Authentication Manager version 8.5: Failed to register to the FedRamp - Govcloud Cloud Authentication Service
RSA Product Set: RSA SecurID RSA Product/Service Type: Authentication Manager RSA Version/Condition: 8.5.0 Platform: Linux O/S Version: Suse Linux
Register Authentication Manager with Cloud Authentication Service Fails from the AM 8.5 Security Console - Setup - System, Authentication Settings, ERROR: Failed to register to the Cloud Authentication Service An unknown system error occurred. ===imsTrace.log=== 2021-08-09 12:19:52,772, [[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'], (RetriveRootCertificate.java:178), trace.com.rsa.authmgr.integration.via.internal.client.RetriveRootCertificate, FATAL, <primary_FQDN>,,,,Exception while retrieving the root certificate. java.lang.RuntimeException: io.netty.channel.ConnectTimeoutException: connection timed out: access.securidgov.com/22.214.171.124:80
Both connections are essentially the same, though they have slightly different Certificate Trust chains that must be included in an internal .jks key store by Engineering in a specific patch or version of Authentication Manager.
Typical registration failure messages are somewhat clear, like this: Invalid or expired registration code Image description
But when you see unknown system error occurred is the Security Console, and the /opt/rsa/am/server/logs/imsTrace.log shows FATAL, <primary_FQDN>,,,,Exception while retrieving the root certificate. java.lang.RuntimeException: io.netty.channel.ConnectTimeoutException: connection timed out: access.securidgov.com/126.96.36.199:80
The first thing to check is that you have AM 8.5 patch 5.
Authentication Manager, AM version 8.5 patch 5 readme has the following fix. AM-42355. Added support for the FedRAMP domain name securidgov.com to the embedded identity router.
You need AM 8.5 P5 or AM 8.6 P1 or later.
This error sounds and feels like there is a proxy Server controlling access to the Internet, so you could spend time looking at Knowledge Base, KB articles 38668 or 38779, where you add proxy server Certificates to the /opt/rsa/am/server/security/trust.jks with keytool - this is in case the proxy server terminates the SSL connection from within the Corp network and build a new SSL connection to https://access.securid.com or https://access.securidgov.com