RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Failed to complete a manual backup with error at Backing up RADIUS:

The Advanced View shows the error below:

Failed to backup RADIUS
Please call customer support.  For erorr details check he Advanced View.

@@@2017-03-12 22:46:08,283 ERROR [serviceExecutor-1] GUILog.traceThrowable(637) | error: 
com.rsa.ims.operationsconsole.admin.taskmgr.TaskExecutionException: Failed to perform a RADIUS backup. 
at com.rsa.ims.operationsconsole.admin.backup.tasks.RadiusBackupTask.execute(RadiusBackupTask.java:100) 
at com.rsa.ims.operationsconsole.admin.backup.tasks.RadiusBackupTask$$FastClassByCGLIB$$2b80a329.invoke(<generated>) 
at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:149) 
at org.springframework.aop.framework.Cglib2AopProxy$CglibMethodInvocation.invokeJoinpoint(Cglib2AopProxy.java:688) 
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) 
at org.springframework.aop.aspectj.AspectJAfterThrowingAdvice.invoke(AspectJAfterThrowingAdvice.java:55) 
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) 
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89) 
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) 
at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:621) 
at com.rsa.ims.operationsconsole.admin.backup.tasks.RadiusBackupTask$$EnhancerByCGLIB$$dc56e799.execute(<generated>) 
at com.rsa.ims.operationsconsole.admin.backup.scheduler.service.AsyncBackupJobWorkerImpl.execute(AsyncBackupJobWorkerImpl.java:231) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 
at java.lang.reflect.Method.invoke(Method.java:597) 
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309) 
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) 
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) 
at org.springframework.aop.interceptor.AsyncExecutionInterceptor$1.call(AsyncExecutionInterceptor.java:81) 
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303) 
at java.util.concurrent.FutureTask.run(FutureTask.java:139) 
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895) 
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:919) 
at java.lang.Thread.run(Thread.java:680) 
Caused by: com.rsa.ims.operationsconsole.admin.backup.exception.RadiusBackupException: Failed to backup RADIUS audit log files. IOException occurred. 
at com.rsa.ims.operationsconsole.admin.backup.tasks.RadiusBackupTask.performRadiusAuditBackup(RadiusBackupTask.java:387) 
at com.rsa.ims.operationsconsole.admin.backup.tasks.RadiusBackupTask.execute(RadiusBackupTask.java:92)

The audit log file ownership was root:rsaadmin on both the *.act and * log files in /opt/rsa/am/radius directory.

In this instance the RADIUS configuration in the radius.ini is different from a standard installed configuration file.  
It may be an older RADIUS configuration inherited from the migrated system. For example, the customer has migrated from Authentication Manager 7.1.

It may be that the file owner and other configuration are being set incorrectly because the customer lacks the [AuditLog] section.

[AuditLog]
Enable = 1
LogfilePermissions      = rsaadmin:rsaadmin 600
;DaysToKeep             = 30    ;  1 or greater - Number of days to retain an audit-log file

1. Check if the file ownership is root:rsaadmin as below: 

-rw------- 1 root rsaadmin 1149840 Mar 13 09:44 /opt/rsa/am/radius/20170331.log

2. Change the ownership of the radius file, as shown below: 

sudo chown rsaadmin:rsaadmin /opt/rsa/am/radius/*.act 
sudo chown rsaadmin:rsaadmin /opt/rsa/am/radius/*.log

ll
-rw------- 1 rsaadmin rsaadmin  2261 Mar  1 00:00 /opt/rsa/am/radius/20170331.act
-rw------- 1 rsaadmin rsaadmin 48106 Mar  1 23:52 /opt/rsa/am/radius/20170331.log

3. Be sure to include the [AuditLog] section header in square brackets and remember to restart RADIUS after modifying the config files.

/opt/rsa/am/server/rsaserv restart radius

4. Alternatively, please securely copy the radius.ini file to /tmp on the RSA Authentication Manager primary instance.
5. Open an SSH session and log in as rsaadmin.
6. Type:

mv /opt/rsa/am/radius/radius.ini /opt/rsa/am/radius/radius_old.ini
cp /tmp/radius.ini /opt/rsa/am/radius/radius.ini

7. Please change the permission of the RADIUS configuration file correctly, as shown below.

sudo chmod 644 /opt/rsa/am/radius/radius.ini

8. Type the command below to verify the file ownership and permissions:

ll /opt/rsa/am/radius/radius.ini
-rw-r--r-- 1 rsaadmin rsaadmin 4168 Mar 16 10:22 /opt/rsa/am/radius/radius.ini

9. Then attempt to run either Backup Now or a Scheduled Backup from the Operations Console.
   
   The backup should complete successfully.

The Advanced Status View may return an error:

-rw------- 1 root rsaadmin 36236 May  6 11:17 /opt/rsa/am/radius/vista.log

To resolve, correct the ownership of the /opt/rsa/am/radius/vista.log  to rsaadmin with the following command:

sudo chown rsaadmin:rsaadmin /opt/rsa/am/radius/vista.log
ls -al /opt/rsa/am/radius/vista.log
-rw------- 1 rsaadmin rsaadmin 36236 May 6 11:17 /opt/rsa/am/radius/vista.log

The backup should now complete correctly.