Failover for RSA server

Document ID : KB000013171
Last Modified Date : 14/02/2018
Show Technical Document Details

How does SSO policy server handle scenario when the RSA Authentication Server is down (*failover) ?

SSO policy server r12.52 SP1 CrX and aboveRSA Authentication Server 8.1

There is nothing on the SSO side for this configuration this task is setup from the RSA Authentication Manager before generating the sdconf.rec failover.dat

Summary of steps:  - For further details review the RSA documentation

Communication between the authentication agents and RSA Authentication Manager form the RSA Security Console.  Generate a zip file ( which contains the RSA Authentication Manager configuration file, sdconf.rec. and failover.dat.  These files contain what is needed for failover

1.In the Security Console, click Setup > System Settings.

2.Under Authentication Settings, click Agents.

3.On the Agents page, click the link to configure IPv6 agents.  The IPv4/ IPv6 Agents page is displayed.

4.In the Authentication Servers section, do the following:

•Select All Instances to allow the IPv4/IPv6 agent to communicate with any primary or replica instance in the current deployment. The agent can select any instance for authentication requests, and any NIC configured for the selected instance.


•Select Specified Server Names or Addresses to choose the fully qualified hostnames or IP addresses of specific instances, or a DNS name that resolves to a list of instances. In the Hostname or IP Addresses field, you can add or remove entries from the list of fully qualified hostnames and IP addresses. RSA strongly recommends entering more than one instance. Multiple

Procedure to generate (sdconf.rec and failover.dat)

1.In the Security Console, click Access > Authentication Agents > Generate Configuration File.

2.From the Maximum Retries drop-down menu, select the number of times you want the authentication agent to attempt to establish communication with Authentication Manager before returning the message “Cannot initialize agent - server communications.”

3.From the Maximum Time Between Each Retry drop-down menu, select the number of seconds that you want to set between attempts by the authentication agent to establish communications with Authentication Manager.

4.Click Generate Config File.


5.Click Download Now, and save to your local machine.

Next Steps

Copy, containing the sdconf.rec file and the failover.dat file, to each agent host.

Windows 64 bit: - documentation will be updated

The Policy Server only needed these files....The following files need to be present under’


CA SSO Installer already placed the aceclnt.dll ii. sdmsg.dll appropriately  



Manually copied over from RSA Manager after generating the sdconf.rec to  <policy_server installation_dir>/lib folder additionally, the VAR_ACE and USR_ACE variables are pointing to the <policy_server installation_dir>/lib