This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Certificate verification failed and ConfigResponse is not valid for RSA Authentication Agent API 8.5 and later

Article Number

000034031

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent API for C or Java
RSA Version/Condition: 8.5 or later, 8.6, includes RSA Authentication Agent 8.0 for Web configured for TCP authentication 
Platform: Linux

Issue

This article is relevant to authentication to RSA Authentication Manager server using TCP port 5500, not UDP 5500.

Any attempt to authenticate or communicate with the Authentication Manager server fails in the agent log.
  
error SignatureVerifier.cpp 247 The certificate verification failed
error AgentConfigHandler.cpp 135 ConfigResponse is not valid

When authentication is initiated from RSA Authentication Agent API 8.5 or later, the ACEInitialize program reads the sdconf.rec to:
  1. Create bootstrap.xml & root.cer based on what is in sdconf.rec.
  2. Verify the certificate.
  3. Negotiate to exchange message keys.
This failure indicates a problem with reading the certificates used, so message keys cannot be exchanged for encrypted communication and the authentication process goes no further.
 
Image descriptionImage description

Cause

TCP-based agent authentication is based on the agent certificate, which can be viewed in the Security Console under Setup > System.  The image on the left is for Agents. To see the IPv6 settings click the link labeled "To configure agents using IPv6, click here."

Image descriptionImage description

Scroll down to the bottom of the IPv4/IPv6 Agent page to view the Existing Certificate Details.

If you restore a backup from another Authentication Manager 8.x server, you will import a different Agent Certificate, which will not be recognized by the Authentication Manager API 8.5 Agent.
 

Even if the two servers in this example were both Quick Setup with same name and IP, unless they are VM clones they do not have the same agent certificate.

Resolution

There are two possible solutions to this situation:
  1. Import the original agent certificate back into the IPv4/IPv6 page. 
    1. From the Security Console select Setup > System.  
    2. On left is Agents.
    3. Click IPv6 and then click the Choose File button at the bottom of the page.
  2. Generate and download a new sdconf.rec file.
    1. From the Security Console select Access > Authentication Agents > Generate Configuration File). 
    2. Download the AM_Config.zip and extract the sdconf.rec.
    3. On the agent, delete the agent files including bootstrap.xml and root.cer
    4. Place the new sdconf.rec file on the agent.
    5. Try to authenticate again
Image descriptionImage description

The RSA Authentication Manager API 8.5 files are located in /var/ace by default, or configured in the rsa_api.properties file

Workaround

Restore an original backup that was taken on this original RSA Authentication Manager server, not from another RSA Authentication Manager server.
Tags (82)
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 12:33 PM
Updated by:
Administrator Administrator

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.