How to test RSA SecurID Authentication Manager to ID Plus Cloud Access Service connectivity
Originally Published: 2019-11-20
Article Number
000043622
Applies To

RSA Product Set:  SecurID and ID Plus
RSA Product/Service Type:  Authentication Manager and Cloud Access Service
RSA Version/Condition:  Authentication Manager 8.4 patch 4 and higher

Issue

Connectivity between Authentication Manager and its associated Cloud Access Service tenant is not working.

Cause

This is most often due to network traffic from Authentication Manager to the Cloud Access Service being blocked by the on-premises environment.

Resolution

A helpful troubleshooting step is to try accessing the Cloud Access Service's health.api URL either from a browser on the same subnet as the RSA Authentication Manager or directly from the Authentication Manager using the wget command.

The URL is of the form https://<tenant id>.auth.securid.com/secure-connector-fe/health.api where <tenant id> is the value initially set in the Cloud Administrator Console under My Account > Company Settings > Company Information tab > Company ID field.

Below is an example wget command run from the Authentication Manager command line.  Note that Connection OK is returned if successful.

See Log On to the Appliance Operating System with SSH for instructions on accessing the Authentication Manager command line:

rsaadmin@am84p:~> wget --no-check-certificate https://mycompany.auth.securid.com/secure-connector-fe/health.api
--2019-11-20 18:09:47--  https://mycompany.auth.securid.com/secure-connector-fe/health.api
Resolving mycompany.auth.securid.com (mycompany.auth.securid.com)... 191.237.22.167
Connecting to mycompany.auth.securid.com (mycompany.auth.securid.com)|191.237.22.167|:443... connected.
WARNING: cannot verify mycompany.auth.securid.com's certificate, issued by ‘/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K’:
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 200
Length: 13 [text/plain]
Saving to: ‘health.api’

100%[=================================================================================>] 13          --.-K/s   in 0s

2019-11-20 18:09:47 (3.54 MB/s) - ‘health.api’ saved [13/13]

rsaadmin@am84p:~> cat health.api
Connection OK


 

Notes
  1. Be sure to confirm that the infrastructure is:
     • Not blocking the IP associated with <tenant id>.auth.securid.com.
     • Not filtering *.auth.securid.com or *.access.securid.com URLs.
  2. If a wget certificate WARNING indicates that the certificate was issued by a root CA other than DigiCert Global Root G2 and the RSA Authentication Manager logs are showing the message javax.net.ssl.SSLException: Certificate not verified, then ensure that there are no transparent customer proxy devices between the Authentication Manager and the RSA cloud components.
  3. RSA Authentication Manager servers do not currently support proxies (transparent or not) that perform SSL termination.
  4. If a non-transparent proxy is configured for the Authentication Manager, then include the -e use_proxy=yes -e https_proxy=<proxy hostname>:<proxy port> switches in the wget command.
  5. The auth part of the tenant hostname will be auth-eu for European-hosted tenants and auth-anz for APJ-hosted tenants.
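
The following shell helper is an added example, not RSA tooling or code from the original article. It builds the health.api URL for each hosting region and triages a saved wget log, because with --no-check-certificate a "Connection OK" body alone does not rule out a TLS-terminating proxy. The function names, the us/eu/anz region keywords, the verdict words and matching the issuer on the substring "DigiCert" (taken from the certificate note above) are assumptions.

```shell
#!/bin/sh
# Added example (not RSA tooling): build the health.api URL and triage a wget log.
# Assumption: on a clean path the issuer shown by wget contains this string.
EXPECTED_ISSUER="${EXPECTED_ISSUER:-DigiCert}"

# health_url TENANT_ID [us|eu|anz] -> prints the URL; non-zero on bad input
health_url() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*) echo "invalid tenant id" >&2; return 1 ;;
    esac
    case "${2:-us}" in
        us)  host_part=auth ;;
        eu)  host_part=auth-eu ;;
        anz) host_part=auth-anz ;;
        *)   echo "unknown region: $2" >&2; return 1 ;;
    esac
    printf 'https://%s.%s.securid.com/secure-connector-fe/health.api\n' "$1" "$host_part"
}

# triage_wget LOG_TEXT BODY_TEXT -> prints one verdict word
triage_wget() {
    log=$1 body=$2
    case "$log" in
        *"unable to resolve host address"*) echo DNS_FAILURE; return ;;
        *"failed: Connection timed out"*|*"failed: Connection refused"*)
            echo BLOCKED; return ;;
    esac
    # wget prints "cannot verify ... certificate, issued by <issuer>" when it
    # cannot chain the server certificate to a locally trusted root.
    issuer=$(printf '%s\n' "$log" | sed -n 's/.*certificate, issued by \(.*\)/\1/p' | head -n 1)
    if [ -n "$issuer" ]; then
        case "$issuer" in
            *"$EXPECTED_ISSUER"*) : ;;             # expected CA family
            *) echo UNEXPECTED_ISSUER; return ;;   # check for a TLS-terminating proxy
        esac
    fi
    if [ "$body" = "Connection OK" ]; then echo OK; else echo UNEXPECTED_RESPONSE; fi
}

# Usage on the appliance (needs network access, so it is left commented out):
#   url=$(health_url mycompany eu)
#   log=$(wget --no-check-certificate -O /tmp/health.api "$url" 2>&1)
#   triage_wget "$log" "$(cat /tmp/health.api)"
```

An UNEXPECTED_ISSUER verdict corresponds to the proxy notes above; DNS_FAILURE and BLOCKED correspond to the IP and URL filtering note.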