How to Troubleshoot Authentication Manager Security Console trusted Host Alias whitelist problems
Article Number
Applies To
Security Console Access
https://<Primary_FQDN>:7004/console-ims/
Issue
https://ny-secdev-1192-01.company.com:7004/console-ims/
or
https://ny-secdev-1192-01.company.com/sc
A Security Console Alias is just another way to logon to the Security Console, the most common alias being the short name, e.g.
https://ny-secdev-1192-01.company.com:7004/console-ims/
or
https://ny-secdev-1192-01.company.com/sc
But suppose you wanted a more generic name for your Help Desk Administrators, such as rsaprimary instead of ny-secdev-1192-01. You then need a whitelist alias in order for the following URLs to work with the Security Console:
https://rsaprimary.company.com:7004/console-ims/
or
https://rsaprimary.company.com/sc
You will also need to add the alias to your local /etc/hosts file on the primary and replicas, and you may also need a Subject Alternative Name (SAN) in any replacement console certificate (to replace the RSA self-signed console certificate).
Tasks
1. SSH to Primary Linux with rsaadmin userID and password that was enabled in Operations Console - you only need to do this on the primary, the replicas will be updated automatically by the primary with this information.
2. cd /opt/rsa/am/utils
3. If this is your first whitelist alias, use the following rsautil command to add or create the global whitelist string variable
./rsautil store -a add_config ims.trustedhost.whitelist.custom "AliasNameOfPrimary,AliasNameOfReplica" GLOBAL STRING
If you previously added a whitelist alias, use the following rsautil command to update the ims.trustedhost.whitelist.custom list. You would see an error message if you try to add a global variable the second time, or you would see a message that the global variable does not exist if you try to update when it was never added.
./rsautil store -a update_config ims.trustedhost.whitelist.custom "AliasNameOfPrimary,AliasNameOfReplica" GLOBAL STRING
4. Restart Authentication Manager Services
cd /opt/rsa/am/server
./rsaserv restart all
5. Test access to https://AliasNameOfPrimary:7004/console-ims/
This adds both custom hostnames to the trusted host whitelist. You can then add the alias names for the primary and replica to the /etc/hosts file.
Resolution
The alias needs to resolve to the primary or replica IP, either in the local /etc/hosts file or DNS or both
If replacement console Certificates are used, they would need a SAN entry for the alias
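Both prerequisites above can be checked from a shell before you restart services or hand the alias URL to administrators. The functions below are an added example, not RSA code: hosts_ip and san_has_alias are hypothetical helper names, the sample hosts entry and SAN text are constructed, and the commented openssl pipeline assumes openssl is installed where you run it.

```shell
#!/bin/sh
# Added example (not RSA code): pre-flight checks for a console alias.
# hosts_ip and san_has_alias are hypothetical helper names.

# hosts_ip ALIAS [FILE]: print the IP a hosts file maps ALIAS to; status 1 if none.
hosts_ip() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, "") }                      # drop trailing comments
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == want) { print $1; found = 1; exit } }
        END { exit !found }
    ' "${2:-/etc/hosts}"
}

# san_has_alias ALIAS: read certificate text on stdin and succeed only if a
# DNS SAN equals ALIAS or is a wildcard covering its first label.
san_has_alias() {
    awk -v want="$1" '
        BEGIN { want = tolower(want); dom = want; sub(/^[^.]*\./, "", dom) }
        { n = split($0, part, /[ ,\t]+/)
          for (i = 1; i <= n; i++) {
              if (part[i] !~ /^DNS:/) continue
              san = tolower(substr(part[i], 5))
              if (san == want || (dom != want && san == "*." dom)) ok = 1
          } }
        END { exit !ok }
    '
}

# Constructed sample data, not captured from a real appliance.
SAMPLE_HOSTS='127.0.0.1 localhost
192.0.2.10 ny-secdev-1192-01.company.com rsaprimary.company.com  # primary'
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:ny-secdev-1192-01.company.com, DNS:rsaprimary.company.com'

demo_hosts=$(mktemp) && printf '%s\n' "$SAMPLE_HOSTS" > "$demo_hosts"
for a in rsaprimary.company.com rsareplica.company.com; do
    ip=$(hosts_ip "$a" "$demo_hosts") || ip="NOT IN HOSTS FILE"
    printf '%s\n' "$SAMPLE_SAN" | san_has_alias "$a" && san=yes || san=NO
    echo "$a: hosts=$ip san=$san"
done
rm -f "$demo_hosts"

# Against a live console (assumes openssl is installed where you run this):
#   openssl s_client -connect rsaprimary.company.com:7004 </dev/null 2>/dev/null |
#       openssl x509 -noout -text | san_has_alias rsaprimary.company.com
```

The SAN comparison is an exact, case-insensitive match on whole names, so an alias such as rsaprimary2 is not mistaken for rsaprimary.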
Finally, the ./rsautil store utility does not have a list action (there is no -a list option), so to check whether your alias is in the ims.trustedhost.whitelist.custom Global String variable, you need to look inside the internal postgres database. The ims.trustedhost.whitelist.custom field is not documented in the public schema for the AM internal database.
You will need to obtain the database password and use SQL commands to display or modify data - be sure you have a known good database backup before proceeding.
1. SSH to Primary
2. cd /opt/rsa/am/utils
3. ./rsautil manage-secrets -a get com.rsa.db.dba.password
Use the com.rsa.db.dba.password value to log on to PostgreSQL.
4. cd ../pgsql/bin
5. ./psql -h localhost -p 7050 -d db -U rsa_dba
6. From the SQL db=# prompt, run a select query to see if the alias is included.
Options include the following select statements:
select * from ims_config_value;
This shows all field names in the ims_config_value table, so you can guess what the field is called (possibly 'name') and see whether the alias is listed as a value in that field. Engineering suggested this more precise query.
select * from ims_config_value where name like '%ims.trustedhost.whitelist.custom%';
--------------------------
One very smart customer reported that he dumped the entire DB and was able to locate the entry with this command to find them
/opt/rsa/am/pgsql/bin/psql -t -A -F"|" -h localhost -p 7050 -d db -U <your_db_user> -c 'SELECT * FROM rsa_rep.ims_config_value;' | grep "ims.trustedhost.whitelist.custom"
He had been trying WHERE clauses in the query, but they were causing errors “cross-database references are not implemented” or “column not found ims.trustedhost.whitelist.custom”; so I just settled on doing a grep of the result instead
I believe that what this customer found is consistent with the approach above, where RSA Engineering suggested searching the ims_config_value table (or the copy in the reporting part of the database, rsa_rep.ims_config_value). The % wildcards in the select statement below would have buffered any extraneous characters for the value ims.trustedhost.whitelist.custom
select * from ims_config_value where name like '%ims.trustedhost.whitelist.custom%';
So the customer's approach was very similar, grepping for a match on ims.trustedhost.whitelist.custom no matter what extraneous characters were in front or at the end.
It’s those exact matches that kill you!
Notes
See also KB Alias host name redirect to consoles is not working after upgrade to RSA Authentication Manager 8.3 patch 1
and
KB Unable to access RSA Authentication Manager 8.3 Security Console or Operations Console using CNAME or DNS alias
or
KB After an upgrade to RSA Authentication Manager 8.3.patch 1, unable to access Operations Console via IP address