Correcting RSA and LDAP+RSA Problems After Upgrading to 3.0.x

Document ID : KB000009065
Last Modified Date : 14/02/2018
Issue:

There is a defect in the 3.0.x migration patch that breaks RSA and LDAP+RSA authentication.  This was brought to the attention of Engineering, but at the time of this writing it is not yet known how or when this will be fixed.  This document explains how to get these authentications working again.  It will be updated when the fix has been created and is available.  Until that time use this document to try to correct the problem.  Please open a Support ticket if the problem remains unresolved.

Environment:
Any system upgraded to 3.0.x on which RSA or LDAP+RSA authentication was working prior to the upgrade.
Resolution:

On the test 2.8.3 system used to gather information for this article the mandatory configuration file was loaded and the optional configuration file was not.

[Screenshot: RSAconfig283.PNG]

After the upgrade to 3.0 the optional configuration file field is populated, but the mandatory file field is empty.

[Screenshot: RSAconfig30.PNG]

After loading the mandatory configuration file, which required that the Node Secret be  RSA and LDAP+RSA authentication still did not work.  Clearing the Node Secret on the RSA server also did not help.  While investigating this with Engineering, a few differences came to light.  The first is that the optional configuration file (sdopts.rec) now seems to be required.  In this case, where it was not loaded before the upgrade, the file was actually empty.  If it has been deleted, it can be recreated in an ssh debug session by running "touch /var/ace/sdopts.rec".

The second difference is that the Hostname configured on PAM's Network Configuration page must now match the Hostname configured in the Authentication Agent entry on the RSA server.  In this case the RSA server could not resolve the hostname of the PAM instance, so its Authentication Agent entry contained the IP address.  The PAM Hostname was therefore changed to the PAM IP address.

[Screenshot: NetworkConfigOriginal.PNG]
[Screenshot: NetworkConfigUpdated.PNG]

At this point RSA and LDAP+RSA authentication still did not work.  Clearing the Node Secret on PAM once more finally resolved the problem.  Bear in mind that you might have to clear the Node Secret on the RSA server as well.
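The three points above (a non-empty mandatory sdconf.rec, an existing sdopts.rec, and a PAM Hostname that matches the Authentication Agent entry) can be checked before clearing the Node Secret again.  The script below is an added example for this article, not part of the original document or of the PAM product; it assumes a POSIX shell in the ssh debug session, uses the /var/ace directory named above, and the function names, the case-insensitive hostname comparison and the way the agent hostname is passed in are the author's own choices.  Clearing the Node Secret itself is still done from the PAM and RSA server user interfaces as described above.

```shell
#!/bin/sh
# Pre-flight check for the RSA agent configuration after a 3.0.x upgrade.
# Example code added to this article (not CA/RSA code); ACE_DIR, function
# names and the hostname rule are assumptions of this example.

ACE_DIR=${ACE_DIR:-/var/ace}

# Mandatory file: sdconf.rec must exist and be non-empty.
# Returns 0 when it is, 1 when it must be re-uploaded.
ace_check_conf() {
    dir=$1
    if [ ! -s "$dir/sdconf.rec" ]; then
        echo "sdconf.rec missing or empty in $dir: re-upload the mandatory configuration file" >&2
        return 1
    fi
    return 0
}

# Optional file: sdopts.rec only has to exist; an empty file is fine,
# which is what "touch /var/ace/sdopts.rec" produces.  Returns 0 once present.
ace_ensure_opts() {
    dir=$1
    if [ ! -e "$dir/sdopts.rec" ]; then
        : > "$dir/sdopts.rec"
        echo "created empty $dir/sdopts.rec"
    fi
    [ -e "$dir/sdopts.rec" ]
}

# $1 = PAM Hostname (Network Configuration page), $2 = hostname in the
# Authentication Agent entry on the RSA server.  Hostnames (and IP addresses,
# which the article ends up using) must be identical, compared case-insensitively.
ace_check_hostname() {
    pam=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    agent=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$pam" != "$agent" ]; then
        echo "hostname mismatch: PAM='$1' vs RSA agent entry='$2'" >&2
        return 1
    fi
    return 0
}

# Runs all three checks; the return value is the number of failed checks,
# so 0 means the configuration is ready for the Node Secret to be cleared.
ace_preflight() {
    failures=0
    ace_check_conf "$1" || failures=$((failures + 1))
    ace_ensure_opts "$1" || failures=$((failures + 1))
    ace_check_hostname "$2" "$3" || failures=$((failures + 1))
    return $failures
}

# Stand-alone use: sh ace-preflight.sh <hostname-in-RSA-agent-entry>
# (compares it with this machine's hostname and inspects $ACE_DIR).
if [ $# -ge 1 ]; then
    if ace_preflight "$ACE_DIR" "$(hostname)" "$1"; then
        echo "all checks passed; clear the Node Secret on PAM (and on the RSA server if needed)"
    else
        echo "$? check(s) failed; fix them before clearing the Node Secret" >&2
        exit 1
    fi
fi
```

Run it with the hostname exactly as it appears in the RSA server's Authentication Agent entry; a non-zero exit code points at which of the three conditions from this article still does not hold.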

If this document does not enable you to resolve the problem please open a Support Ticket.  We are aware of one occurrence where the problem could not be resolved, because the sdconf.rec could not be uploaded.  This issue is still under investigation.  The document will be updated when this aspect is successfully addressed.