This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Authentication Manager version 8.5: Failed to register to the FedRamp - Govcloud Cloud Authentication Service

Article Number

000039845

Applies To

RSA Product Set: RSA SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.5.0
Platform: Linux
O/S Version: Suse Linux
 

Issue

Register Authentication Manager with Cloud Authentication Service Fails from the AM 8.5 Security Console - Setup - System, Authentication Settings,
ERROR: Failed to register to the Cloud Authentication Service
An unknown system error occurred.
===imsTrace.log===
2021-08-09 12:19:52,772, [[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'], (RetriveRootCertificate.java:178), trace.com.rsa.authmgr.integration.via.internal.client.RetriveRootCertificate, FATAL, <primary_FQDN>,,,,Exception while retrieving the root certificate.
java.lang.RuntimeException: io.netty.channel.ConnectTimeoutException: connection timed out: access.securidgov.com/20.140.188.86:80


Connection to https://access.securidgov.com from AM Primary and Embedded IDR fails with
FATAL, <primary>.qnet.com,,,,Exception while retrieving the root certificate.
Connection timed out: access.securidgov.com/20.140.188.86:80

Cause

Cloud Authentication Service, CAS connection for AM 8.x server and/or embedded IDR comes in two types:
  1. Original, Non-FedRamp to https://access.securid.com supported since AM 8.3 P1
  2. Newer, FedRamp  to  https://access.securidgov.com which is CAS for Govcloud sites, supported in AM 8.5 P5 and AM 8.6 P1 or later.

Both connections are essentially the same, though they have slightly different Certificate Trust chains that must be included in an internal .jks key store by Engineering in a specific patch or version of Authentication Manager.

Typical registration failure messages are somewhat clear, like this: Invalid or expired registration code
Image descriptionImage description

But when you see unknown system error occurred
is the Security Console, and the /opt/rsa/am/server/logs/imsTrace.log shows 
FATAL, <primary_FQDN>,,,,Exception while retrieving the root certificate.
java.lang.RuntimeException: io.netty.channel.ConnectTimeoutException: connection timed out: access.securidgov.com/20.140.188.86:80

The first thing to check is that you have AM 8.5 patch 5.

Resolution

Authentication Manager, AM version 8.5 patch 5 readme has the following fix.
AM-42355. Added support for the FedRAMP domain name securidgov.com to the embedded identity router.

You need AM 8.5 P5 or AM 8.6 P1 or later.

Notes

This error sounds and feels like there is a proxy Server controlling access to the Internet, so you could spend time looking at Knowledge Base, KB articles 38668 or 38779, where you add proxy server Certificates to the /opt/rsa/am/server/security/trust.jks with keytool - this is in case the proxy server terminates the SSL connection from within the Corp network and build a new SSL connection to https://access.securid.com  or  https://access.securidgov.com
 
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-09-14 11:54 AM
Updated by:
Administrator Administrator

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.