VERIFY_ERROR and authentication failure using REST method with RSA Authentication Agent for PAM with RSA Authentication Manager 8.2 SP1 through 8.2 SP1 patch 8
Originally Published: 2020-02-11
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2.1 to 8.2.1.8
Issue
This article is version-specific and relates only to RSA Authentication Manager servers running 8.2 SP1 (8.2.1) to 8.2.1.8 (8.2 SP1 patch 8).
This workaround is provided if you are not in a position to immediately upgrade to RSA Authentication Manager 8.3 and above.
- After enabling DEBUG logging for the REST protocol, /var/ace/log/mfa_rest.log shows the following error:
2020-01-27 09:58:31,752 [0x7ff38b8ca8c0] INFO (../src/ConnectionHandler/ConnectionHandler.cpp:444) - The response is {"context":{"authnAttemptId":"5d14599e-7fc5-4dd7-8f2d-9b50cffb1d92","messageId":"23579bf8-e892-40fe-b0a3-ea121e889163","inResponseTo":"dd8e69e4-411d-11ea-a362-005056aadaee"}, "credentialValidationResults":[{"methodId":"SECURID","methodResponseCode":"FAIL","methodReasonCode":"VERIFY_ERROR","authnAttributes":[]}], "attemptResponseCode":"FAIL","attemptReasonCode":"VERIFY_ERROR","challengeMethods":{"challenges":[]}}
- After configuring logging and setting the Trace.log value to Verbose, /opt/rsa/am/server/logs/imsTrace.log shows the following error:
2020-02-07 10:08:02,231, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (SecurIDHandler.java:68), trace.com.rsa.authmgr.rest.runtime.SecurIDHandler, INFO, acerest.rsalocal.com,,,,Exception while getting IP Address for the agent 'example.rsatest.local': java.net.UnknownHostException: example.rsatest.local
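The two log signatures above can be checked together when triaging a failing agent. The following Python is an added example, not RSA code: the function names are hypothetical, and the embedded sample input is the two log lines quoted in this article.

```python
import json
import re

# Sample input: the two log lines quoted in this article (not live data).
MFA_REST_LOG = """2020-01-27 09:58:31,752 [0x7ff38b8ca8c0] INFO (../src/ConnectionHandler/ConnectionHandler.cpp:444) - The response is {"context":{"authnAttemptId":"5d14599e-7fc5-4dd7-8f2d-9b50cffb1d92","messageId":"23579bf8-e892-40fe-b0a3-ea121e889163","inResponseTo":"dd8e69e4-411d-11ea-a362-005056aadaee"}, "credentialValidationResults":[{"methodId":"SECURID","methodResponseCode":"FAIL","methodReasonCode":"VERIFY_ERROR","authnAttributes":[]}], "attemptResponseCode":"FAIL","attemptReasonCode":"VERIFY_ERROR","challengeMethods":{"challenges":[]}}"""
IMS_TRACE_LOG = """2020-02-07 10:08:02,231, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (SecurIDHandler.java:68), trace.com.rsa.authmgr.rest.runtime.SecurIDHandler, INFO, acerest.rsalocal.com,,,,Exception while getting IP Address for the agent 'example.rsatest.local': java.net.UnknownHostException: example.rsatest.local"""

# Agent side: timestamp, then the JSON body after "The response is".
RESPONSE_RE = re.compile(r"^(\S+ \S+) .*? - The response is (\{.*\})\s*$")
# Server side: agent name the server could not resolve.
UNKNOWN_HOST_RE = re.compile(
    r"Exception while getting IP Address for the agent '([^']+)': "
    r"java\.net\.UnknownHostException")


def failed_attempts(rest_log, reason="VERIFY_ERROR"):
    """Return (timestamp, authnAttemptId, [methodId, ...]) per failed attempt."""
    hits = []
    for line in rest_log.splitlines():
        m = RESPONSE_RE.match(line)
        if not m:
            continue
        try:
            body = json.loads(m.group(2))
        except json.JSONDecodeError:
            continue  # truncated or interleaved log line
        if body.get("attemptReasonCode") != reason:
            continue
        methods = [r.get("methodId")
                   for r in body.get("credentialValidationResults", [])
                   if r.get("methodReasonCode") == reason]
        hits.append((m.group(1), body.get("context", {}).get("authnAttemptId"), methods))
    return hits


def unresolved_agents(trace_log):
    """Return the agent names imsTrace.log reports as unresolvable."""
    return {m.group(1) for m in UNKNOWN_HOST_RE.finditer(trace_log)}


def diagnose(rest_log, trace_log):
    """Both signatures present means the logs match the issue in this article."""
    fails, agents = failed_attempts(rest_log), unresolved_agents(trace_log)
    return {"verify_errors": fails, "unresolved_agents": sorted(agents),
            "matches_article": bool(fails) and bool(agents)}


if __name__ == "__main__":
    print(diagnose(MFA_REST_LOG, IMS_TRACE_LOG))
```

A VERIFY_ERROR on the agent side without a matching UnknownHostException on the server side points to a different cause than the one described here.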
Cause
- In the affected versions, the REST code populated the Logical Agent IP to the client IP. Because of this, if the Logical Agent IP is not provided, it resolves to some random IP in the environment.
- In RSA Authentication Manager 8.3 and higher, the REST code retrieves the client IP from the incoming authentication request and populates it in RSA Authentication Manager.
Resolution
Workaround
- Create an agent using the steps in Deploying an Authentication Agent That Uses the REST Protocol.
- Populate the agent with a logical IP address that the RSA Authentication Manager server can resolve.
- Provide the agent name to all the REST agents and update /var/ace/conf/mfa_api.properties on the client machine with that information.
- Users should now be able to log in to SSH using the REST mode without issue.
Notes
- The RSA Authentication Agent for PAM that is installed with UDP protocol as an operation method works when the user logs in through SSH.
- Nothing is observed in the RSA Authentication Manager authentication activity monitor during user authentication.
- The RSA Authentication Agent 8.0.x for PAM is installed on a supported platform.
- The RSA Authentication Agent 8.0.x for PAM is installed with REST protocol as an operation method, as shown in bold here:
# :: 0 UDP Protocol
# :: 1 SID REST Service
# :: 2 MFA REST Service
# default value is 0
OPERATION_MODE=1