Article Number
000039788
Applies To
RSA Product Set: RSA SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2.1, 8.3, 8.4, 8.5
Issue
- The RSA SecurID Authentication API is enabled per the settings mentioned below, and all RSA Authentication Manager services are running, but the Authentication API appears to be down.
Configure the RSA SecurID Authentication API for Authentication Agents
- The REST API was working before but suddenly stopped working. There is no listener on port 5555 on RSA Authentication Manager.
rsaadmin@bharatham85p:~> netstat -an |grep 5555
rsaadmin@bharatham85p:~>
- The iptables rules are correct and are not set to DROP port 5555.
Cause
The certificate has expired.
The log snippet below is from biztier.log, located at /opt/rsa/am/server/logs/biztier.log
####<Jul 7, 2021 9:01:01,809 PM UTC> <Error> <Server> <rsaamdevwf1> <biztier> <[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <8bd24d2d-6160-478b-86c2-c756c2500eab-00000015> <1625778061809> <[severity-value: 8] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-002606> <The server is unable to create a server socket for listening on channel "AuthnServiceHttpsChannel[1]". The address 0:0:0:0:0:0:0:1%lo might be incorrect or another process is using port 5555: java.io.IOException: Identity certificate has expired:
Resolution
- Generate a new CSR, import it, and activate it. Refer to Replacing the Console Certificate.
- If you recently updated the AM primary console certificate and are facing this issue, REST is holding a cache of the old console certificate. To resolve the issue, flush the cache and then reboot the appliance.
Notes
BiztierServerWrapper.log logs the following upon successful connection establishment.
18627:INFO | jvm 1 | main | 2021/07/08 10:19:22 | <Jul 8, 2021 11:15:19,297 AM EDT> <Notice> <Server> <BBEA-002606> <Channel "AuthnServiceHttpsChannel" is now listening on 192.168.20.152:5555 for protocols https.>
Here, 192.168.20.152 is the IP address of the RSA Authentication Manager server.
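The two checks in this article (no listener on port 5555, and the channel messages in the logs) can be scripted as below. This is an added example, not RSA code: the function names are hypothetical, and the sample log lines are constructed by shortening the lines quoted above.

```shell
#!/bin/sh
# Added example (not RSA code). On an appliance the functions would be fed:
#   netstat -an | has_listener 5555
#   authn_channel_state < /opt/rsa/am/server/logs/biztier.log

# has_listener PORT: reads `netstat -an` output on stdin and succeeds only if
# a socket is in LISTEN state on exactly that local port. A plain grep for
# "5555" would also match port 55551 or an established client connection.
has_listener() {
    awk -v p="$1" '$NF == "LISTEN" && $4 ~ (":" p "$") { found = 1 }
                   END { exit !found }'
}

# authn_channel_state: reads log lines on stdin and prints the state given by
# the LAST line that mentions AuthnServiceHttpsChannel:
# listening, expired-cert, bind-failed or unknown.
authn_channel_state() {
    awk '/AuthnServiceHttpsChannel/ {
             if ($0 ~ /is now listening on/)                   s = "listening"
             else if ($0 ~ /Identity certificate has expired/) s = "expired-cert"
             else if ($0 ~ /unable to create a server socket/) s = "bind-failed"
         }
         END { print (s == "" ? "unknown" : s) }'
}

# Constructed sample input, shortened from the log lines quoted in this article.
sample_failure_log() {
    cat <<'EOF'
####<Jul 7, 2021 9:01:01,809 PM UTC> <Error> <Server> <biztier> <BEA-002606> <The server is unable to create a server socket for listening on channel "AuthnServiceHttpsChannel[1]". The address 0:0:0:0:0:0:0:1%lo might be incorrect or another process is using port 5555: java.io.IOException: Identity certificate has expired:
EOF
}
sample_recovery_log() {
    sample_failure_log
    cat <<'EOF'
<Jul 8, 2021 11:15:19,297 AM EDT> <Notice> <Server> <Channel "AuthnServiceHttpsChannel" is now listening on 192.168.20.152:5555 for protocols https.>
EOF
}

echo "after failure:  $(sample_failure_log | authn_channel_state)"
echo "after recovery: $(sample_recovery_log | authn_channel_state)"
```

Because only the last matching line decides the state, an old expiry error followed by a later "now listening" message is reported as listening.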