Checking Replication in RSA Authentication Manager 8.1 with OpenSSL
Originally Published: 2015-08-24
Article Number
Applies To
| RSA Product Set | SecurID |
| RSA Product/Service Type | RSA Authentication Manager |
| RSA Version/Condition | 8.1 SP1 |
| Platform | SUSE Enterprise Linux |
| Platform (Other) | |
| O/S Version | 11 SP3 |
| Product Name | RSA-0010010 |
| Product Description | SecurID Appliance |
Issue
Tasks
The openssl program is located in the /usr/bin folder and can be used to check the ports used for replication between the primary and replica instances. Run the check in two passes. First, run openssl against the IP address of the Authentication Manager instance and a port number; this checks the flow of traffic between Authentication Manager instances. Then run openssl against the fully-qualified hostname (FQDN) of the Authentication Manager instance and a port number; this checks name resolution on the network as well as connectivity to the specified port.
Primary and replica instances can reach each other over ports 7002/TCP, 1812/TCP & 1813/TCP.
| Port | Function | Description |
| 7002 TCP | Authentication Manager | Used for communication between an Authentication Manager primary and replica instances and for communication between replica instances (for replay detection). Used by the RSA application programming interface (API). |
| 1812 TCP | RADIUS replication port | This port is used for communication between primary RADIUS and replica RADIUS services. |
| 1813 TCP | RADIUS administration | This port is used to administer RADIUS from the Security Console over the protected RADIUS remote administration channel. |
Command for port checking: openssl s_client -connect <ip_address>:<port_number>
Example:
rsaadmin@app81p:~> openssl s_client -connect 192.168.31.43:7002
CONNECTED(00000003)
depth=1 /CN=RSA root CA for app81p.csau.ap.rsa.net/serialNumber=3ea60e8b3502f5846afd52f4c295e02bc1ebd09f22ad83f5de4bc225ae44bacf
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=app81r.csau.ap.rsa.net/serialNumber=e6206b1164137d8bc40a2df71980fee368938d02d078b3e21074653e731ec25b
i:/CN=RSA root CA for app81p.csau.ap.rsa.net/serialNumber=3ea60e8b3502f5846afd52f4c295e02bc1ebd09f22ad83f5de4bc225ae44bacf
1 s:/CN=RSA root CA for app81p.csau.ap.rsa.net/serialNumber=3ea60e8b3502f5846afd52f4c295e02bc1ebd09f22ad83f5de4bc225ae44bacf
i:/CN=RSA root CA for app81p.csau.ap.rsa.net/serialNumber=3ea60e8b3502f5846afd52f4c295e02bc1ebd09f22ad83f5de4bc225ae44bacf
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=app81r.csau.ap.rsa.net/serialNumber=e6206b1164137d8bc40a2df71980fee368938d02d078b3e21074653e731ec25b
issuer=/CN=RSA root CA for app81p.csau.ap.rsa.net/serialNumber=3ea60e8b3502f5846afd52f4c295e02bc1ebd09f22ad83f5de4bc225ae44bacf
---
No client certificate CA names sent
---
SSL handshake has read 1988 bytes and written 513 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 55DA7F2D4F1A25F05235D2B1277BD4ADA977C20D5253412053534C4A20202020
Session-ID-ctx:
Master-Key: 0528DFF44FFEA96217229CD5BB889C88EFE1C238BDCC5565B4414299E1D37AD2D6614308E9D66A35841E4B539C7520C9
Key-Arg : None
Start Time: 1440382765
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
Table showing the expected result for the ports on both the primary and replica instances.
| Primary | Replica | Expected Result |
| to replica port 7002 | | connect; certificate shown |
| to replica port 1812 | | connect |
| to replica port 1813 | | connect; ssl handshake failure |
| | to primary port 7002 | connect; certificate shown |
| | to primary port 1812 | connect |
| | to primary port 1813 | connect; certificate shown |
Command for FQDN checking: openssl s_client -connect <fqdn>:<port_number>
Example:
rsaadmin@app81p:~> openssl s_client -connect app81r.csau.ap.rsa.net:7002
CONNECTED(00000003)
depth=1 /CN=RSA root CA for app81p.csau.ap.rsa.net/serialNumber=3ea60e8b3502f5846afd52f4c295e02bc1ebd09f22ad83f5de4bc225ae44bacf
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=app81r.csau.ap.rsa.net/serialNumber=e6206b1164137d8bc40a2df71980fee368938d02d078b3e21074653e731ec25b
i:/CN=RSA root CA for app81p.csau.ap.rsa.net/serialNumber=3ea60e8b3502f5846afd52f4c295e02bc1ebd09f22ad83f5de4bc225ae44bacf
1 s:/CN=RSA root CA for app81p.csau.ap.rsa.net/serialNumber=3ea60e8b3502f5846afd52f4c295e02bc1ebd09f22ad83f5de4bc225ae44bacf
i:/CN=RSA root CA for app81p.csau.ap.rsa.net/serialNumber=3ea60e8b3502f5846afd52f4c295e02bc1ebd09f22ad83f5de4bc225ae44bacf
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=app81r.csau.ap.rsa.net/serialNumber=e6206b1164137d8bc40a2df71980fee368938d02d078b3e21074653e731ec25b
issuer=/CN=RSA root CA for app81p.csau.ap.rsa.net/serialNumber=3ea60e8b3502f5846afd52f4c295e02bc1ebd09f22ad83f5de4bc225ae44bacf
---
No client certificate CA names sent
---
SSL handshake has read 1988 bytes and written 513 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 55DA7EFC34E2C37D22AB3302BB8D9A904ADCE4B35253412053534C4A20202020
Session-ID-ctx:
Master-Key: EF48CE8A91A290A1A1F2195704D58D63B98AEFDCD983974C4CB60247B4602E4EDE21B3BF89C6A1573BFC4F7EDF197FE2
Key-Arg : None
Start Time: 1440382716
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
NOTE: If the FQDN check fails, the workaround is to update the local hosts file (/etc/hosts) on the Authentication Manager instance using an account with root privileges, restart the Authentication Manager services using the rsaadmin account (/opt/rsa/am/server/rsaserv restart all), and then perform the FQDN check again with openssl.
Notes
Example:
rsaadmin@app81p:~> openssl s_client -connect app81r.csau.ap.rsa.net:7002
socket: Connection refused
connect:errno=111
rsaadmin@app81p:~>
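The checks above can be scripted so that each port is tested by IP address and by FQDN and the result is reduced to the wording of the expected-result table. This is an added example, not part of the original article or of RSA's tooling; the function names, the 10-second timeout and the extra outcomes ("name resolution failed", "timed out", "connection refused", "no connection") are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not from the RSA article. Outcome strings follow the
# article's expected-result table; matched text comes from its sample output.

# Classify s_client output read from stdin. Most specific match first,
# because every successful TCP connect also prints CONNECTED(...).
classify_s_client() {
    local out
    out=$(cat)
    case "$out" in
        *"-----BEGIN CERTIFICATE-----"*) echo "connect; certificate shown" ;;
        *"handshake failure"*)           echo "connect; ssl handshake failure" ;;
        *"CONNECTED("*)                  echo "connect" ;;
        *"Connection refused"*)          echo "connection refused" ;;
        *)                               echo "no connection" ;;
    esac
}

# check_port <ip_or_fqdn> <port>: resolve first, so a DNS or /etc/hosts
# problem is reported separately from a closed or blocked port.
check_port() {
    local host=$1 port=$2 out
    if ! getent ahosts "$host" >/dev/null 2>&1; then
        echo "name resolution failed"
        return 0
    fi
    # timeout exits with 124 when the limit (10 s, an assumed value) is hit:
    # the port is filtered, or the peer accepted TCP but never finished a
    # TLS handshake. The two cases cannot be told apart from here.
    out=$(timeout 10 openssl s_client -connect "$host:$port" </dev/null 2>&1)
    if [ $? -eq 124 ]; then
        echo "timed out"
        return 0
    fi
    printf '%s\n' "$out" | classify_s_client
}

# check_instance <ip> <fqdn>: the article's three ports, by IP then by FQDN.
check_instance() {
    local ip=$1 fqdn=$2 port target
    for port in 7002 1812 1813; do
        for target in "$ip" "$fqdn"; do
            printf '%-40s %s\n' "$target:$port" "$(check_port "$target" "$port")"
        done
    done
}

# Run only when called as: <script> <ip_address> <fqdn>
if [ "$#" -eq 2 ]; then check_instance "$1" "$2"; fi
```
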
Contacting RSA Customer Support
| Telephone | For urgent issues use one of the telephone numbers listed at URL http://www.emc.com/support/rsa/contact/phone-numbers.htm |
| For non-urgent issues email support@rsa.com | |
| Case Management | Case Management is found at URL https://knowledge.rsasecurity.com/scolcms/mysupport.aspx (requires access to RSA SecurCare Online) |