PAM 3.1.1.01: RSA Integration

Document ID : KB000093619
Last Modified Date : 09/10/2018
Show Technical Document Details
Introduction:
When upgrading CA PAM r3.X, we have seen the RSA integration which was once working successfully is now broken, or the integration does not work when implementing it for the first time.
Instructions:
CA PAM:
1.) SSH into the standalone appliance.
2.) # rm /var/ace/sdopts.rec (had 0 bytes).
3.) # touch /var/ace/sdopts.rec
4.) In CA PAM, reloaded the 'sdconf.rec' file though CA PAM UI (Configuration -> 3rd Party -> RSA).
5.) Cleared Node Secret (even though it was never green) in CA PAM UI.
6.) Rebooted CA PAM.

RSA Cluster:
Please try the following on customer environment.
1.    Create a new sdopts.rec file and the following entries – Assuming 10.28.16.11 & 12 were production and NOT DR if not change the priority 10 means highest. Here I’m setting highest priority for production
USESERVER=10.28.16.11,10
USESERVER=10.28.16.12,10
USESERVER=10.23.16.11,1
USESERVER=10.23.16.12,1
2.    Delete the sdopts.rec file and upload the new one.
3.    SSH to appliance and delete the hostname folder created under /var/ace/<<HOSTNAME>>
4.    Delete the node secret.

PAM with multiple NICs:
Create an sdopts.rec file with the following content
CLIENT_IP=my-ca-pam-ip-address-to-use
USESERVER=my-primary-rsa-server-ip-address,10
USESERVER=my-replica-rsa-server-ip-address,5
 
Additional Information:
Other tips:

•    Does RSA servers were in cluster? If yes are they in same datacenter or spread across?
•    Its recommended to have FQHN set on both PAM & RSA on all servers, both the servers need to be resolved both from RSA(Resolve IP & Resolve hostname) & PAM(Tools-> ping)
•    Please check tcp 5500 is open on all boxes

If connections are dropping might be due to communication failure or PAM is not able to resolve the hostname.

You can also enable the log level to verbose in /var/ace/rsa_api.properties and the logs will be stored under /var/ace/acelnt.log.  You can see the errors in that file.