Tuesday, January 29, 2013

SecurID kb

  • a1273 | How to reindex RSA ACE/Server databases
  • a17946 | How to generate or push a Replica Package to one UNIX Replica at a time manually
  • Instructions for rebuilding the replica table and creating a functional replica:
  • a57342 | A more concise guide to updating Authentication Manager 7.1 passwords
  • a51679 | AM 7.1.2- Replica Radius server Configuration Failure -debug-
  • a52896 | Unable to configure Radius on Replica server
  • a36043 | Authentication Manager 7.1 startup fails
  • a41725 | How to synchronize RSA SecurID tokens in RSA Authentication Manager 7.1
  • a48755 | How to connect to sqlplus to run a custom query or SQL query
  • a50886 | Moving pre-RSA Authentication Manager 7.1 SP2 data on a UNIX platform
  • a52398 | Agent does not auto-register with the RSA Authentication Manager
  • a48654 | RADIUS migration from Authentication Manager 6.1 to Authentication Manager 7.1 SP2
  • a41394 | Problem migrating 6.1 database to Authentication Manager 7.1
  • a42841 | 7.1: Unable to promote a replica radius server to be a primary using disaster recover method
  • a42294 | RSA RADIUS 7.1 replication not working after replica installation
  • a45224 | RSA Authentication Manager 7.1 replica RADIUS server does not authenticate when the primary server is down
  • a45223 | RSA authentication agent authenticating only to the Authentication Manager 7.1 primary
  • a42378 | RADIUS authentication test with RSA RADIUS 7.1
  • a40226 | Replica Authentication Manager and Radius servers installs fail
------------

a1273 | How to reindex RSA ACE/Server databases
Symptom
Error message appears in system application event log indicative of database corruption.
Error: "Trigerror:tus_del.p Dependent SDToken record exists."
Delta records error messages appear - such as 'delta group member already exists. Error 132'
Delta error messages appearing while doing administration on the database.
Cause
Poor housekeeping of an ACE/Server database can result in the database index table being corrupted.
Fix
Before you reindex the RSA ACE/Server database, ensure that the ACE/Server processes have stopped.

Also, ensure you have a backup of the ACE/Server before you make any changes to the data. One way to back up your data is to use the 'sddump' utility. Read the Administration Guide for further information on this utility.

Procedure for Microsoft Windows:

1. Click Start Menu > Settings > Control Panel

2. Click the ACE/Server icon and click the Stop button

3. Back up the ACE/Server database using:

sddump, select server database

or

back up the contents of the ace\data directory

4. Open up a Command Prompt window and enter the following command lines:

C:\> cd ace\rdbms32\bin
C:\ACE\rdbms32\bin\> _proutil ../../data/sdserv -C idxbuild all


Procedure for UNIX:

1. Change directory to the ACEPROG directory (cd /path/ace/prog)

2. Stop the Authentication engine - 'aceserver stop'

3. Stop the Database Broker - 'sdconnect stop'

4. Ensure there are no processes running - 'ps -ef | grep ace'

5. Back up the ACE/Server database:

'sddump -s'

6. From the UNIX prompt as superuser (root) assuming the PATH to the ACE directory is '/apps/SecurID':

{root} > cd /apps/SecurID/ace/rdbms/bin
{root} > ./proutil ../../data/sdserv -C idxbuild all 

a17946 | How to generate or push a Replica Package to one UNIX Replica at a time manually

Goal
How to push a Replica Package to one UNIX Replica at a time manually
Manually push database when replica fails to start; How to recover from a failed push-db on UNIX
Symptom
Primary cannot connect to Replica <hostname>
The Primary and Replica do not replicate records
Primary is not connecting to the Replica; even when hostnames are consistent
Fix
There are two ways to deliver a Replica Package to a UNIX Replica: DB Push Enabled (replicate over the network) and DB Push Disabled (Replica database included in the Replica Package).
In /.../ace/prog/sdadmin > System > Edit System Parameters, 'Allow Push DB Assisted Recovery' is either checked or unchecked. When it is checked, the Primary will 'deliver' the Replica Package to the Replica when both hosts are brought online. When it is unchecked, the admin will need to 'deliver' the Replica Package to the Replica.
The simpler, safer approach is to disable DB Push.
The process if 'Allow DB Push' is disabled:
~~~~~~~~~~~~~~~~~~~~~~~~
1) Log into sdadmin
a. You must be logged in as an ACE admin
b. ‘cd /…/ace/prog’
c. ‘./sdadmin’
2) Flag the Primary to NOT Push the database.
a. System Parameters > Edit System Parameters > Un-Check ‘Allow DB Push Assisted Recovery’
3) Remove any old ‘replica_package’ directories from the /…/ace/data directory
4) Stop the Primary ACE/Server
a. ‘cd /…/ace/prog’
b. ‘./aceserver stop’
c. ‘./sdconnect shutdown’
5) Generate a NEW Replica Package
a. ‘./sdsetup -package’
b. Specify the Replica that you will generate this replica package for.
c. Optionally verify that your ‘sdrepnodes.txt’ was built correctly
i. ‘cd /…/ace/data/replica_package/license’
ii. ‘more sdrepnodes.txt’
iii. You should see the names of all the Replica servers that you specified…as well as some Seq Numbers and Port Names/Numbers
6) Restart Primary Services
a. ‘cd /…/ace/prog’
b. ‘./sdconnect start’
c. ‘./aceserver start’
7) Stop the Replica Server.
a. ‘cd /…/ace/prog’
b. ‘./aceserver stop’
c. ‘./sdconnect shutdown’
8) Copy the replica_package with sub folders ( license and database) to the Replica. You can store the replica_package directory in any directory on the Replica Host…you may want to avoid the /tmp directory
a. Apply the replica package
i. ‘cd /…/ace/prog’
ii. ‘./sdsetup -apply_package pathname’
iii. ‘./sdinfo | more’
1. You should see that the field ‘PRIMARY ACE SERVER’ reflects the hostname of the Primary ACE/Server.
2. You should see that the field ‘THIS SERVER’ reflects the hostname of the Replica ACE/Server.
9) Start the Replica Server
a. ‘cd /…/ace/prog’
b. ‘./sdconnect start’
c. Open a real-time activity log on the Primary
i. Open another session to the host
ii. ‘cd /…/ace/prog’
iii. ‘./sdlogmon -t’
iv. Go back to your original session and continue with the Primary startup.
d. ‘./aceserver start’
e. You should begin to see messages in both the Primary's and that particular Replica's logs showing that the two connect.
At this point, make sure that the sequence numbers are the same on both of those machines by running ‘./sdrepmgmt list’ on both hosts.
Note
======================================================================================
The "more complex" process if 'Allow DB Push' is Enabled: Note - do not attempt to start Services on the Replica during the Push! Patience required!
~~~~~~~~~~~~~~~~~~~~~~~~
1) Log into sdadmin
a. You must be logged in as an ACE admin
b. ‘cd /…/ace/prog’
c. ‘./sdadmin’
2) Flag the Primary to Push the database.
a. System Parameters > Edit System Parameters > Check ‘Allow DB Push Assisted Recovery’
3) Remove the ‘replica_package’ from the /…/ace/data directory
4) Stop the Primary ACE/Server
a. ‘cd /…/ace/prog’
b. ‘./aceserver stop’
c. ‘./sdconnect shutdown’
5) Generate a NEW Replica Package
a. ‘./sdsetup -package’ from the /…/ace/prog directory
b. Specify the Replica to generate the package for.
c. Let’s verify that your ‘sdrepnodes.txt’ was built correctly
i. ‘cd /…/ace/data/replica_package/license’
ii. ‘more sdrepnodes.txt’
iii. You should see the names of all the Replica servers that you specified…as well as some Seq Numbers and Port Names/Numbers
6) Start the Primary ACE/Server
a. ‘cd /…/ace/prog’
b. ‘./sdconnect start’
c. Open a realtime activity log on the Primary
i. Open another session to the host
ii. ‘cd /…/ace/prog’
iii. ‘./sdlogmon -t’
iv. Go back to your original session and continue with the Primary startup.
d. ‘./aceserver start’
e. The Push will initiate…with the 1st Replica that it comes to in its list that does require a push…meaning that the Push does not start simultaneously. The Startup interval (in the output of the command ‘/…/ace/prog/sdrepmgmt list’) controls when the Replica will ‘awaken’ and establish its connection to the Primary. Once this connection occurs, the Primary will begin the DB Push to that Replica…IF that Replica appears in the sdrepnodes.txt file.
7) Description of how to ‘watch’ this Push occur
a. On the Replica(s) receiving the DB Push
i. You should notice with a ‘ps -ef | grep _ace’ command that the ‘_aceserver_fe’ process is down. The Replica will make its connection…see that it requires a Push from the Primary…then signal itself to shut down.
ii. ‘cd /…/ace/data’
iii. You should see a directory called replica_package…if you ‘cd’ into this directory, you will notice that the sdserv.* files appear and their sizes begin to grow. Use ‘ls -l’ or something similar to watch the file sizes. Upon completion of the push, these sdserv.* files will be copied from this current directory straight into /…/ace/data.
iv. Your Replica will start back up and re-connect with the Primary.
8) Check your sequence #’s
a. ‘./sdrepmgmt list’ on both the Primary and the corresponding Replica should show matching sequence #’s.

----
Instructions for rebuilding the replica table and creating a functional replica:
On the primary
stop the server.
"path"/ace/prog/aceserver stop
"path"/ace/prog/sdconnect shutdown
dump the database (this is to restore the db back)
"path"/ace/prog/sddump -s
"path"/ace/prog/sddump -l
"path"/ace/prog/sdnewdb all (cleans out the db including the replica table)
answer y,n,y,n
"path"/ace/prog/sdrepmgmt add
enter the name of the primary server, then take all the defaults.
"path"/ace/prog/sdrepmgmt add
enter the name of the replica server, then take all defaults.
"path"/ace/prog/sdrepmgmt list
Note the service ports and names: are they securidprop_00 and securidprop_01? Do they use 5505 and 5506? If not, the services file is likely not correct on the primary. Change /etc/services and start over.
"path"/ace/prog/sdload -s -m
"path"/ace/prog/sdload -l
rm -r "path"/ace/data/replica_package
Start the primary with "path"/ace/prog/sdconnect start and "path"/ace/prog/aceserver start.
Run database administration and turn off the automatic db push:
"path"/ace/prog/sdadmin
[System]
[Edit System Parameters]
Uncheck the "Allow Push DB Assisted Recovery"
Stop the primary with "path"/ace/prog/aceserver stop and "path"/ace/prog/sdconnect shutdown.
"path"/ace/prog/sdsetup -package (specify the replica server name. This will create a "path"/ace/data/replica_package directory)
cd "path"/ace/data
tar -cvf my_replica_package replica_package
ftp in BIN mode the my_replica_package file to a temp directory on the replica server.
Start the primary with "path"/ace/prog/sdconnect start and "path"/ace/prog/aceserver start. Move on to the replica.
On the replica.
rm -r "path"/ace
cd to the temp directory from above.
tar -xvf my_replica_package
go into the replica_package/license directory that's created.
Run the install script from there.
/cdrom/as501061/aceserv/OS/sdsetup -replica
When the install asks for the replica package directory give the path to the replica_package directory you just untar'd, let the install complete.
Ignore all error messages that scroll by at the end of the install... as long as you are confident that all was done right. Double check what you've done.
Bring up the replica with "path"/ace/prog/sdconnect start and "path"/ace/prog/aceserver start. Test.

"path"/ace/prog/sdtestauth
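
The /etc/services check described in the instructions above, as an added example that is not part of the original instructions: it reports whether securidprop_00 and securidprop_01 are bound to 5505 and 5506 and whether another service claims those ports. The function names and sample data are constructed, and any protocol is accepted because the text names none.

```shell
#!/bin/sh
# Added example (not part of the original instructions). Service names and
# ports come from the text above; helper names and sample data are constructed.

EXPECTED="securidprop_00:5505 securidprop_01:5506"

# lookup_port FILE NAME -> port registered for NAME (official name or alias),
# any protocol. Prints nothing if NAME is absent.
lookup_port() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                  # drop comments
        NF < 2 { next }                     # blank or malformed line
        {
            for (i = 1; i <= NF; i++) {
                if (i != 2 && $i == want) { # field 2 is port/protocol
                    split($2, pp, "/")
                    print pp[1]
                    exit
                }
            }
        }' "$1"
}

# port_names FILE PORT -> every official service name bound to PORT.
port_names() {
    awk -v port="$2" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { split($2, pp, "/"); if (pp[1] == port) print $1 }' "$1" | sort -u
}

# check_securid_services FILE -> one status line per finding; returns 0 only
# when both entries sit on the expected ports and nothing else claims them.
check_securid_services() {
    svc_file=$1
    svc_rc=0
    for pair in $EXPECTED; do
        name=${pair%%:*}
        want=${pair##*:}
        got=$(lookup_port "$svc_file" "$name")
        if [ -z "$got" ]; then
            echo "MISSING  $name (expected port $want)"; svc_rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $name uses $got, expected $want"; svc_rc=1
        else
            echo "OK       $name $got"
        fi
        for other in $(port_names "$svc_file" "$want"); do
            if [ "$other" != "$name" ]; then
                echo "CONFLICT port $want is also assigned to $other"; svc_rc=1
            fi
        done
    done
    return $svc_rc
}

# Constructed sample: a services fragment that passes the check.
sample_services_good() {
    cat <<'EOF'
# constructed sample /etc/services fragment
ssh             22/tcp
securidprop_00  5505/tcp    # primary
securidprop_01  5506/tcp    # replica
EOF
}

# Constructed sample: replica entry on the wrong port, 5506 taken by another name.
sample_services_bad() {
    cat <<'EOF'
securidprop_00  5505/tcp
securidprop_01  5507/tcp
otherapp        5506/tcp
EOF
}

# Stand-alone use: sh check_services.sh /etc/services
if [ $# -gt 0 ]; then
    check_securid_services "$1"
fi
```

Run it on the primary before the first sdrepmgmt add, so a wrong services file is caught before the database is cleaned out.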

------

a57342 | A more concise guide to updating Authentication Manager 7.1 passwords
Goal
How to change or reset the master password, Security Console password or the Operations Console password
Fact
Working directories when using the rsautil command:
Windows -  cd C:\Program Files\RSA Security\RSA Authentication Manager\utils
Appliance 3.0 -  cd /usr/local/RSASecurity/RSAAuthenticationManager/utils
RSA Authentication Manager 7.1 SP2 and higher, SP4, Appliance 3.0.2.0 or higher, 3.0.4.10
Manage Secrets utility updates - C:\Program Files\RSA Security\RSA Authentication Manager\utils\etc\systemfields.properties
/usr/local/RSASecurity/RSAAuthenticationManager/utils/etc/systemfields.properties
ConfigUtil configure update - ../radiusoc/utils/etc/systemfields.properties
During installation of Authentication Manager 7.1 you are asked for a SuperAdmin UserID and password, which will be used for the Security Console login. It is also used to create the Operations Console login and the Master Password.
Note: Changing any one of these passwords does not change the others.  Each of the Password Values and user names are independent.
Symptom
Error: Authentication with user name/password failed
Error: Invalid Password, failed to decrypt system key
Configure RADIUS Server - There was a Problem processing your request
Unexpected Failure in configuring Radius Server
Since AM 7.1 Master and SuperAdmin Passwords are not unecoded, it is best to avoid the following special characters: &()[]{}^=;!'+,`$"#<>\| . For the full list of invalid characters for AM 7.1 passwords, please refer to the document referenced below. For other allowed special characters, you could try placing quotes "" around the password.
Fix
A) How to reset an unknown Master Password when you know the Operations Console Admin Password
  1. On an RSA Appliance, SSH in with the emcsrv account and the Operating System password created during install. If on a Server, skip to step 3.
  2. sudo su rsaadmin        (enter the Operating System password again)
  3. (Start here if AM 7.1 is not an Appliance) cd to “RSA_AM_HOME”/utils
  4. rsautil manage-secrets -u <Operations Console Admin User> -p <Operations Console Password> -a change -N <new master password>
     For example: rsautil manage-secrets -u RSAAdmin -p P@ssw0rd! -a change -N P@ssw0rd!
  5. The Operations Console Password and Master Password can be the same. Note: in this example the Operations Console Admin user name is CASE SENSITIVE.

If you know the current Master Password and want to change it, you can use:
rsautil manage-secrets -a change -n new_password
Master Password: <Current Master Password>

B) If you have RADIUS, you must update the RADIUS MASTER PASSWORD after changing the Master Password
Change directories to RSA_AM_HOME/config/.
configUtil configure util-config updateAdmin -R master.password=new_master_password -R superadmin.username=new_superadmin_username -R superadmin.password=new_super_admin_password

new_master_password is the new master password.
new_superadmin_username is the new Super Admin user name.


C) You must reload all Operations Console Admins, one at a time, after changing the Master Password
./rsautil manage-oc-administrators -a reload
SuperAdmin: <name of Ops console Admin>
SuperAdmin Password: <Ops console Admin password>
===============================================================================================
D) How to create a new Admin who can log on to the Security Console
In this example the Admin will be called “tempAdmin”. You do this from the operating system, so cd to “RSA_AM_HOME”/utils:
either C:\Program Files\RSA Security\RSA Authentication Manager\utils in Windows
or /usr/local/RSASecurity/RSAAuthenticationManager/utils in Linux
a.       rsautil restore-admin -u tempAdmin -p <Temp Password for tempAdmin>
b.      Enter Master Password:        Note: if this fails, the Master Password needs to be reset; see A)
c.       A temporary admin will be created with user ID ‘tempAdmin’
d.      Are you sure you want to continue (Y/N) Y
e.      Admin created successfully
Log in to the Security Console (within 24 hours, or this account will be expired), then navigate to Identity -> Users -> Manage Existing. Search for the Security Console admin who needs their password reset, select Edit from the context menu, change the password and Save.
===============================================================================================
E) How to Change the password for the admin who logs on to the Operations Console
rsautil manage-oc-administrators -a list
Note: the Operations Console Admin user name is CASE SENSITIVE; list the Admin names to check the exact spelling.
rsautil manage-oc-administrators -a update
Super Administrator's name: tempAdmin
Super Administrator's password: ************
Enter User Name:  admin
Enter User Password:  ************
Confirm User Password:  ************
User 'admin' updated successfully 

Or if you need to create a new Operations Console Admin use 
rsautil manage-oc-administrators -a create and follow the same prompts

Note: It takes up to 15 minutes to replicate the systemfields.properties file OOB. If OOB does not push the OC Admin password to the Replica, you may need to Detach and Re-attach.

Note
If your password contains special characters such as ! or <, please note that some special characters are restricted in AM 7.1 administration passwords (including the master password, administrator password and Operations Console password). For the detailed list, please refer to the AM 7.1 SP4 patch 2 readme file at
https://knowledge.rsasecurity.com/docs/rsa_securid/rsa_auth_mgr/71sp4p2/auth_manager_SP4_p2_readme.pdf
For other allowed special characters, you may need to put "quotes" around your password, especially on Linux, to prevent the command line from trying to interpret the special characters in your password.
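
The avoid-list given under Symptom and the quoting advice above can both be checked before a password is typed into rsautil. This is an added example, not part of the KB article; the function names avoided_chars and sh_quote are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the KB article. Function names are hypothetical.

# Characters the article says to avoid in AM 7.1 Master / SuperAdmin passwords.
AM71_AVOID='&()[]{}^=;!'\''+,`$"#<>\|'

# avoided_chars PASSWORD -> prints the avoided characters that occur in
# PASSWORD (in the article's list order); returns 0 only if there are none.
avoided_chars() {
    ac_pw=$1
    ac_rest=$AM71_AVOID
    ac_found=
    while [ -n "$ac_rest" ]; do
        ac_c=${ac_rest%"${ac_rest#?}"}   # first character of the remaining list
        ac_rest=${ac_rest#?}
        case $ac_pw in
            *"$ac_c"*) ac_found=$ac_found$ac_c ;;   # quoted: matched literally
        esac
    done
    printf '%s\n' "$ac_found"
    [ -z "$ac_found" ]
}

# sh_quote STRING -> STRING wrapped in single quotes so a POSIX shell passes
# it to the command unchanged; an embedded ' is written as '\''.
# Double quotes are not enough: the shell still expands $, ` and \ inside them.
sh_quote() {
    printf "'%s'\n" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Stand-alone use: "sh pwcheck.sh --check" reads the candidate from stdin,
# so the password never appears as a command-line argument of this script.
if [ "${1:-}" = "--check" ]; then
    IFS= read -r candidate
    avoided_chars "$candidate" ||
        echo "contains characters the article says to avoid" >&2
    sh_quote "$candidate"
fi
```

Where rsautil prompts for a password, as in the Master Password prompts shown in this article, the value is not parsed by the shell and needs no quoting.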
RSA Authentication Manager 7.1 Servers have two main login accounts and three main passwords:
1.       The Super Admin account is used to login to the RSA Security Console on port 7004.  This account is stored in the Internal Database
2.       The Operations Console Admin account is used to login to the Operations Console on port 7072.  This account is stored in a system file
3.       The Master Password is used at the command prompt with the rsautil command
An RSA Appliance has these same two accounts and three Passwords, and has an operating system account called emcsrv.
When you setup an AM 7.1 Server or Appliance 3.0, you are asked to provide a Super Admin Account and Password.  You are creating these two accounts and three passwords from that one Super Admin account and Password. 
1.       The Super Admin account is replicated to all Replicas through In-Band Replication
2.       The Operations Console Admin account is replicated to all Replicas through Out Of Band, OOB Replication
3.       The Master Password is not replicated, if you change it on the Primary, you must change it on the Replicas to keep it in synch
a.       When you change or reset the Master Password, you must also reset the Radius Master Password and update the Operations Console
If you know at least one of these Accounts or Passwords, you can reset or recover the other two.  KB Solution a57342 details the instructions
1.       You can create a temporary Super Admin account to gain access to the Security Console if you know the Master Password - Fix D) above
2.       You can manage Operations Console Admin accounts if you know a Super Admin user and password - Fix E) above
3.       You can reset the Master Password if you know an Operations Console Admin Account user and password - Fix A) above
Reset the Radius Master Password if you have RADIUS - Fix B)  and update the Operations Console - Fix C) above
----------
a51679 | AM 7.1.2- Replica Radius server Configuration Failure -debug-
Goal
How to configure Primary or Replica Radius Server
Successfully configure a replica radius server
Fact
Authentication Manager 7.1.4 AM 7.1 SP4 Appliance 3.0.4
Replica Radius Server
RSA_Home\install\logs\configureRADIUSTRACE.log
RSA_Home\install\logs\config_trace.log.1
reveal radius shared secret, reveal radius secret, debug radius secret

Symptom
Unable to initialize IMSCommandProxy       
Caused by: com.rsa.installfwrk.common.command.exception.CommandException: RemoteCommand: Unable to initialize IMSCommandProxy
com.rsa.installfwrk.config.exception.ConfigurationException: Configuration Failed at com.rsa.installfwrk.config.ConfigUtil.main(ConfigUtil.java:38)
Caused by: com.rsa.installfwrk.config.exception.ConfigurationException: Failed configuration command execution
In some cases, when configuring the replica Radius server you will get the following:
Successfully configured RADIUS server
RADIUS Server Properties
Name: yourserver.FQDN
Type:
Status:
Note: The TYPE and STATUS will be blank, whereas in a successful configuration you will see the actual TYPE and STATUS of the radius server you configured.
Invalid Replication Secret
Check RSA_HOME/install/logs/config/ConfigureRadiusTrace.log for the following exception:
ERROR - Failed configuration command execution
com.rsa.installfwrk.config.exception.ConfigurationException: Failed configuration command execution
at com.rsa.installfwrk.config.ConfigEngine.execute(ConfigEngine.java:223)
at com.rsa.installfwrk.config.ConfigUtil.runConfig(ConfigUtil.java:53)
......
at weblogic.rmi.internal.BasicServerRef$BasicExecuteRequest.run(BasicServerRef.java:1016)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
at weblogic.work.ExecuteThread.run(ExecuteThread

Invalid primary replication secret was provided
RSA_HOME\radiusoc\configutil unconfigure radius returns "you need to be connected to a running server to execute this command". See a42984.
RSA RADIUS Server Operations Console service will not start - RSA RADIUS Server Operations Console service won't start - RSA RADIUS Server Ops Console service
winsvc.log [E] [ServiceStart] Error in JVM. Cause=Unable to open 'D:/PROGRA~2/RSASEC~1/RSAAUT~1/appserver/jdk\jre\lib\ia64\jvm.cfg'  <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason:

There are 1 nested errors:  weblogic.management.configuration.ConfigurationException: D:\Program Files\RSA Security\RSA Authentication Manager\radiusoc\config\config.xml not found
<Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>  [Mon Apr 16 18:10:53 2012] [I] [ExitHandler] Fire (-1)
<Server state changed to FAILED>
Cause
The failed configuration is caused because of an incorrect Replication Secret. Call RSA Customer Support to get the Debug utilities to read the actual replication secret set during the configuration of the Primary Radius server.
You will need a debug utility to read the actual replication secret used when the Primary Radius server was configured. Call RSA Customer Support at 800-995-5095 to get the Debug utilities.
- Copy the "debug" folder in the RSA_HOME/config directory.
- On the Primary server, from a command line cd to the RSA_HOME/config directory and run the following command
 For Windows: configutil configure debug rsa.radius.server.secret
For Unix/Linux: ./configUtil.sh configure debug rsa.radius.server.secret  (Note: make sure that the proper permissions are set on the debug folder)
The outcome will finish with the following:
rsa.radius.server.secret=[rsa123]
Configuration complete
Exiting...
The replication secret used to configure the Primary Radius server is [rsa123] without the brackets. Use the replication secret from the debug output to configure the replica Radius server.
Fix
If name resolution is correct, reset the system fingerprint for both SecurID and Radius:

From CMD prompt, cd RSA_HOME
cd utils
rsautil manage-secrets -a recover
Master Password:

cd ..\radiusoc\utils
rsautil manage-secrets -a recover
Radius Master Password:                      (should be same as Master Password.  We might even hit a problem with special characters.)

Next, rebalance Agent Hosts. If that does not fix it,
next try the debug procedure from Cause above.
As a last resort, try this risky fix before re-installing SP4:
a42984
From a Command prompt
1.    cd RSA_Home\config
2.    configutil unconfigure radius
3.    <confirm that RSA RADIUS OC service is no longer in Windows Services>
4.    configutil configure radius
5.    <wait - until RSA RADIUS OC Service shows in Services>
6.    May not need to do the rest of this:
7.    Mark/Select the output from configure radius command, paste into Wordpad, search for    RADIUS OS user
8.    The line will look something like this: RADIUS OS user RadiusQwFKXOva has password y9Ml13jahi-$$,
       a.    carefully select and copy the 14 character password, including any commas, e.g. y9Ml13jahi-$$,
       b.    Go to Windows Computer Management - Users, find the Radius user, e.g. RadiusQwFKXOva, and click Set Password.  Paste in   y9Ml13jahi-$$,
9.    Try Operations Console - RADIUS - Manage Existing.  If none, try RADIUS - Configure Server

If this does not work, un-install and re-install AM 7.1 SP4 and patches
If the RSA_HOME/install/logs/config/ConfigureRadiusTrace.log indicates an issue with communication to the primary, make certain that 1812 TCP (RADIUS Replication Port) and 7002 TCP are listening between primary and replica. The log should indicate which ports represent the issue with communication. If these are not listening on the primary, try restarting AM services on the primary and try again.
note
RADIUS_debug.zip
---------
Symptom
C:\Program Files\RSA Security\RSA Authentication Manager\imsoc\logs\ops-console.log
@@@2010-11-14 09:00:19,526 ERROR [[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] GUILog.traceException(587) | exception: javax.naming.NameNotFoundException: Unable to resolve 'ejb.CommandServerSSLClientAuth'. Resolved 'ejb' [Root exception is javax.naming.NameNotFoundException: Unable to resolve 'ejb.CommandServerSSLClientAuth'. Resolved 'ejb']; remaining name 'CommandServerSSLClientAuth' at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:217)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:338)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:252)
Unable to contact the Primary RADIUS Server. You may specify any alternate IP Addresses before you configure. Also check the network connectivity of your Primary RADIUS Server.
Unable to resolve 'ejb.CommandServerSSLClientAuth'.
Configure Radius on Replica
Radius fails to configure with GUI error: Unable to contact the Primary RADIUS server.
Cause
One of the commandServer components failed to load, in this case CommandServerSSLClientAuth.  As this component is missing, Radius configuration cannot complete.
Fix
Stopping and starting the Radius OC service generally resolves this.  If not, contact RSA Support.
To stop and start RADIUS services on UNIX or the RSA SecurID Appliance 3.0, open an SSH session and do the following: 
login as: emcsrv
emcsrv@cs-appliance3-05.na.rsa.net's password: <enter OS user password>
Last login: Thu Jun 14 14:13:58 2012 from 10.100.41.49
-bash-3.00$ sudo su - rsaadmin
Password: <enter OS user password>
-bash-3.00$ cd /usr/local/RSASecurity/RSAAuthenticationManager/server
-bash-3.00$ ./rsaam stop radiusoc
RSA RADIUS Operations Console:                             [  OK ]
-bash-3.00$ ./rsaam start radiusoc
RSA RADIUS Operations Console:/usr/bin/nohup: appending output to `nohup.out'
                                                           [  OK ]
-bash-3.00$
To stop and start RADIUS services on Windows, open a command prompt: 
C:\> cd C:\Program Files\RSA Security\RSA Authentication Manager\server
C:\> rsaam stop radiusoc
RSA RADIUS Operations Console:                             [  OK ]
C:\> rsaam start radiusoc
RSA RADIUS Operations Console:/usr/bin/nohup: appending output to `nohup.out'
                                                           [  OK ]
C:\>
note
It is unknown why the component fails to load, stopping/starting RadiusOC service resolves the issue.

-----------------------
a36043 | Authentication Manager 7.1 startup fails
Goal
How to reset, re-do redo the system fingerprint finger print finger-print
Fact
Authentication Manager 7.1
Microsoft Windows 2003
Redhat Linux Advanced Server 4.0, 5.5
Symptom
Authentication Manager startup fails - Services will not start
imstrace.log shows "com.rsa.ims.security.keymanager.sys.SystemModificationThresholdException: System was modified beyond the allowed threshold, cannot decrypt"
com.rsa.ims.security.keymanager.sys.SystemModificationThresholdException: System was modified beyond the allowed threshold, cannot decrypt.
 at com.rsa.ims.security.keymanager.sys.PropertiesLoader.a(PropertiesLoader.java:72)
 at com.rsa.ims.security.keymanager.sys.PropertiesLoader.loadFields(PropertiesLoader.java:201)
Could not get JDBC Connection
Cause
During the installation of Authentication Manager 7.0 a series of keys and passwords are created, these are secured in a file which itself is encrypted.  The system is able to decrypt the contents of this file because the encrypt/decrypt key is derived from certain "fingerprint" elements from the hardware.  If a number of hardware components are modified then this fingerprint changes and the file cannot be decrypted and most of the Authentication Manager processes will fail to start.
Fix
RSA Authentication Manager is designed to allow for hardware alterations and this simply requires the administrator to reset the encrypted file store.

Restore the system fingerprint by stopping the RSA Authentication Manager Server (rsaam stop) then running rsautil manage-secrets -a recover command from the utils directory.  For example:

Linux:
        # ./rsautil manage-secrets -a recover
        Enter Master Password:********
        Machine fingerprint restored successfully.
        #

Appliance:
        SSH with emcsrv user
        password: <OS Password>
        sudo su -
        password: <OS Password>
        su rsaadmin                            <no password needed> 
        # ./rsautil manage-secrets -a recover
        Enter Master Password:********
        Machine fingerprint restored successfully.
        #

Windows:
        C:\Program Files\RSA Security\RSA Authentication Manager\server\utils> rsautil manage-secrets -a recover
        Enter Master Password:********
        Machine fingerprint restored successfully.
        C:\Program Files\RSA Security\RSA Authentication Manager\server\utils>

You should then be able to start the server although a complete server restart is most appropriate to ensure a smooth startup of all services.
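
The error strings quoted in the Symptom sections above (a1273, a57342, a51679, the RADIUS Operations Console section and a36043) can be matched against a log file mechanically. This is an added example, not part of the KB articles; the function names, the output format, the "radiusoc" label for the untitled section and the sample log are constructed.

```shell
#!/bin/sh
# Added example, not part of the KB articles. Signatures and remedies are the
# ones quoted in the articles above; everything else is constructed.

# signature_table -> article|fixed string to search for|remedy from the article
# ("radiusoc" labels the untitled RADIUS Operations Console section.)
signature_table() {
    cat <<'EOF'
a1273|Dependent SDToken record exists|stop ACE/Server, back up, then: proutil ../../data/sdserv -C idxbuild all
a57342|failed to decrypt system key|master password problem: see a57342 Fix A, then B and C
a51679|Unable to initialize IMSCommandProxy|check the replication secret; rsautil manage-secrets -a recover in utils and radiusoc/utils
a51679|Failed configuration command execution|check the replication secret; rsautil manage-secrets -a recover in utils and radiusoc/utils
radiusoc|Unable to resolve 'ejb.CommandServerSSLClientAuth'|rsaam stop radiusoc; rsaam start radiusoc
a36043|SystemModificationThresholdException|rsaam stop, then rsautil manage-secrets -a recover
EOF
}

# triage_log FILE -> one tab-separated line per signature found in FILE:
# article, number of matching lines, signature, remedy.
# Returns 0 if at least one signature matched, 1 otherwise.
triage_log() {
    tl_file=$1
    tl_hits=0
    while IFS='|' read -r tl_kb tl_sig tl_fix; do
        # -F: the signature is a fixed string, not a regular expression
        tl_n=$(grep -F -c -e "$tl_sig" "$tl_file" || true)
        if [ "${tl_n:-0}" -gt 0 ]; then
            printf '%s\t%s\t%s\t%s\n' "$tl_kb" "$tl_n" "$tl_sig" "$tl_fix"
            tl_hits=$((tl_hits + 1))
        fi
    done <<EOF
$(signature_table)
EOF
    [ "$tl_hits" -gt 0 ]
}

# Constructed sample log, assembled from lines quoted in the articles.
sample_log() {
    cat <<'EOF'
com.rsa.ims.security.keymanager.sys.SystemModificationThresholdException: System was modified beyond the allowed threshold, cannot decrypt.
 at com.rsa.ims.security.keymanager.sys.PropertiesLoader.loadFields(PropertiesLoader.java:201)
Could not get JDBC Connection
exception: javax.naming.NameNotFoundException: Unable to resolve 'ejb.CommandServerSSLClientAuth'. Resolved 'ejb'
Unable to resolve 'ejb.CommandServerSSLClientAuth'.
EOF
}

# Stand-alone use: sh triage.sh /path/to/imstrace.log
if [ $# -gt 0 ]; then
    triage_log "$1"
fi
```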
----------------
a41725 | How to synchronize RSA SecurID tokens in RSA Authentication Manager 7.1
Goal
Synchronize RSA SecurID tokens in RSA Authentication Manager 7.1
Run a setsync or setsyncint equivalent in RSA Authentication Manager 7.1
Fact
RSA Authentication Manager 7.1 has a built-in RSA utility called "sync-tokens" that replaces setsync and setsyncint. The utility creates a batch job that is listed in the RSA Security Console. Like the former utility, the output is a text file.
RSA Authentication Manager 7.1
RSA SecurID Appliance 3.0
token synchronization, synchronize tokens, sync tokens
RSA Synchronize Tokens utility (rsautil sync-tokens)
Symptom
The server time drifted, and tokens need to be resynchronized in batch.
setsyncint
Fix
How to synchronize RSA SecurID tokens in RSA Authentication Manager 7.1

If system clock drift is an issue, see the following solutions first:
  • solution a49766 on how to start the NTP service automatically when the Appliance is rebooted
  • solution a44785 on how to change or set the date, time, time zone, or NTP server settings on an RSA SecurID Appliance after it has been set up
Important: The sync-tokens utility has a bug in the original version that was resolved. For RSA Authentication Manager software installations, Patch 7.1.1 411888 or later (also known as  am-7.1.1-build20080804161513) is required, and 7.1.2 (Service Pack 2) or later is recommended. For the RSA SecurID Appliance, version 3.0.0.3 or later is required, and version 3.0.2 (Service Pack 2) is recommended.

To synchronize all tokens in RSA Authentication Manager 7.1:
  1. (Appliances only) Do the following:

    a. Connect to the Appliance using the console or an SSH client. (For remote access using an SSH client, verify in the RSA Operations Console that the Appliance is enabled for SSH connectivity.)

    b. Log on using the emcsrv account and the Operating System password.

    c. Switch users to root. Run:
      sudo su
    When prompted, enter the Operating System password.

    d. Switch users to rsaadmin. Run:
      su rsaadmin

    e. Set the current directory to the folder that contains the RSA utilities. Run:
    cd /usr/local/RSASecurity/RSAAuthenticationManager/utils

    f. Set the environmental variables. Run:
      . ./rsaenv
    Note: This command begins with a period, space, period, and forward slash.
  2. Set the correct time on the RSA Authentication Manager server.
  3. Synchronize the tokens:

    a. (Recommended) Create a text file where you can write output from the command, for example, c:\sync.txt. On the Appliance, a convenient location is /tmp/sync.txt.

    b. Open a command prompt, and set the current directory to RSA_HOME/utils where RSA_HOME is the RSA installation path.

    c. Run the RSA Synchronize Tokens utility using one of the following commands:
    Windows
    rsautil sync-tokens -I


    Appliance and UNIX-based systems
    ./rsautil sync-tokens -I

    (Run this command as rsaadmin.)

    The -I option runs the utility in interactive mode so that the system prompts you to configure options for the sync token job.

    Note: To see all the options for this utility, run:
    rsautil sync-tokens ?

    d. Follow the prompts to synchronize tokens. Set the token offset to 0, and reset the Next Tokencode Mode.

    Note: RSA recommends running the command in list mode first so that you can see the current state of the token database and offsets. (You can include list mode as an option, or select it in interactive mode.) If the output file size is 0, check the batch job results and look for a batch job related to sync-tokens. If you run the sync-tokens utility in list mode and it does not produce any output, you might need to run identity source cleanup first.

    e. When the job completes, review the output file if you specified one, and test a token. 


Command output example

The following example shows the command being run in list mode on Windows on the entire token database. Note that the sync-tokens utility has many options and capabilities that are not all shown in this example.

------------------------------------------------------------------------ 
C:\Program Files\RSA Security\RSA Authentication Manager\utils>rsautil sync-tokens -I  

Authenticator Bulk Synchronization Utility am-7.1.0-build20080715085805

Copyright (C) 2008 RSA Security Inc. All rights reserved.  

Enter the absolute path for the output report file               : c:\sync.txt

Enter the base security domain name for recursive search [(none)]: none
Enter the type of token selection                [ (all) | file ]: all
Choose a token filter          [ assigned | unassigned | (both) ]: both
What action do you wish to perform?           [ (list) | modify ]: modify
Enter type of clock offset value  [ absolute | relative | (none)]: absolute
Enter clock offset value                                      [0]: 0

Do you want to reset the Next Tokencode Mode?             [ y/n ]: y
Do you want to reset the last login date and time?        [ y/n ]: n
Do you want to clear user lockout information?            [ y/n ]: y
Enter administrator user ID                                      : admin
Enter administrative password                                    : ***********  

Authenticator Bulk Synchronization Utility am-7.1.0-build20080715085805

Copyright (C) 2008 RSA Security Inc. All rights reserved.  

Started job on Wed Aug 20 10:19:51 EDT 2008 with ID = ims.e07c584ba263650a018d923bd0ac085d  

C:\Program Files\RSA Security\RSA Authentication Manager\utils> 
------------------------------------------------------------------------ 


Output file example

The following example shows the output file c:\sync.txt.

------------------------------------------------------------------------ 
# Authenticator Bulk Synchronization Utility
# (c) 2005-2006 RSA Security Inc.
#
# THIS FILE COULD BE USED AS A SOURCE OF TOKEN SERIAL NUMBERS.
#
# EACH SERIAL NUMBER MUST BE 12 DIGITS IN LENGTH.
#
# SERIAL NUMBERS LESS THAN 12 DIGITS MUST BE PREFIXED WITH ZEROS
# IN ORDER TO MEET THIS LENGTH REQUIREMENT.
#
# UPDATING Token Data [Wed Aug 20 10:59:13 EDT 2008]
#
# Token            Clock   Next Tokencode  Last Login     Principal       Security
# Serial Number    Offset  Mode Status     Date/Time      Lockout Status  Domain 
  000032388427     0       false           None           <unassigned>    SystemDomain

  000032388428     0       false           None           <unassigned>    SystemDomain
  000032388429     0       false           None           <unassigned>    SystemDomain
  000032388430     0       false           None           <unassigned>    SystemDomain
  000032388431     0       false           None           <unassigned>    SystemDomain
  000032388432     0       false           None           <unassigned>    SystemDomain
  000032388433     0       false           None           <unassigned>    SystemDomain
  000027460501     -58     false           None           Unlocked        SystemDomain
  000027460502     0       false           None           <unassigned>    SystemDomain
  000027460503     0       false           None           <unassigned>    SystemDomain
  000027460504     0       false           None           <unassigned>    SystemDomain
  000027460505     0       false           None           <unassigned>    SystemDomain
  000027460506     0       false           None           <unassigned>    SystemDomain
  000027460507     0       false           None           <unassigned>    SystemDomain
  000027460508     0       false           None           <unassigned>    SystemDomain
  000027460509     0       false           None           <unassigned>    SystemDomain
  000027460510     0       false           None           <unassigned>    SystemDomain
  000032388434     0       false           None           <unassigned>    SystemDomain
  000032388435     0       false           None           <unassigned>    SystemDomain
  000032388436     0       false           None           <unassigned>    SystemDomain
  000032388437     0       false           None           <unassigned>    SystemDomain
  000032388438     0       false           None           <unassigned>    SystemDomain
  000032388439     0       false           None           <unassigned>    SystemDomain
  000032388440     0       false           None           <unassigned>    SystemDomain
  000032388441     0       false           None           <unassigned>    SystemDomain 
------------------------------------------------------------------------ 
note
As in version 6.1, the token authentication window expands from the normal [+3 -3] minute tolerance to [+10 -10] minutes from exact time when the server is first started or restarted. After a user's first authentication, it reverts to the normal +3 -3. This restart procedure may be all that is needed for small server clock changes in the range of 1 to 7 minutes.
When prompted to enter the type of clock offset value, the options are absolute, relative or none.
  • Absolute changes the offset to the defined value. For example if the current offset is 300 and an absolute value of 600 is defined, the new offset becomes 600.
  • Relative changes the current value by the defined value.  If the current offset is 300 and a relative change of 600 is defined, the new offset becomes 900.
  • None makes no changes to the value.
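An added example (not part of the RSA article or of rsautil) for reviewing a list-mode report before a modify run: it parses a report in the layout of the sync.txt example, picks out tokens with a non-zero offset or in Next Tokencode Mode, and previews the offset each token would have under the absolute, relative and none rules. The sample report, its serial numbers and all function names are constructed; the parser assumes that only the Last Login column may contain spaces.

```python
from dataclasses import dataclass

# Constructed sample in the layout of the c:\sync.txt example above
# (serial numbers and values are made up for the demonstration).
SAMPLE_REPORT = """\
# Authenticator Bulk Synchronization Utility
#
# Token            Clock   Next Tokencode  Last Login     Principal       Security
# Serial Number    Offset  Mode Status     Date/Time      Lockout Status  Domain
  000000000101     0       false           None           <unassigned>    SystemDomain

  000000000102     -58     false           None           Unlocked        SystemDomain
  000000000103     300     true            None           Unlocked        SystemDomain
  12345            0       false           None           <unassigned>    SystemDomain
"""


@dataclass
class TokenRow:
    serial: str
    offset: int
    next_tokencode_mode: bool
    last_login: str
    lockout_status: str
    security_domain: str


def normalize_serial(raw):
    """Left-pad a serial with zeros to the 12 digits the report header requires."""
    if not raw.isdigit() or len(raw) > 12:
        raise ValueError(f"not a token serial number: {raw!r}")
    return raw.zfill(12)


def parse_report(text):
    """Parse data rows, skipping '#' comment lines and blank lines.

    Assumption: the first three and the last two fields contain no spaces;
    whatever sits between them is the Last Login value.
    """
    rows = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) < 6:
            raise ValueError(f"unexpected row layout: {line!r}")
        rows.append(TokenRow(
            serial=normalize_serial(fields[0]),
            offset=int(fields[1]),
            next_tokencode_mode=fields[2].lower() == "true",
            last_login=" ".join(fields[3:-2]),
            lockout_status=fields[-2],
            security_domain=fields[-1],
        ))
    return rows


def new_offset(current, mode, value):
    """Offset after a modify run, per the absolute/relative/none rules."""
    if mode == "absolute":
        return value            # replaces the current offset
    if mode == "relative":
        return current + value  # shifts the current offset
    if mode == "none":
        return current          # leaves the offset unchanged
    raise ValueError(f"unknown offset type: {mode!r}")


def tokens_needing_sync(rows):
    """Rows with a non-zero offset or with Next Tokencode Mode set."""
    return [r for r in rows if r.offset != 0 or r.next_tokencode_mode]


def preview(rows, mode, value):
    """Map serial -> (current offset, offset after the planned run)."""
    return {r.serial: (r.offset, new_offset(r.offset, mode, value)) for r in rows}


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for row in tokens_needing_sync(parsed):
        print(row.serial, row.offset, row.next_tokencode_mode, row.lockout_status)
    print(preview(parsed, "absolute", 0))
```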
---------------------
a48755 | How to connect to sqlplus to run a custom query or SQL query
Goal
How to connect to sqlplus to run a custom query or SQL query
Fact
Authentication Manager 7.1   7.x
Fix
Command Prompt:
cd to utils directory under RSA_HOME.  Typically \Program Files\RSA Security\RSA Authentication Manager\

1. run the following command
ON WINDOWS
rsautil manage-secrets -a get com.rsa.db.root.password

ON APPLIANCE or Linux:
./rsautil manage-secrets -a get com.rsa.db.root.password
After entering your master password you should have a result which will be used to connect to sqlplus in the next step.
com.rsa.db.root.password: HIKyB0Eobm
. ./rsaenv     (dot space dot/rsaenv)
Now enter the two commands below
sqlplus sys/<value from step1> as sysdba

Example:
SQL>  sqlplus sys/HIKyB0Eobm as sysdba
-------------
a50886 | Moving pre-RSA Authentication Manager 7.1 SP2 data on a UNIX platform
Fact
RSA Authentication Manager 7.1
RSA Authentication Manager 7.1 SP2
UNIX
migration
Change
moving data from pre-RSA Authentication Manager 7.1 SP2/ RSA Authentication Manager 7.1 SP2 to RSA Authentication Manager 7.1 SP2
Fix
The following steps assume you have a valid backup of a production system (where the production system was using pre-RSA Authentication Manager 7.1 SP2 or RSA Authentication Manager 7.1 SP2 software).

NOTE: at this time RSA is investigating why backup data from pre-RSA Authentication Manager 7.1 SP2 software installations does not restore into RSA Authentication Manager 7.1 SP3 software installations.
1)      Install clean RSA Authentication Manager 7.1 SP2 full installation kit – installed using the same administrative accounts and master password as the previous production system to ensure the encrypted IMS data backup restores correctly.

NOTE: using the same fully-qualified hostname and IP address for the new RSA Authentication Manager 7.1 SP2 installation is optional.
2)      Use the RSA Operations Console to configure the RADIUS server.
3)      Stop all RSA Authentication Manager processes.
As the super user ‘root’ navigate to the RSA_AM_HOME/server folder and use the command: ./rsaam stop all

e.g.
[rsaadmin@rham712p server]$ ./rsaam stop all
RSA Authentication Manager:                                [  OK  ]
RSA Authentication Manager Proxy Server:                   [  OK  ]
RSA Authentication Manager Administration Server:          [  OK  ]
RSA Authentication Manager Node Manager:                   [  OK  ]
RSA Authentication Manager Database Server:                [  OK  ]
RSA Authentication Manager Database Listener:              [  OK  ]
RSA Authentication Manager Operations Console:             [  OK  ]
RSA Authentication Manager Radius:                         [  OK  ]
RSA RADIUS Operations Console:                             [  OK  ]
[rsaadmin@rham712p server]


4)      Optional: Start the RSA Authentication Manager Database Listener and RSA Authentication Manager Database Server, as these processes are required to perform an IMS data backup of the new RSA Authentication Manager 7.1 SP2 software installation.
As the super user ‘root’ navigate to the RSA_AM_HOME/server folder and use the command: ./rsaam start db

e.g.
[rsaadmin@rham712p server]$ ./rsaam start db
RSA Authentication Manager Database Listener:              [  OK  ]
RSA Authentication Manager Database Server:                [  OK  ]
[rsaadmin@rham712p server]$

As the user specified for the database installation navigate to the RSA_AM_HOME/utils folder and run the command: ./rsautil manage-backup -a export -D -f /<pathname>/<filename>.dmp

e.g.
[rsaadmin@rham712p utils]$ ./rsautil manage-backup -a export -D -f /sandbox/backups/imsam71sp22May10.dmp
Enter master password: ***********
Operation started : SUN MAY 02 14:31:05 EST 2010
Exporting the user credentials
Exporting the database
Operation completed : SUN MAY 02 14:33:44 EST 2010
[rsaadmin@rham712p utils]$


5)      Use the tar command to archive the RADIUS folder. This tar file could be used later should there be any issues with the RADIUS restore reconfiguration.
As the super user ‘root’ navigate to the RSA_AM_HOME folder and use the following tar command to archive the RADIUS folder:
tar cvf radius_backup.tar radius/*

6)      Start all of the RSA Authentication Manager 7.1 SP2 processes on the new system.
As the super user ‘root’ navigate to the RSA_AM_HOME/server folder and use the command: ./rsaam start all

e.g.
[rsaadmin@rham712p server]$ ./rsaam start all
RSA Authentication Manager Database Listener:              [RUNNING]
RSA Authentication Manager Database Server:                [RUNNING]
RSA Authentication Manager Node Manager:                   [  OK  ]
RSA Authentication Manager Administration Server:          [  OK  ]
RSA Authentication Manager Proxy Server:                   [  OK  ]
RSA Authentication Manager:                                [  OK  ]
RSA Authentication Manager Operations Console:/usr/bin/nohup: appending output to `nohup.out'
                                                           [  OK  ]
RSA Authentication Manager Radius:                         [  OK  ]
RSA RADIUS Operations Console:/usr/bin/nohup: appending output to `nohup.out'
                                                           [  OK  ]
[rsaadmin@rham712p server]$


7)      Restore the IMS data backup from the other/older RSA Authentication Manager 7.1 system.
As the super user ‘root’ stop the RSA Authentication Manager process by using a shell script called ‘rsaam’ from the RSA_AM_HOME/server folder:

e.g.
[root@rham712p server]# ./rsaam stop managed          [Should be rsaam stop all, then rsaam start db]
RSA Authentication Manager:                                [  OK  ]
[root@rham712p server]#

Copy the IMS data backup (a dmp file and a secrets file) into a folder that is accessible by the user specified for the database installation of the RSA Authentication Manager 7.1 SP2 software.

As the user specified for the database installation, navigate to the RSA_AM_HOME/utils folder and run the following commands:
./rsautil setup-replication -a remove-primary
./rsautil manage-backups -a import -D -f /<pathname>/<filename>.dmp
./rsautil setup-replication -a set-primary

e.g.
[rsaadmin@rham712p utils]$ ./rsautil setup-replication -a remove-primary
Enter password: ***********

 Setup Replication ims-2.0.2-build20091007172001
 Copyright (C) 2008 RSA Security Inc. All rights reserved.

 %% Running at: rham712p:[ybecs7lb] %%

 =======================================
 %       Removing a Primary Site       %
 =======================================
 Type     Instance name           Hostname                DBname
 -------- ----------------------- ----------------------- ---------
 Primary  rham712p.bellnet.local  rham712p.bellnet.local  ybecs7lb

 Are you sure you want to remove this primary? (Y/N): y

 %% Starting configuration                             -- Status: Removing queues at [ybecs7lb]
 Done...

[rsaadmin@rham712p utils]$ ./rsautil manage-backups -a import -D -f /sandbox/backups/imsam71sp230Apr10.dmp
Enter master password: ***********
Are you sure you want to import the file and overwrite the existing data in the database?  (Y/N): y
Operation started : SAT MAY 01 17:54:18 EST 2010
Importing the user credentials
Importing the database
Flashback is turned on
Rename URL-based config values
.
.SQL*Plus: Release 10.2.0.4.0 - Production on Sat May 1 18:07:10 2010
.
.Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.
.
.
.Connected to:
.Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Production
.With the Partitioning, Data Mining and Real Application Testing options
.
.***************************************************************************************************
.*
18:07:13 : RSA_REP.IMS_PRINCIPAL_DATA is changed
18:07:13 : RSA_REP.PK_IMS_PRINCIPAL_DATA is changed
18:07:13 : RSA_REP.IDX_IMS_PRINC_DATA_IS_KEY is changed
18:07:13 : RSA_REP.IDX_IMS_PRINC_DATA_UID_IS is changed
18:07:13 : RSA_REP.FBI_IMS_PRINC_DATA_UID is changed
18:07:13 : RSA_BATCHREP.IMS_PRINCIPAL_LOGIN_DATE is changed
18:07:13 : RSA_BATCHREP.PK_IMS_PRINCIPAL_LOGIN_DATE is changed
18:07:13 : RSA_BATCHREP.IDX_IMS_PRINCIPAL_LOGIN_DATE is changed
18:07:13 : RSA_REP.AM_TOKEN is changed
18:07:14 : RSA_REP.IDX_AM_TOKEN_PK is changed
18:07:14 : RSA_REP.IDX_AM_TOKEN_PRINCID_FK is changed
18:07:14 : RSA_REP.IDX_AM_TOKEN_SERIAL_NUMBER_UK is changed
18:07:14 : RSA_REP.IDX_AM_TOKEN_TYPE_TOKEN_FK is changed
18:07:14 : RSA_REP.IDX_SEC_DOM_TOKEN_FK is changed
18:07:14 : RSA_REP.IDX_SW_TKN_DEV_TYP_TKN_FK is changed
18:07:14 : RSA_BATCHREP.AM_TOKEN_OOB is changed
18:07:14 : RSA_BATCHREP.IDX_AM_TOKEN_OOB_PK is changed
18:07:14 : RSA_BATCHREP.IDX_AM_TOKEN_OOB_UTC is changed
.*
.*  The script is executed successfully
.* **************************************************************************************************
.Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Production
.With the Partitioning, Data Mining and Real Application Testing options
Reset the IMS console meta data
.
.SQL*Plus: Release 10.2.0.4.0 - Production on Sat May 1 18:07:23 2010
.
.Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.
.
.
.Connected to:
.Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Production
.With the Partitioning, Data Mining and Real Application Testing options
.
.Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Production
.With the Partitioning, Data Mining and Real Application Testing options
All of data has been imported, and it is OK to start the system.
Operation completed : SAT MAY 01 18:07:24 EST 2010
[rsaadmin@rham712p utils]$ ./rsautil setup-replication -a set-primary
Enter password: ***********

 Setup Replication ims-2.0.2-build20091007172001
 Copyright (C) 2008 RSA Security Inc. All rights reserved.

 %% Running at: rham712p:[ybecs7lb] %%

 =======================================
 %       Setting up Primary Site       %
 =======================================
 [Primary]
 Port      : 2334
 DB name   : ybecs7lb
 DB host   : rham712p.bellnet.local
 Instance  : rham712p.bellnet.local
 Site name : rham712p.bellnet.local

 Is this correct (Y/N): y

 %% Starting configuration                             -- Status: Changing capture retention time [ybecs7 -- Registering primary information
 Done...

[rsaadmin@rham712p utils]$

Start the RSA Authentication Manager process that was stopped earlier: ./rsaam start managed

e.g.
[root@rham712p server]# ./rsaam start managed
RSA Authentication Manager Database Listener:              [RUNNING]
RSA Authentication Manager Database Server:                [RUNNING]
RSA Authentication Manager Node Manager:                   [RUNNING]
RSA Authentication Manager Administration Server:          [RUNNING]
RSA Authentication Manager Proxy Server:                   [RUNNING]
RSA Authentication Manager:                                [  OK  ]
[root@rham712p server]#


8)      As the super user ‘root’ reconfigure RADIUS at the command line.
As the super user ‘root’ navigate to the RSA_AM_HOME/config folder and use the ‘configUtil.sh’ command to reconfigure RADIUS.

e.g.
[root@rham712p RSAAuthenticationManager]# cd config
[root@rham712p config]# ./configUtil.sh configure radius finalize-radius-restore
[root@rham712p config]#


If you encounter the following error:
Action configure
Product radius
Module finalize-radius-restore
JVM_HOME=/usr/local/RSASecurity/RSAAuthenticationManager/appserver/jdk
readSecrets PropDir: /usr/local/RSASecurity/RSAAuthenticationManager/utils/etc
Action: start
Using service/script 'Steel-Belted Radius'/'radiuswrapper.bin'
Starting RADIUS Service...
Checking XUI Connection...
Done.
RADIUS Server Cert Generation: SUCCESS
RADIUS Server Cert Install: SUCCESS
RemoteCommand: Properties dir: /usr/local/RSASecurity/RSAAuthenticationManager/utils/etc
RemoteCommand: Connecting to Local AM as rsaadmin
RemoteCommand: Error Initializing CommandProxy: com.rsa.ims.authn.AuthenticationException: Access Denied
Configuration failed
Exiting...

..use knowledge article a48690 - How to determine the password of the superadmin account used by configUtils.

9)      Use the RSA Operations Console and RSA Security Console to check the integrity of the restored database and check the RADIUS configuration.

i) Use the RSA Operations Console > Deployment Configuration > RADIUS > Manage Existing > {select} Server Name and Manage RADIUS Server.

ii) Use the RSA Security Console > RADIUS > RADIUS Servers > {select} Server Name and select Edit.
Please contact RSA Customer Support should you still have issues with the database migration.
-----------------
a52398 | Agent does not auto-register with the RSA Authentication Manager
Fact
RSA Authentication Manager 7.1
RSA Authentication Agent for Windows
Auto-registration
Auto Registration
Migration
Symptom
RSA Authentication Agent for Windows does not auto-register with the RSA Authentication Manager
Nothing appears in the real-time authentication activity monitor
Change
RSA Authentication Manager 6.1 database was migrated to RSA Authentication Manager 7.1 SP2 (or RSA SecurID Appliance 3.0 SP2)
Cause
The server certificate (server.cer) used by the RSA Authentication Agent for Windows does not match the RSA Authentication Manager to allow SSL connectivity
Fix
To complete the migration and to allow the agent auto-registration program to update the agent host record in the authentication manager database the agent server certificate (server.cer) located in the “C:\Program Files\RSA Security\RSA Authentication Agent\Agenthost Autoreg Utility” folder must be replaced with the server certificate from the license files used by the RSA Authentication Manager 7.1 SP2 software installation.
IMPORTANT NOTE: ensure the RSA Authentication Manager 7.1 software has RSA Authentication Manager 7.1 Service Pack 3 applied (or RSA SecurID Appliance 3.0 Service Pack 3 for an RSA SecurID Appliance 3.0), as it contains a fix for auto-registration.
Also, edit the agent host record and unprotect the IP address of the agent or remove the agent host record from the authentication manager database so the agent can register itself with an unprotected IP address.
Changes to agent host records are done via the RSA Security Console > Access > Authentication Agents > Manage Existing – search Unrestricted or Restricted for the agent host record.
 
-------------

a48654 | RADIUS migration from Authentication Manager 6.1 to Authentication Manager 7.1 SP2
Goal
Migrate RADIUS from Authentication Manager 6.1 to Authentication Manager 7.1 SP2
Fact
Authentication Manager 7.1 SP2
Appliance 3.0 SP2
RADIUS Migration
Fix
This knowledge article assumes you have already installed your RSA Authentication Manager 7.1 SP2 and have configured RSA RADIUS correctly following the RSA Authentication Manager 7.1 installation guide.

Below is how to correctly migrate your RSA RADIUS 6.1 data using the RADIUS export utility from the RSA Authentication Manager 7.1 SP2 full installer kit:

1. Navigate through the RSA Authentication Manager 7.1 SP2 installation media to the client/util/ folder, copy the am61RADIUSExportUtility.zip file to the Authentication Manager 6.1 Primary server, and unpack the file into a working directory (e.g. C:\amsoftware)
2. On the Authentication Manager 6.1 server, go to the command line and navigate to the directory you unpacked the am61RADIUSExportUtility.zip file

type: patchRemoteAdmin.bat

3. press ENTER
4. type "y" followed by ENTER
5. Type the path to the case installation directory e.g. C:\Program Files\RSA Security\RSA Authentication Manager
6. Press ENTER but do not go any further with the patchRemoteAdmin at the command line for the moment.

7. When prompted, on the Windows desktop do one of the following:
• For Authentication Manager on the local host machine, click Start > Programs > RSA Security > RSA Authentication Manager Host Mode to open the Authentication Manager 6.1 Administration client.
• For Authentication Manager on a remote host machine, click Start > Programs > RSA Security > RSA Authentication Manager Remote Mode. Log on to the remote host machine to open the Authentication Manager 6.1  Administration client
8. Select RADIUS > Manage RADIUS Server. The RSA AM6.1 Export utility box opens
9. Select " Generate package"
10. When the export is complete, Authentication Manager 6.1 Export Utility dialog box displays the location of the RADIUS migration package file, <RSA_AM_HOME>\prog\radius\Admin

11. Back with the patchRemoteAdmin type "Y" and press ENTER on the "Have you completed the export operation and are ready to restore the client to its original state."
12. "Do you really want to remove this update?" type "Y"
13. Close the command prompt

Here is an example of running patchRemoteAdmin.bat at the command line:

C:\software\am61RADIUSExportUtility>patchRemoteAdmin.bat
###########################################################################################
[INFO] To run this script, you must be an RSA Authentication Manager 6.1 administrator
[INFO] This script enables your remote administration client to export RADIUS data from an Authentication Manager 6.1 installation.
[INFO] This script temporarily alters the functionality of your Remote Administration client.
[INFO] After exporting the RADIUS data, the script gives you the option to restore administrative functionality to this Remote Administration client.
###########################################################################################
Do you really want to continue (Y/N)? y
Enter the installation directory of the RSA Authentication Manager Remote Database Administration client: ("C:\Program Files\RSA Security\RSA Authentication Manager") : <ENTER>
3 File(s) copied
1 File(s) copied
1 File(s) copied
1 File(s) copied
[INFO] "AM6.1 RADIUS export patch applied successfully"
###########################################################################################
[INFO] Installation of the RSA Radius Data Export utility is complete.
You can now run the utility to create the RADIUS migration package.
do the following now:
-- Log on to the Remote Administration client
-- click RADIUS menu and select Manage RADIUS server menu option
-- click export to start the export process
###########################################################################################
 If you have generated the RADIUS migration package, do you want to restore administrative functionality to this Remote Administration client? (Y/N)? y
###########################################################################################
[INFO] It is assumed that you have exported RADIUS server data from your AM 6.1
[INFO] RSA Security recommends that you remove the export functionality from this Remote Administration client, after generating the migration package. If you do not remove the export functionality, you cannot remotely administer your Authentication Manager 6.1 from this Remote
Administration client.
###########################################################################################
Do you want to remove the export functionality from this Remote Administration client (Y/N)? y
[INFO] RSA RADIUS 6.1 Export functionality has been successfully removed and administrative functionality has been restored.

C:\Program Files\RSA Security\RSA Authentication Manager\prog\radius\Admin>


Using the RSA Operations Console to migrate the RSA RADIUS 6.1 data files

To migrate the RSA RADIUS 6.1 data files on the primary instance:

1. On the primary instance, launch and log on to the RSA Operations Console with an administrative user account.
2. Click Deployment Configuration > Migration > RADIUS Database.
3. On the Additional Credentials Required page, enter the current Super Admin User ID and password. Click OK.
4. On the RADIUS Server Migration page, browse to the location of the RADIUS migration package file

[You generate the RSA RADIUS migration package file before you install the primary instance. For more information, see “Creating a RADIUS Migration Package File” on page 67 of the AM7.1 Migration guide.]

5. Click Start Migration.
6. Click Done.
7. Use the RSA Security Console to force replication to all RADIUS replica servers:
  a. On the primary instance, launch and log on to the RSA Security Console.
  b. Click RADIUS > RADIUS Servers.
  c. Click Force Replication to All.
note
In order to migrate RADIUS, you need to create a RADIUS migration file using the RADIUS Export utility provided on the RSA Authentication Manager 7.1 installation media.

This tool is found in the /root_directory/client/util/am61RADIUSExportUtility.zip
See a48564 for additional information.
-----------
a41394 | Problem migrating 6.1 database to Authentication Manager 7.1
Fact
Authentication Manager 7.1
Symptom
Error: "Migration did not complete successfully. Review the migration report or logs for details about the issue. Migration can be re-run and will ignore any information already migrated."
Error: "failed to add domain object TOKEN"
Cause
An expired token is assigned to a user in the 6.1 database, and cannot be migrated. This is possibly a bug, and is being examined.
Fix
Workaround:
Examine the migrate.log file, and look for the last token created, it will look something like
Token "000012345678" created
This is the last token to be successfully imported. Edit the NEXT token in the 6.1 database (assuming the serial number is one more) to verify this token is assigned and expired, and unassign it. Repeat the dump from 6.1, and migrate to 7.1  with the new dumpfile. 
On the 6.1 database, run the report Token > List Tokens > A range of tokens by expiration. Select Tokens that will expire in the next (30) days (or some other number as appropriate), and put a check in the box "Include tokens that expired before today." If there are several expired (or expiring) tokens still assigned to users in the 6.1 database, the RSA Administrator should consider a plan to unassign these tokens. This plan may include replacing some or all of these tokens. Once no more users have expired or expiring tokens assigned to them, repeat the dump of the 6.1 database, and repeat the migration to 7.1.
note
On a related issue, run the report Token > List Tokens > All tokens with replacements. If the AM6.1 database has users with both Original and Replacement tokens, it is suggested that these users be contacted, and asked to authenticate with the replacement token, to cause the Original token to be unassigned.  If these users cannot be reached, as an alternative, the administrator can unassign the Original token from the user.
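An added example (not RSA's tooling) of the migrate.log check from the workaround above: it finds the last token created before the "failed to add domain object TOKEN" error and derives the next serial number to inspect in the 6.1 database, under the article's assumption that the serial is one higher. Only the two quoted message strings come from the article; the rest of the sample log and the function names are constructed.

```python
import re

# Constructed migrate.log excerpt. Only the 'Token "<serial>" created' and
# 'failed to add domain object TOKEN' strings come from the article; the
# surrounding lines and their layout are invented for the demonstration.
SAMPLE_LOG = """\
User "jdoe" created
Token "000000000101" created
Token "000000000102" created
User "asmith" created
Token "000000000103" created
failed to add domain object TOKEN
Migration did not complete successfully.
"""

CREATED = re.compile(r'Token "(\d{1,12})" created')
FAILURE = "failed to add domain object TOKEN"


def last_token_before_failure(log_text):
    """Return (last created serial or None, whether the failure was seen).

    Scanning stops at the first failure line, in case a later re-run has
    appended more 'created' lines to the same file.
    """
    last = None
    for line in log_text.splitlines():
        if FAILURE in line:
            return last, True
        match = CREATED.search(line)
        if match:
            last = match.group(1).zfill(12)
    return last, False


def next_serial(serial):
    """Serial to inspect in the 6.1 database, assuming it is one higher."""
    value = int(serial) + 1
    if value > 999_999_999_999:
        raise ValueError("no 12-digit serial follows " + serial)
    return f"{value:012d}"


def token_to_inspect(log_text):
    """Next serial after the last successful import, or None when the log
    shows no token failure or no token was created before it."""
    last, failed = last_token_before_failure(log_text)
    if not failed or last is None:
        return None
    return next_serial(last)


if __name__ == "__main__":
    print("Last imported token:", last_token_before_failure(SAMPLE_LOG)[0])
    print("Check this serial in the 6.1 database:", token_to_inspect(SAMPLE_LOG))
```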

-------------------
a42841 | 7.1: Unable to promote a replica radius server to be a primary using disaster recover method
Goal
Unable to promote a replica radius server to be a primary using disaster recover method
Fact
Authentication Manager 7.1
Radius
Symptom
Error message when trying to promote the replica radius server, "Sorry, your request cannot be processed at this time.  There was a problem processing your request  An unknown system error occurred"
Cause
There are two methods for promotion of a replica Radius to be a primary.  If the primary Authentication Manager is up you can just log onto the Primary's Authentication Manager Operations Console and manage RADIUS replica and select promote.  If the primary server is not available (disaster recovery option) you will need to promote an Authentication Manager replica server to be the primary first, then promote the RADIUS server through the newly promoted primary's Operations console.  The instructions in the install guide starting on page 221 do work, but there are a couple of things that may have been overlooked.  Please follow the instructions below:
Fix
1. Promote the Authentication Manager replica to be a primary by logging into the RSA Operation Console and choosing Promote
2. On the new Primary cd to RSA Security\RSA Authentication Manager\radiusoc\utils and run "rsautil manage-secrets -a set com.rsa.radius.oc.cert.cn.1 NewPrimary.domain.com"
3. Verify the setting took by running "rsautil manage-secrets -a get com.rsa.radius.oc.cert.cn.1"
4. Restart all RSA services on server (new primary)
5. Make sure the local RADIUS admin's password matches the one stored in the Authentication Manager. To do this, find the RADIUS user by right-clicking on My Computer > Manage > Local Users, then go into Authentication Manager Security Console --> RADIUS --> RADIUS Servers --> select the replica --> edit. You will see the username under RADIUS Admin User Name. Change the local user password and the password on this page so that they match, then hit save.
6. Logon to the RSA Operation Console and choose Deployment Configuration --> RADIUS --> Manage existing, then choose the replica and select Promote Replica to become new Primary.
note
This process will not work if you run the rsautil command from RSA Authentication Manager\utils. You need to be in radiusoc\utils.

-------
a42294 | RSA RADIUS 7.1 replication not working after replica installation
Goal
Enabling RSA RADIUS 7.1 replication between Primary and Replica
Fact
Authentication Manager 7.1
SBR Radius 7.1
Symptom
<date> <time> CRadConfigServerProviderPost::ExecutePost unknown managed server spec: <replica_fqdn>
<date> <time> CRadManagedServerUpdate::ProcessPackage CCM error: disabled replica server '<replica_fqdn>'
<date> <time> CRadManagedServerUpdate::DownloadPackage exceeded iterations limit while communicating with CCM <primary_fqdn>
Change
RSA Authentication Manager 7.1 replica installed with RSA RADIUS 7.1 where a radius replication package was not used during installation
Fix
Further steps are required to enable the radius replica and force the radius primary to publish a replication package to the replica.

1)       By default the primary replication option ‘Enable replication of the primary RADIUS server’ is enabled but the primary replication status is ‘Primary: unpublished’

2)       Enable the option ‘Enable the  server for replication with the primary RADIUS server’ as by default the Replication status of the replica is ‘Replica: disabled’

Enable: Security Console > RADIUS > RADIUS Servers > {left-click the replica server name} > Edit > {check} Enable the  server for replication with the primary RADIUS server > {click} Save

3)       Next, force replication for each radius server, primary first and then replica.

Primary: Security Console on primary > RADIUS > RADIUS Servers > {left-click the primary server name} > {click} Force Replication

Replica: Security Console on primary > RADIUS > RADIUS Servers > {left-click the replica server name} > {click} Force Replication  --  this will change the Replication status of the replica to ‘Replica: unpublished’

4)       Lastly, use Security Console > RADIUS > RADIUS Servers > {click} Force Replication to All button

* this will change the Replication Status for the primary and replica RADIUS servers to Primary: up-to-date and Replica: up-to-date

Typical messages seen in the RSA RADIUS log (e.g. yyyymmdd.log) located in the <inst_dir>\RSA Authentication Manager\radius\Service directory:

<date> <time> Publishing package packages\1222403881_SBR.ccmpkg stamp 1222403881 server <primary_fqdn>
<date> <time> Publishing package packages\1222403881_SBR.ccmpkg stamp 1222403881 server <replica_fqdn>
<date> <time> CRadConfigManagedServerHTTPNotification::NotifyTarget <replica_fqdn> address <replica_IP_address> port 1812 url /ccm-update
  
5)       Ensure the RSA RADIUS 7.1 process is running on both the primary and replica before performing authentication tests

A useful RADIUS test client is available from URL http://www.mastersoft-group.com/download/ - product to choose is the ‘NTRadPing  RADIUS Test Utility (Free)’

Please refer to knowledge article 'RADIUS authentication test with RSA RADIUS 7.1' to test RSA RADIUS 7.1 authentications or contact RSA Customer Support if you are still experiencing technical issues with RSA RADIUS replication.
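
A way to confirm from the RSA RADIUS log that the fix took, as an added example (not part of the original article or of RSA's tooling): it reads the message shapes quoted above and reports, per server, whether a package was published and which failures are still open. The host names, the sample lines, the MM/DD/YYYY HH:MM:SS timestamp prefix and the rule that a later publish clears earlier failures are assumptions.

```python
import re

# Timestamp prefix is an assumption; message shapes are the ones quoted in the article
LINE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (.*)$")
PUBLISH = re.compile(r"Publishing package \S+ stamp (\d+) server (\S+)")
FAILURES = [
    (re.compile(r"unknown managed server spec: (\S+)"),
     "not recognised as a managed server"),
    (re.compile(r"CCM error: disabled replica server '([^']+)'"),
     "replication is disabled for this replica"),
    (re.compile(r"exceeded iterations limit while communicating with CCM (\S+)"),
     "package download from this CCM host gave up"),
]

# Constructed sample: the replica was installed without a replication package
SAMPLE_LOG = r"""
03/14/2009 09:00:01 CRadConfigServerProviderPost::ExecutePost unknown managed server spec: replica.example.com
03/14/2009 09:00:02 CRadManagedServerUpdate::ProcessPackage CCM error: disabled replica server 'replica.example.com'
03/14/2009 09:05:10 Publishing package packages\1222403881_SBR.ccmpkg stamp 1222403881 server primary.example.com
""".strip().splitlines()


def replication_report(lines, servers):
    """Map each expected server to (state, [open failures])."""
    stamp = {}
    failures = {s: [] for s in servers}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        msg = m.group(1)
        pub = PUBLISH.search(msg)
        if pub:
            host = pub.group(2)
            stamp[host] = int(pub.group(1))
            failures[host] = []  # assumption: a later publish clears earlier failures
            continue
        for pattern, meaning in FAILURES:
            hit = pattern.search(msg)
            if hit:
                failures.setdefault(hit.group(1), []).append(meaning)
    newest = max(stamp.values(), default=None)
    report = {}
    for s in servers:
        if s not in stamp:
            state = "never published"
        elif stamp[s] < newest:
            state = "stale"
        else:
            state = "current"
        report[s] = (state, failures.get(s, []))
    return report


if __name__ == "__main__":
    servers = ["primary.example.com", "replica.example.com"]
    for host, (state, open_failures) in replication_report(SAMPLE_LOG, servers).items():
        print(host, state, open_failures)
```

After Force Replication to All, every server should report "current" with the same stamp and no open failures.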

-----------------
a45224 | RSA Authentication Manager 7.1 replica RADIUS server does not authenticate when the primary server is down
Goal
Troubleshoot communication authentication errors on the RSA Authentication Manager 7.1 replica RADIUS server that occur when the primary server is down
Fact
RSA Authentication Manager 7.1
RSA SecurID Appliance 3.0
RSA Authentication Manager 7.1 RADIUS
Symptom
Replica RADIUS log shows messages that are similar to the following:
03/14/2009 13:27:19 Failed to initialize communications for SecurID authentication (result = 23)
03/14/2009 13:27:19 Unable to find user jgracias with matching password
03/14/2009 13:27:19 Sent reject response
Cause
The sdconf.rec file on the replica Authentication Manager 7.1 RADIUS server does not contain replica server information. This can happen if the RSA Authentication Manager servers are not rebalanced before the replica RADIUS server is configured. To resolve this issue, you must update the sdconf.rec file on the replica RSA Authentication Manager 7.1 RADIUS server.
Fix
RSA Authentication Manager 7.1 replica RADIUS server does not authenticate when the primary server is down

To resolve communication authentication errors on the replica RADIUS server, update the sdconf.rec file on the replica RSA Authentication Manager 7.1 RADIUS server.

To update the sdconf.rec file on the replica RSA Authentication Manager 7.1 RADIUS server:
  1. Generate and download the sdconf.rec file on the primary RSA Authentication Manager 7.1 RADIUS server:

    a. Log on to the RSA Security Console.


    b. Select Access > Authentication Agents > Authentication Manager Contact List > Automatic Rebalance.


    c. Click Rebalance. You should see the primary and replica server(s) listed. (This step updates the contact list.)


    d. Generate and download a new sdconf.rec file. In the Security Console, go to Access > Authentication Agents > Generate Configuration File. Follow the prompts to download the file.
  2. Update the sdconf.rec file on the replica Authentication Manager 7.1 RADIUS server:

    a. Place the newly generated sdconf.rec in the directory.  This file needs to be in the following location:
    • Windows: C:\Windows\System32
    • UNIX-based systems: /var/ace
    • Appliance: /usr/local/RSASecurity/RSAAuthenticationManager/radius/
    See the section below for special instructions on moving the file to an Appliance.

    b. Delete the sdstatus.12 file located on the server.

    c. Stop and restart the RSA RADIUS Server. On Windows, use the Windows Services applet, or on UNIX or the Appliance, run the following command in the same line:
    /usr/local/RSASecurity/RSAAuthenticationManager/server/rsaam restart radius
  3. Launch the agent and test authentication.
  4. Log on to the Security Console, check and select Setup > Instances. Verify that replica servers are listed and that their status is Running.
note
To move the sdconf.rec file to an Appliance:
  1. On the Appliance, copy the sdconf.rec file to the /tmp directory with a secure copy program using the emcsrv account and the Operating System password.
  2. Log on to the Appliance using an SSH client, and run the following commands:
    sudo su
    cd /tmp
    chmod 755 sdconf.rec
  3. Copy the sdconf.rec file from the /tmp directory to the following location:
    /usr/local/RSASecurity/RSAAuthenticationManager/radius/
If you are not using RSA RADIUS, see solution a45223.
----------
a45223 | RSA authentication agent authenticating only to the Authentication Manager 7.1 primary
Goal
The RSA agent should authenticate to the replica Authentication Manager server if the primary server is down. The RSA agent should display all Available Authentication Servers when checking the Server Status.
Fact
RSA Authentication Manager 7.1
SP2
Appliance 3.0
RSA Windows Agent
Symptom
RSA agent only authenticates to the Authentication Manager 7.1 primary
On the agent, the Server Status only displays the primary server instead of all available Authentication Servers
Cause
The sdconf.rec file does not contain information on the Authentication Manager replica.
Fix
To update the list in the configuration file, follow these steps:
On the primary Authentication Manager 7.1 server: 
1. Login to the Security Console.  Select Access > Authentication Agents > Authentication Manager Contact List > Automatic Rebalance.
2. Click on the Rebalance Option. You should see the primary and replica server(s) listed.
3. Generate a new configuration file.  From the Security Console select Access > Authentication Agents > Generate Configuration File. Generate and download a new sdconf.rec file.
 On the agent machine:
1. Delete the sdstatus.12 file from C:\Windows\System32
2. Place the newly generated sdconf.rec in the directory.
3. Launch the agent and test authentication.
4. Refresh the agent by closing the agent and launching it again.
5. Go to Local > Server Environment > Server Status to see if the replica server(s) are listed.
       You should now be able to authenticate to the replica server

-------------
a42378 | RADIUS authentication test with RSA RADIUS 7.1
Fact
RSA Authentication Manager 7.1
RSA RADIUS 7.1
RADIUS authentication
Authentication Test 
RADIUS Authentication Test
Symptom
Security Console Authentication Monitor displays the following message after a RADIUS authentication:
Date & Time
<date & time>
Log Level
ERROR
Activity Key
Principal authentication
Description
User “rsalocaltest” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “SystemDomain”
Action Result Key
Failure
Result Key
AUTH_METHOD_FAILED
Result
Authentication Method failed
User ID
<user ID>
RSA RADIUS 7.1 log file reports 'Authentication Response (reject)'
RSA RADIUS 7.1 log files reports 'Unable to find user rsalocaltest with matching password'
NTRADping RADIUS Server reply:
Sending authentication request to server <IP address of RSA RADIUS 7.1 server:port>
Transmitting packet, code=nn id=nn length=nnn
received response from the server in nnnn milliseconds
reply packet code=nn id=nn length=nnn
response: Access-Reject
----------------------------attribute dump-----------------------------

Fix
Here is a test for RSA RADIUS 7.1 with an internal database user with a fixed PASSCODE and a RADIUS test client called NTRADPing.

1)       Download NTRADping – a free RADIUS test client from URL http://www.mastersoft-group.com/download/

 - unzip the file in to a working directory e.g. C:\temp\NTRADping
2)       Add a test user to the RSA Authentication Manager 7.1 Internal Database

RSA Security Console > Identity > Users > Add New

in the form:
Identity Source
select Internal Database
Last Name
rsalocaltest
User ID
rsalocaltest
Password
<enter a password>
Confirm Password
<enter a password as above>
Force Password Change
uncheck ‘Require user to change password at next logon’

click {Save} button

3)       Assign Authentication Settings to the user ‘rsalocaltest’

RSA Security Console > Identity > Users > Manage Existing
SecurityDomain
SystemDomain
Identity Source
Internal Database
For
All Users
Where
Last Name  starts with  rsalocaltest

click {Search} button

Left click the user name and select Authentication Settings
4)       in the form:
Fixed Passcode
check ‘Allow authentication with a fixed passcode’
Fixed Passcode
<enter a passcode> e.g. 12345678
Confirm Fixed Passcode
<enter a passcode as above> e.g. 12345678

click {Save} button

5)       Ensure there is an unrestricted agent configured for the system the RADIUS test client NTRADping is being used on:

RSA Security Console > Access > Authentication Agents > Manage Existing

If there is no agent defined then use the {Add New} button to create one and ensure Agent May Be Accessed by All Users

in the form:
Security Domain
SystemDomain
Hostname
<hostname>
IP Address
<IP address>
Agent May be Accessed by
All Users {default setting}

click {Save} button

6)       Ensure there is a defined RADIUS Client for the system NTRADping is being used on:

RSA Security Console > RADIUS > RADIUS Clients > Manage Existing

If there is no RADIUS client defined then use the {Add New} button
Client Name
<enter resolvable name>
IP Address
<enter IP address>
Make/Model
- Standard Radius -
Shared Secret
1234 <this MUST match the RADIUS Secret key in NTRADping>

click {Save without RSA Agent} button

7)       Here is a typical example of the configuration in the RADIUS test client NTRADping:

RADIUS Server/port
<IP address of RSA RADIUS 7.1 server> <port>
Reply timeout (sec)
3
Retries
2
RADIUS Secret key
1234 <this MUST match the Shared Secret in the RADIUS Client>
User-Name
rsalocaltest
Password
<fixed passcode>
CHAP
<leave unchecked>
Request Type
Authentication Request
Additional RADIUS Attributes
<leave blank>

click {Send} button

RADIUS Server reply:
Sending authentication request to server <IP address of RSA RADIUS 7.1 server:port>
Transmitting packet, code=nn id=nn length=nnn
received response from the server in nnnn milliseconds
reply packet code=nn id=nn length=nnn
response: Access-Challenge
----------------------------attribute dump-----------------------------
Prompt=No-Echo
Reply-Message=\0x0d\0x0a Enter your new PIN, containing 4 to 8 c
State=SBR-CH 4|1\0x00

Please note: NTRADping can do New PIN Mode, and the response will be Access-Challenge. See solution a52716 on how to do this.
This is expected. If this user were not in New PIN Mode, the RADIUS Server reply would be as follows:

RADIUS Server reply:
Sending authentication request to server <IP address of RSA RADIUS 7.1 server:port>
Transmitting packet, code=nn id=nn length=nnn
received response from the server in nnnn milliseconds
reply packet code=nn id=nn length=nnn
response: Access-Accept
----------------------------attribute dump-----------------------------
Class=2SBRCL\0xd4\0x80\0xdd\0xad\0x94\0x8d\0x80\0xbe\oxd8\

Please refer to knowledge article 'Enabling RSA RADIUS 7.1 replication between Primary and Replica RSA RADIUS' to complete an RSA RADIUS 7.1 primary and replica configuration before performing RSA RADIUS 7.1 authentication testing.
Contact RSA Customer Support if you still require further assistance with RSA RADIUS 7.1 configurations and authentication testing.
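
The exchange NTRADping performs in step 7, written out per RFC 2865 as an added example (not part of the original article and not RSA's or NTRADping's code): it builds the Access-Request, shows how the passcode is hidden under the shared secret, and verifies the reply's Response Authenticator. The secret 1234 and passcode 12345678 are the walkthrough's test values; the packet ID, the fixed Request Authenticator and the alternative secret 4321 are constructed.

```python
import hashlib
import hmac
import os
import struct

# Codes and attribute types from RFC 2865
ACCESS_REQUEST = 1
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, USER_PASSWORD = 1, 2

def _xor_blocks(data, secret, authenticator, decrypt):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous
    ciphertext block); the first block uses the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = block if decrypt else result
    return out

def hide_password(passcode, secret, authenticator):
    """Client side: pad to a multiple of 16 bytes, then hide under the secret."""
    padded = passcode + b"\x00" * (-len(passcode) % 16) or b"\x00" * 16
    return _xor_blocks(padded, secret, authenticator, decrypt=False)

def unhide_password(hidden, secret, authenticator):
    """Server side: recover the passcode using the server's copy of the secret."""
    return _xor_blocks(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_access_request(user, passcode, secret, ident, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(passcode, secret, authenticator)
    attrs = b""
    for attr_type, value in ((USER_NAME, user), (USER_PASSWORD, hidden)):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def check_reply(reply, request, secret):
    """Return the reply type, or raise if it does not verify under `secret`."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        raise ValueError("reply does not match the request")
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch (shared secrets differ?)")
    return CODE_NAMES.get(code, "code=%d" % code)

if __name__ == "__main__":
    # Walkthrough values: secret 1234, fixed passcode 12345678; the rest is constructed
    secret, auth = b"1234", bytes(range(16))
    request = build_access_request(b"rsalocaltest", b"12345678", secret, 7, auth)
    hidden = request[-16:]  # value of the User-Password attribute
    print(unhide_password(hidden, secret, auth))    # server holding the same secret
    print(unhide_password(hidden, b"4321", auth))   # server holding a different secret
```

A server whose secret differs from the client's recovers a different byte string than the passcode that was typed, which is why the Shared Secret and the RADIUS Secret key must match.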
--------------
a40226 | Replica Authentication Manager and Radius servers installs fail
Fact
RSA Authentication Manager 7.1
Symptom
Replica database and Radius server installs fail
installation of RSA RADIUS replica fails
Installation of RSA Authentication Manager 7.1 replica fails
Cause
There are a few possible causes:

1.  The name resolution between the servers is not correct.  Note that all servers in the deployment must be able to resolve each other using Alias, FQDN and IP, forwards and reverse.
2.  The servers need to be able to route their communications to the primary interface of the Primary.  The IP address that was specified during install of the Primary is the IP that all Replicas and Radius servers need to use to contact the Primary.
3.  The time on the servers is not consistent.  All servers in the deployment should be within 15 seconds of each other.  After install the Adjudicator communication between the servers will manage this, but at install the time needs to be accurate.
4.  NAT is not configured correctly, meaning that the proper Alias addresses have not been configured for the servers.  See the install and admin guide for notes regarding NAT.
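
A pre-install check for causes 1 and 3, as an added example (not part of the original article or of RSA's installer): it verifies that each server's alias and FQDN resolve to the expected IP, that the IP resolves back to the FQDN, and that the clocks are within the 15 seconds stated above. The host names, addresses and the way clock offsets are collected are assumptions; the lookups are IPv4 only.

```python
import socket

MAX_SKEW_SECONDS = 15  # tolerance the article gives for install time


def check_resolution(alias, fqdn, ip,
                     forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Return a list of problems for one server; empty means all lookups agree."""
    problems = []
    for name in (alias, fqdn):
        try:
            got = forward(name)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            problems.append(f"{name}: forward lookup failed: {exc}")
            continue
        if got != ip:
            problems.append(f"{name}: resolves to {got}, expected {ip}")
    try:
        canonical, aliases, _ = reverse(ip)
    except OSError as exc:      # socket.herror is a subclass of OSError
        problems.append(f"{ip}: reverse lookup failed: {exc}")
    else:
        names = {n.lower().rstrip(".") for n in [canonical, *aliases]}
        if fqdn.lower() not in names:
            problems.append(f"{ip}: reverse lookup gives {canonical}, expected {fqdn}")
    return problems


def check_deployment(servers, clock_offsets,
                     forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """servers: list of (alias, fqdn, ip) tuples.
    clock_offsets: fqdn -> seconds relative to one common reference clock
    (assumption: gathered separately, for example from each host's time service)."""
    problems = []
    for alias, fqdn, ip in servers:
        problems += check_resolution(alias, fqdn, ip, forward, reverse)
    if clock_offsets:
        fast = max(clock_offsets, key=clock_offsets.get)
        slow = min(clock_offsets, key=clock_offsets.get)
        skew = clock_offsets[fast] - clock_offsets[slow]
        if skew > MAX_SKEW_SECONDS:
            problems.append(
                f"clock skew {skew:.0f}s between {slow} and {fast} "
                f"exceeds {MAX_SKEW_SECONDS}s")
    return problems


if __name__ == "__main__":
    # Constructed deployment; replace with the real alias, FQDN and IP of each server
    deployment = [("am-primary", "am-primary.example.com", "192.0.2.10"),
                  ("am-replica", "am-replica.example.com", "192.0.2.11")]
    for problem in check_deployment(deployment, {}):
        print(problem)
```

Run it on every server in the deployment, since each one has to resolve all the others.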