The RSA Authentication Agent for PAM is failing to save the node secret file, called securid in /var/ace.
The RSA Authentication Agent for PAM saves configuration files in /var/ace by default. Directory permissions may need to be altered to allow the node secret file, named securid, to be saved after the first authentication. The first authentication to the Authentication Manager primary instance will create a node secret, store a copy of the node secret in the authentication agent record in the Security Console and send a copy of the node secret to the RSA Authentication Agent for PAM. The real-time authentication activity monitor will show a node secret being sent to an authentication agent.
Ensure that SSH connectivity is enabled to the SecurID Appliance running Authentication Manager 8.x. From the Operation Console select Administration > Operating System Access. Under SSH Settings, check the option to enable eth0 and click Save.
With WinSCP or another file transfer utility, copy the agent_nsload file (for Linux-x86_64) into /var/ace.
Start an SSH session.
Use the command chmod 755 /var/ace/agent_nsload to provide executable permissions.
Login to the Security Console and navigate to Access > Authentication Agents > Manager Existing.
Click on the entry for the PAM agent and select Manage Node Secret.
Check Create a new random node secret, and export the node secret to a file.
When prompted, enter an encryption password and click Save.
With WinSCP or another file transfer utility, copy this <agent_hostname>_NodeSecret.zip file into the /var/ace.
From an SSH session, navigate to /var/ace and unzip the <agent_hostname>_NodeSecret.zip file to access the his will provide nodesecret.rec.
Load the node secret into the agent configuration with command /var/ace/agent_nsload -f /var/ace/nodesecret.rec -d /var/ace. The administrator will be prompted to enter the encryption password from step 6.
Check /var/ace to confirm the existence of the securid file.
From the Security Console, select Reporting > Real TIme Activity Monitors > Authentication Activity Monitor and click Start Monitor.
Perform a test authentication with acetest (by default this will be in /opt/pam/bin/64bit/acetest). It is expected that authentication is successful
Start the real-time authentication activity monitor to troubleshoot any failing authentications
A secure FTP client can be used to copy files to the SecurID Appliance running RSA Authentication Manager 8.x software where ssh is enabled in the Operation Console > Administration > Operating System Access > SSH Settings. Check Interface eth0 > Save