
Web Server certificate verification failed with RSA Authentication Agent 8.0 for Web for Apache

Article Number

000035905

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Web
RSA Version/Condition: 8.x
Platform:  Apache Web Server
 

Issue

The following error is seen in the agent log:
118-00-03 12:38:23 4294967295.3952.2701068096 [E] error SignatureVerifier.cpp 248 The certificate verification failed
118-00-03 12:38:23 4294967295.3952.2701068096 [V] verbose SignatureVerifier.cpp 258 Leaving validateConfiguration()

 

Cause

The sdconf.rec file contains a certificate that is used only for TCP-based agent connections.

If the RSA Authentication Manager server name changed at some point after its initial deployment, that certificate does not change (for backward compatibility). Any new TCP agent that then tries to connect finds that the Authentication Manager server name differs from the one in the subject name of the current certificate, so the certificate verification fails.

Resolution

To fix this issue, update the sdconf.rec certificate and then generate a new sdconf.rec file with the new certificate.

To get the certificate and update it:

  1. On the primary Authentication Manager server, open Internet Explorer and go to https://<primary hostname>:7002.

Port 7002 is used for communication between an Authentication Manager primary and replica instances and for communication between replica instances (for replay detection).

  2. Click on the Certificate error.
  3. Choose the top certificate and click View Certificate.
  4. Click the Copy To File... button.
  5. Click Next.
  6. Click Next > again. Be sure to leave the DER encoding format selected.
  7. Enter a name to save the DER-encoded root certificate.
  8. Log in to the Security Console and select Setup > System Settings.
  9. Under the heading for Authentication Settings, click Agents.
  10. At the top left of the page, click the link that says "To configure agents using IPv6, click here."
  11. Scroll down to the section on Existing Certificate Details.
  12. Click the button labeled Choose File next to Import Certificate of the New Primary Server.
  13. A common dialog box will open. Browse to the saved certificate, select it and click Open.
  14. When done, click Update.
  15. Generate a new configuration file (sdconf.rec) for the agent by selecting Access > Authentication Agents > Generate Configuration File > Generate Config File.
  16. Replace the existing sdconf.rec on the agent with the newly generated sdconf.rec.
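
Before importing the exported file, the name mismatch described under Cause can be checked from a shell with the OpenSSL command-line tool. This is an added example, not part of the original RSA article: it assumes the server name appears as text in the certificate subject, and the hostnames and the throwaway self-signed certificate are constructed sample data.

```shell
#!/bin/sh
# Added example: compare the subject of a DER-encoded certificate with the
# hostname the agent is expected to reach. All hostnames are constructed.

# Print the subject of a DER certificate in RFC 2253 form (e.g. CN=host).
cert_subject() {
    openssl x509 -inform DER -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//'
}

# Return 0 if the expected hostname appears in the certificate subject
# (case-insensitive), 1 otherwise. Assumption: the server name is carried
# in the subject, as the Cause section describes.
subject_matches_host() {
    subject=$(cert_subject "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$subject" in
        *"$host"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build a throwaway self-signed DER certificate for a name (sample data only).
make_sample_cert() {
    dir=$(mktemp -d) &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
    openssl x509 -in "$dir/cert.pem" -outform DER -out "$dir/cert.der" &&
    printf '%s\n' "$dir/cert.der"
}

# Demo: the certificate still names the old server; the agent expects the new one.
sample=$(make_sample_cert "am-old.example.test")
for name in am-old.example.test am-new.example.test; do
    if subject_matches_host "$sample" "$name"; then
        echo "$name: subject matches ($(cert_subject "$sample"))"
    else
        echo "$name: MISMATCH, subject is $(cert_subject "$sample")"
    fi
done
```

To check a real export, call subject_matches_host with the path of the DER file saved from the browser and the current primary hostname.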

Notes

This solution applies to any TCP-based agent that uses certificates to establish secure connections.
Version history
Last update: 2020-12-12 01:45 PM
Updated by: Administrator RSA-KB-Sync
© 2022 RSA Security LLC or its affiliates. All rights reserved.