Fixing RSA Authentication After Upgrading to 3.x

Document ID : KB000103022
Last Modified Date : 10/07/2018
Introduction:
This article covers the steps to follow to get RSA authentication working again after upgrading to 3.x.  This is necessary because some aspects of the RSA configuration changed with the upgrade.  Following the steps described below should resolve most such problems.  If it does not, you should open a Support ticket.
Instructions:

1. Make sure that the hostname in PAM matches the hostname in the RSA server. The RSA server I used for my tests was not able to resolve the IP address to the name, so I set the hostname to the IP address.  After doing this, RSA and LDAP+RSA started working.

2. Do not remove the sdopts.rec config file.  While it might not have been used prior to 3.x, it appears to be needed now.  Please note that behavior regarding this file differs between versions.  In some cases it can be an empty file, which on some versions can be created (if needed) by a support engineer running "touch /var/ace/sdopts.rec" in an SSH session.  At one point uploading an empty sdopts.rec file was allowed, but more recently this has been disallowed.  If that is the case, create your sdopts.rec to look something like the following, with multiple entries for a cluster:
CLIENT_IP=<PAM IP here>

In another case a customer was using an RSA cluster.  They needed to put all the IP addresses into sdopts.rec, each with a priority, in order to prevent connecting to an RSA server that would respond too slowly because of its location.
USESERVER=x.x.x.11,10
USESERVER=x.x.x.12,10
USESERVER=x.x.x.11,1
USESERVER=x.x.x.12,1

If sdopts.rec is imported, there will be a prompt to clear the node secret in PAM.  This used to require that the node secret be cleared on the RSA server too, but a change was made at some point.  The RSA Security Web Console does not clear autogenerated node secrets, such as those from PAM.

3. Import the sdconf.rec file again.  Doing so will prompt you to delete the node secret in PAM.  The same comment about clearing the node secret on the RSA server applies here.
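As an added example (not part of this KB article), a small Python checker for the sdopts.rec format shown in steps 1 and 2: it parses CLIENT_IP and USESERVER=ip,priority lines and flags an empty file, malformed entries, and a CLIENT_IP that does not match the address the RSA server knows PAM by.  The sample file contents, the treatment of '#' lines as comments and the expected-address check are assumptions.

```python
import ipaddress
# Constructed sample in the shape the article shows (RFC 5737 addresses, not real hosts).
SAMPLE_SDOPTS = ("CLIENT_IP=192.0.2.10\n"
                 "USESERVER=192.0.2.11,10\nUSESERVER=192.0.2.12,10\n"
                 "USESERVER=192.0.2.11,1\nUSESERVER=192.0.2.12,1\n")

def _valid_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def parse_sdopts(text, expected_client_ip=None):
    """Parse sdopts.rec text into (config, problems); expected_client_ip is the
    address the RSA server knows PAM by (step 1), checked against CLIENT_IP."""
    config = {"client_ip": None, "servers": []}
    problems = []
    lines = [line.strip() for line in text.splitlines()]
    if not any(lines):
        problems.append("sdopts.rec is empty: some versions accept that, newer ones reject the upload")
        return config, problems
    for n, line in enumerate(lines, 1):
        if not line or line.startswith("#"):  # treating '#' lines as comments is an assumption
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line {n}: expected KEY=VALUE, got {line!r}")
            continue
        key, value = key.strip().upper(), value.strip()
        if key == "CLIENT_IP":
            if _valid_ip(value):
                config["client_ip"] = value
            else:
                problems.append(f"line {n}: CLIENT_IP {value!r} is not an IP address")
        elif key == "USESERVER":
            ip_str, _, prio_str = value.partition(",")
            ip_str, prio_str = ip_str.strip(), prio_str.strip()
            if not _valid_ip(ip_str):
                problems.append(f"line {n}: USESERVER address {ip_str!r} is not an IP address")
            elif not prio_str.isdigit():  # priority range not checked; the article shows 10 and 1
                problems.append(f"line {n}: USESERVER priority {prio_str!r} is not an integer")
            else:
                config["servers"].append((ip_str, int(prio_str)))
        else:
            problems.append(f"line {n}: unexpected key {key!r}")
    if expected_client_ip and config["client_ip"] != expected_client_ip:
        problems.append(f"CLIENT_IP {config['client_ip']!r} does not match PAM address {expected_client_ip!r}")
    return config, problems
```

Run it against the contents of /var/ace/sdopts.rec before re-importing the .rec files, passing the PAM address that the RSA server has on record.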

One last note about clearing the node secret.  There is a folder on PAM, under /var/ace, named after the hostname configured on PAM and the RSA server.  This folder is supposed to be cleared when the node secret is deleted, but in some instances it is not.  A defect was opened to address this.  Support can check this folder if RSA authentication is not working.

In one case this procedure did not work.  It turned out that the customer had configured the wrong root certificate on the RSA server.  Once this was corrected, RSA authentication worked immediately.

If this procedure doesn't work for you, please open a ticket.  Make sure to let us know the current state of the RSA configuration on the system you upgraded, including which of the .rec files are populated.