.installfwrk.config.exception.ConfigurationException: Failed configuration command execution
In some cases, when configuring the replica Radius server you will get the following:
Successfully configured RADIUS server
RADIUS Server Properties
Name: yourserver.FQDN
Type:
Status:
Note: The TYPE and STATUS will be blank where are in a successful configuration you will see the actual TYPE and STATUS of the radius server you configured.
Check the RSA_HOME/install/logs/config/ConfigureRadiusTrace.log the following exception:
ERROR - Failed configuration command execution
com.rsa.installfwrk.config.exception.ConfigurationException: Failed configuration command execution
at com.rsa.installfwrk.config.ConfigEngine.execute(ConfigEngine.java:223)
at com.rsa.installfwrk.config.ConfigUtil.runConfig(ConfigUtil.java:53)
......
at weblogic.rmi.internal.BasicServerRef$BasicExecuteRequest.run(BasicServerRef.java:1016)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
at weblogic.work.ExecuteThread.run(ExecuteThread
com.rsa.installfwrk.config.exception.ConfigurationException: Failed configuration command execution
at com.rsa.installfwrk.config.ConfigEngine.execute(ConfigEngine.java:223)
at com.rsa.installfwrk.config.ConfigUtil.runConfig(ConfigUtil.java:53)
......
at weblogic.rmi.internal.BasicServerRef$BasicExecuteRequest.run(BasicServerRef.java:1016)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
at weblogic.work.ExecuteThread.run(ExecuteThread
There are 1 nested errors: weblogic.management.configuration.ConfigurationException: D:\Program Files\RSA Security\RSA Authentication Manager\radiusoc\config\config.xml not found
<Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN> [Mon Apr 16 18:10:53 2012] [I] [ExitHandler] Fire (-1)
<Server state changed to FAILED>
You will need a debug utility to read the actual replication secret used when the Primary Radius server was configured. Call RSA Customer Support at 800-995-5095 to get the Debug utilities.
- Copy the "debug" folder in the RSA_HOME/config directory.
- On the Primary server, from a command line cd to the RSA_HOME/config directory and run the following command
For Windows: configutil configure debug rsa.radius.server.secret
For Unix/Linux: ./configUtil.sh configure debug rsa.radius.server.secret (Note: make sure that the proper permissions are set on the debug folder)
The outcome will finish with the following:
rsa.radius.server.secret=[rsa123]
Configuration complete
Exiting...
Exiting...
The replication secret used to configure the Primary Radius server is [rsa123] without the brackets. Use the replication secret from the debug output to configure the replica Radius server.
From CMD prompt, cd RSA_HOME
cd utils
rsautil manage-secrets -a recover
Master Password:
cd ..\radiusoc\utils
rsautil manage-secrets -a recover
Radius Master Password: (should be same as Master Password. We might even hit a problem with special characters.)
Next Rebalance Agent Hosts, if that does not fix,
Next try debug from Cause above Last try Risky fix before re-install SP4:
a42984
From a Command prompt
1. cd RSA_Home\config
2. configutil unconfigure radius
3. <confirm that RSA RADIUS OC service is no longer in Windows Services>
4. configutil configure radius
5. <wait - until RSA RADIUS OC Service shows in Services>
6. May not need to do the rest of this:
7. Mark/Select the output from configure radius command, paste into Wordpad, search for RADIUS OS user
8. The line will look something like this: RADIUS OS user RadiusQwFKXOva has password y9Ml13jahi-$$,
a. carefully select and copy the 14 character password, including any commas, e.g. y9Ml13jahi-$$,
b. Got to Windows Computer Management - Users, find Radius User, e.g. RadiusQwFKXOva, and Click set Password. Paste in y9Ml13jahi-$$,
9. Try Operations Console - RADIUS - Manage Existing. If none, try RADIUS - Configure Server
If this does not work, un-install and re-install AM 7.1 SP4 and patches
C:\Program Files\RSA Security\RSA Authentication Manager\imsoc\logs\ops-console.log
@@@2010-11-14 09:00:19,526 ERROR [[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] GUILog.traceException(587) | exception: javax.naming.NameNotFoundException: Unable to resolve 'ejb.CommandServerSSLClientAuth'. Resolved 'ejb' [Root exception is javax.naming.NameNotFoundException: Unable to resolve 'ejb.CommandServerSSLClientAuth'. Resolved 'ejb']; remaining name 'CommandServerSSLClientAuth' at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:217)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:338)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:252)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:338)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:252)
login as: emcsrv
emcsrv@cs-appliance3-05.na.rsa.net's password: <enter OS user password>
Last login: Thu Jun 14 14:13:58 2012 from 10.100.41.49
-bash-3.00$ sudo su - rsaadmin
Password: <enter OS user password>
-bash-3.00$ cd /usr/local/RSASecurity/RSAAuthenticationManager/server
-bash-3.00$ ./rsaam stop radiusoc
RSA RADIUS Operations Console: [ OK ]
-bash-3.00$ ./rsaam start radiusoc
RSA RADIUS Operations Console:/usr/bin/nohup: appending output to `nohup.out'
[ OK ]
-bash-3.00$
C:\> cd C:\Program Files\RSA Security\RSA Authentication Manager\server
C:\> rsaam stop radiusoc
RSA RADIUS Operations Console: [ OK ]
C:\> rsaam start radiusoc
RSA RADIUS Operations Console:/usr/bin/nohup: appending output to `nohup.out'
[ OK ]
C:>
at com.rsa.ims.security.keymanager.sys.PropertiesLoader.a(PropertiesLoader.java:72)
at com.rsa.ims.security.keymanager.sys.PropertiesLoader.loadFields(PropertiesLoader.java:201)
RSA Authentication Manager is designed to allow for hardware alterations and this simply requires the administrator to reset the encrypted file store.
Restore the system fingerprint by stopping the RSA Authentication Manager Server (rsaam stop) then running rsautil manage-secrets -a recover command from the utils directory. For example:
Linux:
# ./rsautil manage-secrets -a recover
Enter Master Password:********
Machine fingerprint restored successfully.
#
Appliance:
SSH with emcsrv user
password: <OS Password>
sudo su -
password: <OS Password>
# ./rsautil manage-secrets -a recover
Enter Master Password:********
Machine fingerprint restored successfully.
#
Windows:
C:\Program Files\RSA Security\RSA Authentication Manager\server\utils> rsautils manage-secrets -a recover
Enter Master Password:********
Machine fingerprint restored successfully.
C:\Program Files\RSA Security\RSA Authentication Manager\server\utils> rsautils manage-secrets -a recover
You should then be able to start the server although a complete server restart is most appropriate to ensure a smooth startup of all services.
----------------
If system clock drift is an issue, see the following solutions first:
- solution a49766 on how to start the NTP service automatically when the Appliance is rebooted
- solution a44785 on how to change or set the date, time, time zone, or NTP server settings on an RSA SecurID Appliance after it has been set up
To synchronize all tokens in RSA Authentication Manager 7.1: 1.
- (Appliances only) Do the following:a. Connect to the Appliance using the console or an SSH client. (For remote access using an SSH client, verify in the RSA Operations Console that the Appliance is enabled for SSH connectivity.)
b. Log on using the emcsrv account and the Operating System password.
c. Switch users to root. Run:
sudo su
When prompted, enter the Operating System password.
d. Switch users to rsaadmin. Run:
su rsaadmin
e. Set the current directory to the folder that contains the RSA utilities. Run:
cd /usr/local/RSASecurity/RSAAuthenticationManager/utils
f. Set the environmental variables. Run:
. ./rsaenv
Note: This command begins with a period, space, period, and forward slash. - Set the correct time on the RSA Authentication Manager server.
- Synchronize the tokens:a. (Recommended) Create a text file where you can write output from the command, for example, c:\sync.txt. On the Appliance, a convenient location is /tmp/sync.txt.
b. Open a command prompt, and set the current directory to RSA_HOME/utils where RSA_HOME is the RSA installation path.
c. Run the RSA Synchronize Tokens utility using one of the following commands:Windows:
rsautil sync-tokens -I
Appliance and UNIX-based systems:
./ rsautil sync-tokens -I
(Run this command as rsaadmin.)
The -I option runs the utility in interactive mode so that the system prompts you to configure options for the sync token job.
Note: To see all the options for this utility, run:
rsautil sync-tokens ?
d. Follow the prompts to synchronize tokens. Set the token offset to 0, and reset the Next Tokencode Mode.
Note: RSA recommends running the command in list mode first so that you can see the current state of the token database and offsets. (You can include list mode as an option, or select it in interactive mode.) If the output file size is 0, check the batch job results and look for a batch job related to sync-tokens. If you run the sync-tokens utility in list mode and it does not produce any output, you might need to run identity source cleanup first.
e. When the job completes, review the output file if you specified one, and test a token.
Command output example
The following example shows the command being run in list mode on Windows on the entire token database. Consider that the sync-tokens utility has many options and capabilities that are not all shown in this example.
------------------------------------------------------------------------
C:\Program Files\RSA Security\RSA Authentication Manager\utils>rsautil sync-tokens -I
Authenticator Bulk Synchronization Utility am-7.1.0-build20080715085805
Copyright (C) 2008 RSA Security Inc. All rights reserved.
Enter the absolute path for the output report file : c:\sync.txt
Enter the base security domain name for recursive search [(none)]: none
Enter the type of token selection [ (all) | file ]: all
Choose a token filter [ assigned | unassigned | (both) ]: both
What action do you wish to perform? [ (list) | modify ]: modify
Enter type of clock offset value [ absolute | relative | (none)]: absolute
Enter clock offset value [0]: 0
Do you want to reset the Next Tokencode Mode? [ y/n ]: y
Do you want to reset the last login date and time? [ y/n ]: n
Do you want to clear user lockout information? [ y/n ]: y
Enter administrator user ID : admin
Enter administrative password : ***********
Authenticator Bulk Synchronization Utility am-7.1.0-build20080715085805
Copyright (C) 2008 RSA Security Inc. All rights reserved.
Started job on Wed Aug 20 10:19:51 EDT 2008 with ID = ims.e07c584ba263650a018d923bd0ac085d
C:\Program Files\RSA Security\RSA Authentication Manager\utils> ------------------------------------------------------------------------
Output file example
The following example shows the output file c:\sync.txt.
------------------------------------------------------------------------
# Authenticator Bulk Synchronization Utility
# (c) 2005-2006 RSA Security Inc.
#
# THIS FILE COULD BE USED AS A SOURCE OF TOKEN SERIAL NUMBERS.
#
# EACH SERIAL NUMBER MUST BE 12 DIGITS IN LENGTH.
#
# SERIAL NUMBERS LESS THAN 12 DIGITS MUST BE PREFIXED WITH ZEROS
# IN ORDER TO MEET THIS LENGTH REQUIREMENT.
# # UPDATING Token Data [Wed Aug 20 10:59:13 EDT 2008]
#
# Token Clock Next Tokencode Last Login Principal Security
# Serial Number Offset Mode Status Date/Time Lockout Status Domain
000032388427 0 false None <unassigned> SystemDomain
000032388428 0 false None <unassigned> SystemDomain
000032388429 0 false None <unassigned> SystemDomain
000032388430 0 false None <unassigned> SystemDomain
000032388431 0 false None <unassigned> SystemDomain
000032388432 0 false None <unassigned> SystemDomain
000032388433 0 false None <unassigned> SystemDomain
000027460501 -58 false None Unlocked SystemDomain
000027460502 0 false None <unassigned> SystemDomain
000027460503 0 false None <unassigned> SystemDomain
000027460504 0 false None <unassigned> SystemDomain
000027460505 0 false None <unassigned> SystemDomain
000027460506 0 false None <unassigned> SystemDomain
000027460507 0 false None <unassigned> SystemDomain
000027460508 0 false None <unassigned> SystemDomain
000027460509 0 false None <unassigned> SystemDomain
000027460510 0 false None <unassigned> SystemDomain
000032388434 0 false None <unassigned> SystemDomain
000032388435 0 false None <unassigned> SystemDomain
000032388436 0 false None <unassigned> SystemDomain
000032388437 0 false None <unassigned> SystemDomain
000032388438 0 false None <unassigned> SystemDomain
000032388439 0 false None <unassigned> SystemDomain
000032388440 0 false None <unassigned> SystemDomain
000032388441 0 false None <unassigned> SystemDomain
------------------------------------------------------------------------
- Absolute changes the offset to the defined value. For example if the current offset is 300 and an absolute value of 600 is defined, the new offset becomes 600.
- Relative changes the current value by the defined value. If the current offset is 300 and a relative change of 600 is defined, the new offset becomes 900.
- None makes no changes to the value.
---------------------
cd to utils directory under RSA_HOME. Typically \Program Files\RSA Security\RSA Authentication Manager\
1. run the following command
ON WINDOWS
rsautil manage-secrets -a get com.rsa.db.root.password
ON APPLIANCE or Linux:
./rsautil manage-secrets -a get com.rsa.db.root.password
After entering your master password you should have a result which will be used to connect to sqlplus in the next step.
com.rsa.db.root.password: HIKyB0Eobm
. ./rsaenv (dot space dot/rsaenv)
Now enter the two commands below
sqlplus sys/<value from step1> as sysdba
Example:
SQL> sqlplus sys/HIKyB0Eobm as sysdba
Example:
SQL> sqlplus sys/HIKyB0Eobm as sysdba
-------------
The following steps assume you have a valid backup of a production system (where the production system was using pre-RSA Authentication Manager 7.1 SP2 or RSA Authentication Manager 7.1 SP2 software).
NOTE: at this time RSA is investigating why backup data from pre-RSA Authentication Manager 7.1 SP2 software installations does not restore into RSA Authentication Manager 7.1 SP3 software installations.
NOTE: at this time RSA is investigating why backup data from pre-RSA Authentication Manager 7.1 SP2 software installations does not restore into RSA Authentication Manager 7.1 SP3 software installations.
1) Install clean RSA Authentication Manager 7.1 SP2 full installation kit – installed using the same administrative accounts and master password as the previous production system to ensure the encrypted IMS data backup restores correctly.
NOTE: using the same fully-qualified hostname and IP address for the new RSA Authentication Manager 7.1 SP2 installation is optional.
NOTE: using the same fully-qualified hostname and IP address for the new RSA Authentication Manager 7.1 SP2 installation is optional.
2) Use the RSA Operations Console to configure the RADIUS server.
3) Stop all RSA Authentication Manager processes.
As the super user ‘root’ navigate to the RSA_AM_HOME/server folder and use the command: ./rsaam stop all
e.g.
[rsaadmin@rham712p server]$ ./rsaam stop all
RSA Authentication Manager: [ OK ]
RSA Authentication Manager Proxy Server: [ OK ]
RSA Authentication Manager Administration Server: [ OK ]
RSA Authentication Manager Node Manager: [ OK ]
RSA Authentication Manager Database Server: [ OK ]
RSA Authentication Manager Database Listener: [ OK ]
RSA Authentication Manager Operations Console: [ OK ]
RSA Authentication Manager Radius: [ OK ]
RSA RADIUS Operations Console: [ OK ]
[rsaadmin@rham712p server]
|
4) Optional: Start the RSA Authentication Manager Database Listener and RSA Authentication Manager Database Server, as these processes are required to perform an IMS data backup of the new RSA Authentication Manager 7.1 SP2 software installation.
As the super user ‘root’ navigate to the RSA_AM_HOME/server folder and use the command: ./rsaam start db
e.g.
[rsaadmin@rham712p server]$ ./rsaam start db
RSA Authentication Manager Database Listener: [ OK ]
RSA Authentication Manager Database Server: [ OK ]
[rsaadmin@rham712p server]$
As the user specified for the database installation navigate to the RSA_AM_HOME/utils folder and run the command: ./rsautil manage-backup -a export -D -f /<pathname>/<filename>.dmp
e.g.
[rsaadmin@rham712p utils]$ ./rsautil manage-backup -a export -D -f /sandbox/backups/imsam71sp22May10.dmp
Enter master password: ***********
Operation started : SUN MAY 02 14:31:05 EST 2010
Exporting the user credentials
Exporting the database
Operation completed : SUN MAY 02 14:33:44 EST 2010
[rsaadmin@rham712p utils]$
|
5) Use the tar command to archive the RADIUS folder. This tar file could be used later should there be any issues with the RADIUS restore reconfiguration.
As the super user ‘root’ navigate to the RSA_AM_HOME folder and use the following tar command to archive the RADIUS folder:
tar cvf radius_backup.tar radius/*
|
6) Start all of the RSA Authentication Manager 7.1 SP2 processes on the new system.
As the super user ‘root’ navigate to the RSA_AM_HOME/server folder and use the command: ./rsaam start all
e.g.
[rsaadmin@rham712p server]$ ./rsaam start all
RSA Authentication Manager Database Listener: [RUNNING]
RSA Authentication Manager Database Server: [RUNNING]
RSA Authentication Manager Node Manager: [ OK ]
RSA Authentication Manager Administration Server: [ OK ]
RSA Authentication Manager Proxy Server: [ OK ]
RSA Authentication Manager: [ OK ]
RSA Authentication Manager Operations Console:/usr/bin/nohup: appending output to `nohup.out'
[ OK ]
RSA Authentication Manager Radius: [ OK ]
RSA RADIUS Operations Console:/usr/bin/nohup: appending output to `nohup.out'
[ OK ]
[rsaadmin@rham712p server]$
|
7) Restore the IMS data backup from the other/older RSA Authentication Manager 7.1 system.
As the super user ‘root’ stop the RSA Authentication Manager process by using a shell script called ‘rsaam’ from the RSA_AM_HOME/server folder:
e.g.
[root@rham712p server]# ./rsaam stop managed [Should be rsaam stop all, then rsaam start db]
RSA Authentication Manager: [ OK ]
[root@rham712p server]#
Copy the IMS data backup (a dmp file and a secrets file) into a folder that is accessible by the user specified for the database installation of the RSA Authentication Manager 7.1 SP2 software.
As the user specified for the database installation, navigate to the RSA_AM_HOME/utils folder and run the following commands:
./rsautil setup-replication -a remove-primary
./rsautil manage-backups -a import -D -f /<pathname>/<filename>.dmp
./rsautil setup-replication -a set-primary
e.g.
[rsaadmin@rham712p utils]$ ./rsautil setup-replication -a remove-primary
Enter password: ***********
Setup Replication ims-2.0.2-build20091007172001
Copyright (C) 2008 RSA Security Inc. All rights reserved.
%% Running at: rham712p:[ybecs7lb] %%
=======================================
% Removing a Primary Site %
=======================================
Type Instance name Hostname DBname
-------- ----------------------- ----------------------- ---------
Primary rham712p.bellnet.local rham712p.bellnet.local ybecs7lb
Are you sure you want to remove this primary? (Y/N): y
%% Starting configuration -- Status: Removing queues at [ybecs7lb]
Done...
[rsaadmin@rham712p utils]$ ./rsautil manage-backups -a import -D -f /sandbox/backups/imsam71sp230Apr10.dmp
Enter master password: ***********
Are you sure you want to import the file and overwrite the existing data in the database? (Y/N): y
Operation started : SAT MAY 01 17:54:18 EST 2010
Importing the user credentials
Importing the database
Flashback is turned on
Rename URL-based config values
.
.SQL*Plus: Release 10.2.0.4.0 - Production on Sat May 1 18:07:10 2010
.
.Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
.
.
.Connected to:
.Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Production
.With the Partitioning, Data Mining and Real Application Testing options
.
.***************************************************************************************************
.*
18:07:13 : RSA_REP.IMS_PRINCIPAL_DATA is changed
18:07:13 : RSA_REP.PK_IMS_PRINCIPAL_DATA is changed
18:07:13 : RSA_REP.IDX_IMS_PRINC_DATA_IS_KEY is changed
18:07:13 : RSA_REP.IDX_IMS_PRINC_DATA_UID_IS is changed
18:07:13 : RSA_REP.FBI_IMS_PRINC_DATA_UID is changed
18:07:13 : RSA_BATCHREP.IMS_PRINCIPAL_LOGIN_DATE is changed
18:07:13 : RSA_BATCHREP.PK_IMS_PRINCIPAL_LOGIN_DATE is changed
18:07:13 : RSA_BATCHREP.IDX_IMS_PRINCIPAL_LOGIN_DATE is changed
18:07:13 : RSA_REP.AM_TOKEN is changed
18:07:14 : RSA_REP.IDX_AM_TOKEN_PK is changed
18:07:14 : RSA_REP.IDX_AM_TOKEN_PRINCID_FK is changed
18:07:14 : RSA_REP.IDX_AM_TOKEN_SERIAL_NUMBER_UK is changed
18:07:14 : RSA_REP.IDX_AM_TOKEN_TYPE_TOKEN_FK is changed
18:07:14 : RSA_REP.IDX_SEC_DOM_TOKEN_FK is changed
18:07:14 : RSA_REP.IDX_SW_TKN_DEV_TYP_TKN_FK is changed
18:07:14 : RSA_BATCHREP.AM_TOKEN_OOB is changed
18:07:14 : RSA_BATCHREP.IDX_AM_TOKEN_OOB_PK is changed
18:07:14 : RSA_BATCHREP.IDX_AM_TOKEN_OOB_UTC is changed
.*
.* The script is executed successfully
.* **************************************************************************************************
.Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Production
.With the Partitioning, Data Mining and Real Application Testing options
Reset the IMS console meta data
.
.SQL*Plus: Release 10.2.0.4.0 - Production on Sat May 1 18:07:23 2010
.
.Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
.
.
.Connected to:
.Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Production
.With the Partitioning, Data Mining and Real Application Testing options
.
.Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Production
.With the Partitioning, Data Mining and Real Application Testing options
All of data has been imported, and it is OK to start the system.
Operation completed : SAT MAY 01 18:07:24 EST 2010
[rsaadmin@rham712p utils]$ ./rsautil setup-replication -a set-primary
Enter password: ***********
Setup Replication ims-2.0.2-build20091007172001
Copyright (C) 2008 RSA Security Inc. All rights reserved.
%% Running at: rham712p:[ybecs7lb] %%
=======================================
% Setting up Primary Site %
=======================================
[Primary]
Port : 2334
DB name : ybecs7lb
DB host : rham712p.bellnet.local
Instance : rham712p.bellnet.local
Site name : rham712p.bellnet.local
Is this correct (Y/N): y
%% Starting configuration -- Status: Changing capture retention time [ybecs7 -- Registering primary information
Done...
[rsaadmin@rham712p utils]$
Start the RSA Authentication Manager process that was stopped earlier: ./rsaam start managed
e.g.
[root@rham712p server]# ./rsaam start managed
RSA Authentication Manager Database Listener: [RUNNING]
RSA Authentication Manager Database Server: [RUNNING]
RSA Authentication Manager Node Manager: [RUNNING]
RSA Authentication Manager Administration Server: [RUNNING]
RSA Authentication Manager Proxy Server: [RUNNING]
RSA Authentication Manager: [ OK ]
[root@rham712p server]#
|
8) As the super user ‘root’ reconfigure RADIUS at the command line.
As the super user ‘root’ navigate to the RSA_AM_HOME/config folder and use the ‘configUtil.sh’ command to reconfigure RADIUS.
e.g.
[root@rham712p RSAAuthenticationManager]# cd config
[root@rham712p config]# ./configUtil.sh configure radius finalize-radius-restore
[root@rham712p config]#
|
If you encounter the following error:
Action configure
Product radius
Module finalize-radius-restore
JVM_HOME=/usr/local/RSASecurity/RSAAuthenticationManager/appserver/jdk
readSecrets PropDir: /usr/local/RSASecurity/RSAAuthenticationManager/utils/etc
Action: start
Using service/script 'Steel-Belted Radius'/'radiuswrapper.bin'
Starting RADIUS Service...
Checking XUI Connection...
Done.
RADIUS Server Cert Generation: SUCCESS
RADIUS Server Cert Install: SUCCESS
RemoteCommand: Properties dir: /usr/local/RSASecurity/RSAAuthenticationManager/utils/etc
RemoteCommand: Connecting to Local AM as rsaadmin
RemoteCommand: Error Initializing CommandProxy: com.rsa.ims.authn.AuthenticationException: Access Denied
Configuration failed
Exiting...
|
..use knowledge article a48690 - How to determine the password of the superadmin account used by configUtils.
9) Use the RSA Operations Console and RSA Security Console to check the integrity of the restored database and check the RADIUS configuration.
i) Use the RSA Operations Console > Deployment Configuration > RADIUS > Manage Existing > {select} Server Name and Manage RADIUS Server.
ii) Use the RSA Security Console > RADIUS > RADIUS Servers > {select} Server Name and select Edit.
i) Use the RSA Operations Console > Deployment Configuration > RADIUS > Manage Existing > {select} Server Name and Manage RADIUS Server.
ii) Use the RSA Security Console > RADIUS > RADIUS Servers > {select} Server Name and select Edit.
-----------------
- a52398 | Agent does not auto-register with the RSA Authentication Manager
- Fact
- RSA Authentication Manager 7.1
- RSA Authentication Agent for Windows
- Auto-registration
- Auto Registration
- Migration
- Symptom
- RSA Authentication Agent for Windows does not auto-register with the RSA Authentication Manager
- Nothing appears in the real-time authentication activity monitor
- Change
- RSA Authentication Manager 6.1 database was migrated to RSA Authentication Manager 7.1 SP2 (or RSA SecurID Appliance 3.0 SP2)
- Cause
- The server certificate (server.cer) used by the RSA Authentication Agent for Windows does not match the RSA Authentication Manager to allow SSL connectivity
- Fix
- To complete the migration and to allow the agent auto-registration program to update the agent host record in the authentication manager database the agent server certificate (server.cer) located in the “C:\Program Files\RSA Security\RSA Authentication Agent\Agenthost Autoreg Utility” folder must be replaced with the server certificate from the license files used by the RSA Authentication Manager 7.1 SP2 software installation.IMPORTANT NOTE: ensure the RSA Authentication Manger 7.1 software has RSA Authentication Manager 7.1 Service Pack 3applied (or RSA SecurID Appliance 3.0 Service Pack 3 for an RSA SecurID Appliance 3.0 as it contains a fix for auto-registration).Also, edit the agent host record and unprotect the IP address of the agent or remove the agent host record from the authentication manager database so the agent can register itself with an unprotected IP address.Changes to agent host records are done via the RSA Security Console > Access > Authentication Agents > Manage Existing – search Unrestricted or Restricted for the agent host record.
- -------------
- a48654 | RADIUS migration from Authentication Manager 6.1 to Authentication Manager 7.1 SP2
- Goal
- Migrate RADIUS from Authentication Manager 6.1 to Authentication Manager 7.1 SP2
- Fact
- Authentication Manager 7.1 SP2
- Appliance 3.0 SP2
- RADIUS Migration
- Fix
- This knowledge article assumes you have already installed your RSA Authentication Manager 7.1 SP2 and have configured RSA RADIUS correctly following the RSA Authentication Manager 7.1 installation guide.
Below is how to correctly migrate your RSA RADIUS 6.1 data using the RADIUS export utility from the RSA Authentication Manager 7.1 SP2 full installer kit:
1. Navigate through the RSA Authentication Manager 7.1 SP2 installation media to the client/util/ folder and copyam61RADIUSExportUtility.zip file to the Authentication Manager 6.1 Primary server and unpack the file into a working directory (e.g. C:\amsoftware)
2. On the Authentication Manager 6.1 server, go to the command line and navigate to the directory you unpacked the am61RADIUSExportUtility.zip file
type: patchRemoteAdmin.bat
3. press ENTER
4. type "y" followed by ENTER
5. Type the path to the case installation directory e.g. C:\Program Files\RSA Security\RSA Authentication Manager
6. Press ENTER but do not go any further with the patchRemoteAdmin at the command line for the moment.
7. When prompted, on the Windows desktop do one of the following:
• For Authentication Manager on the local host machine, click Start > Programs > RSA Security > RSA Authentication Manager Host Mode to open the Authentication Manager 6.1 Administration client.
• For Authentication Manager on a remote host machine, click Start > Programs > RSA Security > RSA Authentication Manager Remote Mode. Log on to the remote host machine to open the Authentication Manager 6.1 Administration client
8. Select RADIUS > Manage RADIUS Server. The RSA AM6.1 Export utility box open
9. Select " Generate package"
10. When the export is complete, Authentication Manager 6.1 Export Utility dialog box displays the location of the RADIUS migration package file, <RSA_AM_HOME>\prog\radius\Admin
11. Back with the patchRemoteAdmin type "Y" and press ENTER on the "Have you completed the export operation and are ready to restore the client to its original state."
12. "Do you really want to remove this update?" type "Y"
13. Close the command prompt
<!--[endif]-->Here is an example of running patchRemoteAdmin.bat at the command line:C:\software\am61RADIUSExportUtility>patchRemoteAdmin.bat###########################################################################################[INFO] To run this script, you must be an RSA Authentication Manager 6.1 administrator[INFO] This script enables your remote administration client to export RADIUS data from an Authentication Manager 6.1 installation.[INFO] This script temporarily alters the functionality of your Remote Administration client.[INFO] After exporting the RADIUS data, the script gives you the option to restore administrative functionality to this Remote Administration client.###########################################################################################Do you really want to continue (Y/N)? yEnter the installation directory of the RSA Authentication Manager Remote Database Administration client: ("C:\Program Files\RSA Security\RSA Authentication Manager") : <ENTER>3 File(s) copied1 File(s) copied1 File(s) copied1 File(s) copied[INFO] "AM6.1 RADIUS export patch applied successfully"###########################################################################################[INFO] Installation of the RSA Radius Data Export utility is complete.You can now run the utility to create the RADIUS migration package.do the following now:-- Log on to the Remote Administration client-- click RADIUS menu and select Manage RADIUS server menu option-- click export to start the export process###########################################################################################If you have generated the RADIUS migration package, do you want to restore administrative functionality to this Remote Administration client? (Y/N)? y###########################################################################################[INFO] It is assumed that you have exported RADIUS server data from your AM 6.1[INFO] RSA Security recommends that you remove the export functionality from this Remote Administration client, after generating the migration package. If you do not remove the export functionality, you cannot remotely administer your Authentication Manager 6.1 from this RemoteAdministration client.###########################################################################################Do you want to remove the export functionality from this Remote Administration client (Y/N)? y[INFO] RSA RADIUS 6.1 Export functionality has been successfully removed and administrative functionality has been restored.C:\Program Files\RSA Security\RSA Authentication Manager\prog\radius\Admin>
Using the RSA Operations Console to migrate the RSA RADIUS 6.1 data files
To migrate the RSA RADIUS 6.1 data files on the primary instance:
1. On the primary instance, launch and log on to the RSA Operations Console with an administrative user account.
2. Click Deployment Configuration > Migration > RADIUS Database.
3. On the Additional Credentials Required page, enter the current Super Admin User ID and password. Click OK.
4. On the RADIUS Server Migration page, browse to the location of the RADIUS migration package file
[You generate the RSA RADIUS migration package file before you install the primary instance. For more information, see “Creating a RADIUS Migration Package File” on page 67 of the AM7.1 Migration guide.]
5. Click Start Migration.
6. Click Done.
7. Use the RSA Security Console to force replication to all RADIUS replica servers:
a. On the primary instance, launch and log on to the RSA Security Console.
b. Click RADIUS > RADIUS Servers.
c. Click Force Replication to All. - note
- In order to migrate RADIUS, you need to create a RADIUS migration file using the RADIUS Export utility provided on the RSA Authentication Manager 7.1 installation media.
This tool is found in the /root_directory/client/util/am61RADIUSExportUtility.zip - See a48564 for additional information.
- -----------
- a41394 | Problem migrating 6.1 database to Authentication Manager 7.1
- Fact
- Authentication Manager 7.1
- Symptom
- Error: "Migration did not complete successfully. Review the migration report or logs for details about the issue. Migration can be re-run and will ignore any information already migrated."
- Error: "failed to add domain object TOKEN"
- Cause
- An expired token is assigned to a user in the 6.1 database, and cannot be migrated. This is possibly a bug, and is being examined.
- Fix
- Workaround:Examine the migrate.log file, and look for the last token created, it will look something likeToken "000012345678" createdThis is the last token to be successfully imported. Edit the NEXT token in the 6.1 database (assuming the serial number is one more) to verify this token is assigned and expired, and unassign it. Repeat the dump from 6.1, and migrate to 7.1 with the new dumpfile.On the 6.1 database, run the report Token > List Tokens > A range of tokens by expiration. Select Tokens that will expire in the next (30) days (or some other number as appropriate), and put a check in the box "Include tokens that expired before today." If there are several expired (or expiring) tokens still assigned to users in the 6.1 database, The RSA Administrator should consider a plan to unassign these tokens. This plan may include replacing some/all of these tokens. Once no more users have expired/expiring tokens assigned to them, repeat the dump of the 6.1 database, and repeat the migration to 7.1 .
- note
- On a related issue, run the report Token > List Tokens > All tokens with replacements. If the AM6.1 database has users with both Original and Replacement tokens, it is suggested that these users be contacted, and asked to authenticate with the replacement token, to cause the Original token to be unassigned. If these users cannot be reached, as an alternative, the administrator can unassign the Original token from the user.
- -------------------
- a42841 | 7.1: Unable to promote a replica radius server to be a primary using disaster recover method
- Goal
- Unable to promote a replica radius server to be a primary using disaster recover method
- Fact
- Authentication Manager 7.1
- Radius
- Symptom
- Error message when trying to promote the replica radius server, "Sorry, your request cannot be processed at this time. There was a problem processing your request An unknown system error occurred"
- Cause
- There are two methods for promotion of a replica Radius to be a primary. If the primary Authentication Manager is up you can just log onto the Primary's Authentication Manager Operations Console and manage RADIUS replica and select promote. If the primary server is not available (disaster recovery option) you will need to promote an Authentication Manager replica server to be the primary first, then promote the RADIUS server through the newly promoted primary's Operations console. The instructions in the install guide starting on page 221 do work, but there are a couple of things that may have been overlooked. Please follow the instructions below:
- Fix
- 1. Promote the Authentication Manager replica to be a primary by logging into the RSA Operation Console and choosing Promote2. On the new Primary cd to RSA Security\RSA Authentication Manager\radiusoc\utils and run "rsautil manage-secrets -a set com.rsa.radius.oc.cert.cn.1 NewPrimary.domain.com"
3. Verify the setting took by running "rsautil manage-secrets -a get com.rsa.radius.oc.cert.cn.1"
4. Restart all RSA services on server (new primary)5. Make sure the Local Radius admins password matches that in the Authentication Manager. To do this find the RADIUS user by right-clicking on My Computer > Manage > Local Users, then go into Authentication Manager Security Console --> RADIUS --> RADIUS Servers --> select the replica --> edit. You will see the username under RADIUS Admin User Name. Change the local user password and the password on this page so that they match, then hit save.6. Logon to the RSA Operation Console and choose Deployment Configuration --> RADIUS --> Manage existing, then choose the replica and select Promote Replica to become new Primary. - note
- This process will not work if your run the rsautil command from RSA Authentication Manager\utils. You need to be in radiusoc\utils.
- -------
- a42294 | RSA RADIUS 7.1 replication not working after replica installation
- Goal
- Enabling RSA RADIUS 7.1 replication between Primary and Replica
- Fact
- Authentication Manager 7.1
- SBR Radius 7.1
- Symptom
- <date> <time> CRadConfigServerProviderPost::ExecutePost unknown managed server spec: <replica_fqdn>
- <date> <time> CRadManagedServerUpdate::ProcessPackage CCM error: disabled replica server '<replica_fqdn>'
- <date> <time> CRadManagedServerUpdate::DownloadPackage exceeded iterations limit while communicating with CCM <primary_fqdn>
- Change
- RSA Authentication Manager 7.1 replica installed with RSA RADIUS 7.1 where a radius replication package was not used during installation
- Fix
- Further steps are required to enable the radius replica and force the radius primary to publish a replication package to the replica.1) By default the primary replication option ‘Enable replication of the primary RADIUS server’ is enabled but the primary replication status is ‘Primary: unpublished’2) Enable the option ‘Enable the server for replication with the primary RADIUS server’ as by default the Replication status of the replica is ‘Replica: disabled’
Enable: Security Console > RADIUS > RADIUS Servers > {left-click the replica server name} > Edit > {check} Enable the server for replication with the primary RADIUS server > {click} Save3) Next, force replication for each radius server, primary first and then replica.
Primary: Security Console on primary > RADIUS > RADIUS Servers > {left-click the primary server name} > {click} Force Replication
Replica: Security Console on primary > RADIUS > RADIUS Servers > {left-click the replica server name} > {click} Force Replication -- this will change the Replication status of the replica is ‘Replica: unpublished’4) Lastly, use Security Console > RADIUS > RADIUS Servers > {click} Force Replication to All button
* this will change the Replication Status for the primary and replica RADIUS servers to Primary: up-to-date and Replica: up-to-date
Typical messages seen in the RSA RADIUS log (e.g. yyyymmdd.log) located in the <inst_dir>\RSA Authentication Manager\radius\Service directory:<date> <time> Publishing package packages\1222403881_SBR.ccmpkg stamp 1222403881 server <primary_fqdn><date> <time> Publishing package packages\1222403881_SBR.ccmpkg stamp 1222403881 server <replica_fqdn><date> <time> CRadConfigManagedServerHTTPNotification::NotifyTarget <replica_fqdn> address <replica_IP_address> port 1812 url /ccm-update5) Ensure the RSA RADIUS 7.1 process is running on both the primary and replica before performing authentication tests
A useful RADIUS test client is available from URL http://www.mastersoft-group.com/download/ - product to choose is the ‘NTRadPing RADIUS Test Utility (Free)’Please refer to knowledge article 'RADIUS authentication test with RSA RADIUS 7.1' to test RSA RADIUS 7.1 authentications or contact RSA Customer Support if you are still experiencing technical issues with RSA RADIUS replication.----------------- - a45224 | RSA Authentication Manager 7.1 replica RADIUS server does not authenticate when the primary server is down
- Goal
- Troubleshoot communication authentication errors on the RSA Authentication Manager 7.1 replica RADIUS server that occur when the primary server is down
- Fact
- RSA Authentication Manager 7.1
- RSA SecurID Appliance 3.0
- RSA Authentication Manager 7.1 RADIUS
- Symptom
- Replica RADIUS log shows messages that are similar to the following:
03/14/2009 13:27:19 Failed to initialize communications for SecurID authentication (result = 23)
03/14/2009 13:27:19 Unable to find user jgracias with matching password
03/14/2009 13:27:19 Sent reject response - Cause
- The sdconf.rec file on the replica Authentication Manager 7.1 RADIUS server does not contain replica server information. This can happen if the RSA Authentication Manager servers are not rebalanced before the replica RADIUS server is configured. To resolve this issue, you must update the sdconf.rec file on the replica RSA Authentication Manager 7.1 RADIUS server.
- Fix
- RSA Authentication Manager 7.1 replica RADIUS server does not authenticate when the primary server is downTo resolve communication authentication errors on the replica RADIUS server, update the sdconf.rec file on the replica RSA Authentication Manager 7.1 RADIUS server.To update the sdconf.rec file on the replica RSA Authentication Manager 7.1 RADIUS server:
- Generate and download the sdconf.rec file on the primary RSA Authentication Manager 7.1 RADIUS server:
a. Log on to the RSA Security Console.
b. Select Access > Authentication Agents > Authentication Manager Contact List > Automatic Rebalance.
c. Click Rebalance. You should see the primary and replica server(s) listed. (This step updates the contact list.)
d. Generate and download a new sdconf.rec file. In the Security Console, go to Access > Authentication Agents > Generate Configuration File. Follow the prompts to download the file. - Update the sdconf.rec file on the replica Authentication Manager 7.1 RADIUS server:
a. Place the newly generated sdconf.rec in the directory. This file needs to be in the following location:
• Windows: C:\Windows\System32
• UNIX-based systems: /var/ace
• Appliance: /usr/local/RSASecurity/RSAAuthenticationManager/radius/
See the section below for special instructions on moving the file to an Appliance.
b. Delete the sdstatus.12 file located on the server.
c. Stop and restart the RSA RADIUS Server. On Windows, use the Windows Services applet, or on UNIX or the Appliance, run the following command in the same line:
/usr/local/RSASecurity/RSAAuthenticationManager/server/rsaam restart radius - Launch the agent and test authentication.
- Log on to the Security Console, check and select Setup > Instances. Verify that replica servers are listed and that their status is Running.
- Generate and download the sdconf.rec file on the primary RSA Authentication Manager 7.1 RADIUS server:
- note
- To move the sdconf.rec file to an Appliance:
- On the Appliance, copy the sdconf.rec file to the /tmp directory with a secure copy program using the emcsrv account and the Operating System password.
- Log on to the Appliance using an SSH client, and run the following commands:
sudo su
cd /tmp
chmod 755 sdconf.rec - Copy the sdconf.rec file from the /tmp directory to the following location:
/usr/local/RSASecurity/RSAAuthenticationManager/radius/
- If you are not using RSA RADIUS, see solution a45223.
- ----------
- a45223 | RSA authentication agent authenticating only to the Authentication Manager 7.1 primary
- Goal
- The RSA agent should authenticate to the replica Authentication Manager server if the primary server is down. The RSA agent should display all Available Authentication Servers when checking the Server Status.
- Fact
- RSA Authentication Manager 7.1
- SP2
- Appliance 3.0
- RSA Windows Agent
- Symptom
- RSA agent only authentication to the Authentication Manager 7.1 primary
- On the agent, the Server Status only displays the primary server instead of all available Authentication Servers
- Cause
- The sdconf.rec file does not contain information on the Authentication Manager replica.
- Fix
- To update the list in the configuration File, follow the following steps:On the primary Authentication Manager 7.1 server:1. Login to the Security Console. Select Access > Authentication Agents > Authentication Manager Contact List > Automatic Rebalance.2. Click on the Rebalance Option. You should see the primary and replica server(s) listed.3. Generate a new configuration file. From the Security Console select Access > Authentication Agents > Generate Configuration File. Generate and download a new sdconf.rec file.On the agent machine:1. Delete the sdstatus.12 file from C:\Windows\System322. Place the newly generated sdconf.rec in the directory.3. Launch the agent and test authentication.4. Refresh the agent by closing the agent and launching it again.5. Go to Local > Server Environment > Server Status to see if the replica server(s) are listed.You should now be able to authenticate to the replica server-------------
- a42378 | RADIUS authentication test with RSA RADIUS 7.1
- Fact
- RSA Authentication Manager 7.1
- RSA RADIUS 7.1
- RADIUS authentication
- Authentication Test
- RADIUS Authentication Test
- Symptom
- Security Console Authentication Monitor displays the following message after a RADIUS authentication:Date & Time<date & time>Log LevelERRORActivity KeyPrincipal authenticationDescriptionUser “rsalocaltest” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “SystemDomain”Action Result KeyFailureResult KeyAUTH_METHOD_FAILEDResultAuthentication Method failedUser ID<user ID>
- RSA RADIUS 7.1 log file reports 'Authentication Response (reject)'
- RSA RADIUS 7.1 log files reports 'Unable to find user rsalocaltest with matching password'
- NTRADping RADIUS Server reply:Sending authentication request to server <IP address of RSA RADIUS 7.1 server:port>
Transmitting packet, code=nn id=nn length=nnn
received response from the server in nnnn milliseconds
reply packet code=nn id=nn length=nnn
response: Access-Reject
----------------------------attribute dump----------------------------- - Fix
- Here is a test for RSA RADIUS 7.1 with an internal database user with a fixed PASSCODE and a RADIUS test client called NTRADPing.1) Download NTRADping – a free RADIUS test client from URL http://www.mastersoft-group.com/download/
- unzip the file in to a working directory e.g. C:\temp\NTRADping2) Add a test user to the RSA Authentication Manager 7.1 Internal Database
RSA Security Console > Identity > Users > Add New
in the form:Identity Sourceselect Internal DatabaseLast NamersalocaltestUser IDrsalocaltestPassword<enter a password>Confirm Password<enter a password as above>Force Password Changeuncheck ‘Require use to change password at next logon’click {Save} button3) Assign Authentication Settings to the user ‘rsalocaltest’
RSA Security Console > Identity > Users > Manage ExistingSecurityDomainSystemDomainIdentity SourceInternal DatabaseForAll UsersWhereLast Name starts with rsalocaltestclick {Search} button
Left click the user name and select Authentication Settings4) in the form:Fixed Passcodecheck ‘Allow authentication with a fixed passcode’Fixed Passcode<enter a passcode> e.g. 12345678Confirm Fixed Passcode<enter a passcode as above> e.g. 12345678click {Save} button5) Ensure there is an unrestricted agent configured for the system the RADIUS test client NTRADping is being used on:
RSA Security Console > Access > Authentication Agents > Manage Existing
If there is no agent defined then use the {Add New} button to create one and ensure Agent May Be Accessed by All Users
in the form:Security DomainSystemDomainHostname<hostname>IP Address<IP address>Agent May be Accessed byAll Users {default setting}click {Save} button6) Ensure there is a defined RADIUS Client for the system NTRADping is being used on:
RSA Security Console > RADIUS > RADIUS Clients > Manage Existing
If there is no RADIUS client defined then use the {Add New} buttonClient Name<enter resolvable name>IP Address<enter IP address>Make/Model- Standard Radius -Shared Secret1234 <this MUST match the RADIUS Secret key in NTRADping>click {Save without RSA Agent} button7) Here is a typical example of the configuraiton in the RADIUS test client NTRADping:RADIUS Server/port<IP address of RSA RADIUS 7.1 server> <port>Reply timeout (sec)3Retries2RADIUS Secret key1234 <this MUST match the Shared Secret in the RADIUS Client>User-NamersalocaltestPassword<fixed passcode>CHAP<leave unchecked>Request TypeAuthentication RequestAdditional RADIUS Attributes<leave blank>click {Send} buttonRADIUS Server reply:Sending authentication request to server <IP address of RSA RADIUS 7.1 server:port>
Transmitting packet, code=nn id=nn length=nnn
received response from the server in nnnn milliseconds
reply packet code=nn id=nn length=nnn
response: Access-Challenge
----------------------------attribute dump-----------------------------
Prompt=No-Echo
Reply-Message=\0x0d\0x0a Enter your new PIN, containing 4 to 8 c
State=SBR-CH 4|1\0x00
Please note: NTRADping can do New PIN Mode and the response will be Access-Challenge. see solution a52716 on how to do this.This is expected and if this user was not in New Pin Mode the RADIUS Server reply would be as follows:
RADIUS Server reply:Sending authentication request to server <IP address of RSA RADIUS 7.1 server:port>
Transmitting packet, code=nn id=nn length=nnn
received response from the server in nnnn milliseconds
reply packet code=nn id=nn length=nnn
response: Access-Accept
----------------------------attribute dump-----------------------------
Class=2SBRCL\0xd4\0x80\0xdd\0xad\0x94\0x8d\0x80\0xbe\oxd8\ - a42294 | RSA RADIUS 7.1 replication not working after replica installation
- Goal
- Enabling RSA RADIUS 7.1 replication between Primary and Replica
- Fact
- Authentication Manager 7.1
- SBR Radius 7.1
- Symptom
- <date> <time> CRadConfigServerProviderPost::ExecutePost unknown managed server spec: <replica_fqdn>
- <date> <time> CRadManagedServerUpdate::ProcessPackage CCM error: disabled replica server '<replica_fqdn>'
- <date> <time> CRadManagedServerUpdate::DownloadPackage exceeded iterations limit while communicating with CCM <primary_fqdn>
- Change
- RSA Authentication Manager 7.1 replica installed with RSA RADIUS 7.1 where a radius replication package was not used during installation
- Fix
- Further steps are required to enable the radius replica and force the radius primary to publish a replication package to the replica.1) By default the primary replication option ‘Enable replication of the primary RADIUS server’ is enabled but the primary replication status is ‘Primary: unpublished’2) Enable the option ‘Enable the server for replication with the primary RADIUS server’ as by default the Replication status of the replica is ‘Replica: disabled’
Enable: Security Console > RADIUS > RADIUS Servers > {left-click the replica server name} > Edit > {check} Enable the server for replication with the primary RADIUS server > {click} Save3) Next, force replication for each radius server, primary first and then replica.
Primary: Security Console on primary > RADIUS > RADIUS Servers > {left-click the primary server name} > {click} Force Replication
Replica: Security Console on primary > RADIUS > RADIUS Servers > {left-click the replica server name} > {click} Force Replication -- this will change the Replication status of the replica is ‘Replica: unpublished’4) Lastly, use Security Console > RADIUS > RADIUS Servers > {click} Force Replication to All button
* this will change the Replication Status for the primary and replica RADIUS servers to Primary: up-to-date and Replica: up-to-date
Typical messages seen in the RSA RADIUS log (e.g. yyyymmdd.log) located in the <inst_dir>\RSA Authentication Manager\radius\Service directory:<date> <time> Publishing package packages\1222403881_SBR.ccmpkg stamp 1222403881 server <primary_fqdn><date> <time> Publishing package packages\1222403881_SBR.ccmpkg stamp 1222403881 server <replica_fqdn><date> <time> CRadConfigManagedServerHTTPNotification::NotifyTarget <replica_fqdn> address <replica_IP_address> port 1812 url /ccm-update5) Ensure the RSA RADIUS 7.1 process is running on both the primary and replica before performing authentication tests
A useful RADIUS test client is available from URL http://www.mastersoft-group.com/download/ - product to choose is the ‘NTRadPing RADIUS Test Utility (Free)’Please refer to knowledge article 'RADIUS authentication test with RSA RADIUS 7.1' to test RSA RADIUS 7.1 authentications or contact RSA Customer Support if you are still experiencing technical issues with RSA RADIUS replication.----------------- - a40226 | Replica Authentication Manager and Radius servers installs fail
- Fact
- RSA Authentication Manager 7.1
- Symptom
- Replica database and Radius server installs fail
- installation of RSA RADIUS replica fails
- Installation of RSA Authentication Manager 7.1 replica fails
- Cause
- There are a few possible causes:
1. The name resolution between the servers is not correct. Note that all servers in the deployment must be able to resolve each other using Alias, FQDN and IP, forwards and reverse.
2. The servers need to be able to route their communications to the primary interface of the Primary. The IP address that was specified during install of the Primary is the IP that all Replicas and Radius servers need to use to contact the Primary.
3. The time on the servers is not consistent. All server in the deployment should be within 15 seconds of each other. After install the Adjudicator communication between the servers will manage this, but at install the time needs to be accurate.
4. NAT is not configured correctly, meaning that the proper Alias addresses have not been configured for the servers. See the install and admin guide for notes regarding NAT.
No comments:
Post a Comment