amsecurid helper configuration
I am configuring the RSA securid auth helper for an Ace server that physically resides on a different server. My question is this: Do I copy the sdconf.rec file from the RSA server to the /var/ace/data directory on the Access Manager instance or do I need to generate an agent host in the RSA instance and use the generated agent host sdconf.rec file? This is not documented well at all.
Thanks,
Mark
# 1
Copy the sdconf.rec file from the RSA server to the directory you specified in the AM console (the default is /opt/ace/data). The sdconf.rec is for the rsa server and is not specific to the agent host defined for AM. Use <AMROOT>/SUNWam/share/bin/amsecuridd -v to get a verbose log in /var/opt/SUNWam/debug
# 2
Thanks for the clarification. Having done that I am still seeing an error that I cannot resolve. When I telnet to localhost 58943 the configuration works as expected. When I attempt to test the RSA authentication by using telnet localhost 57943 the process just hangs. I have seen the errors in the log files before, but here is a copy of the verbose debug files generated from this morning's attempt. Any suggestions would be greatly appreciated.
debug file follows:
06/06/07 08:46:05: amsecuridd: verbose, config listening port = 58943
06/06/07 08:46:05: amsecuridd: version 6.1
06/06/07 08:46:05: open_auth_listen_port: opened socket 3 to port 58943
06/06/07 08:46:05: accept_connection: waiting for connection on socket 3.
06/06/07 08:46:05: accept_connection: rl.rlim_cur = 256, rlim_cur = 256
06/06/07 08:48:10: accept_connection: POLLIN = 0x01, POLLRDNORM = 0x40, POLLRDBAND = 0x80, POLLPRI = 0x02
06/06/07 08:48:10: accept_connection: got fd == the_socket, revents = 0x41
06/06/07 08:48:10: accept_connection: Connection from 127.0.0.1
06/06/07 08:48:10: accept_connection: the_socket=3, s=4.
06/06/07 08:48:10: get_config_info: the_fd=4
06/06/07 08:48:10: m_doio: m_dowrite returns 43
06/06/07 08:48:14: m_doread: returning i = 2, len = 2
06/06/07 08:48:14: m_doread_nocrlf: m_doread returned 2
06/06/07 08:48:14: m_doread_nocrlf: returning 0 chars:
06/06/07 08:48:14: get_config_info: using default=57943 as listen port.
06/06/07 08:48:14: open_auth_listen_port: opened socket 5 to port 57943
06/06/07 08:48:14: m_doio: m_dowrite returns 43
06/06/07 08:48:16: m_doread: returning i = 2, len = 2
06/06/07 08:48:16: m_doread_nocrlf: m_doread returned 2
06/06/07 08:48:16: m_doread_nocrlf: returning 0 chars:
06/06/07 08:48:16: get_config_info: using default=5 as session timeout.
06/06/07 08:48:16: m_doio: m_dowrite returns 40
06/06/07 08:48:18: m_doread: returning i = 2, len = 2
06/06/07 08:48:18: m_doread_nocrlf: m_doread returned 2
06/06/07 08:48:18: m_doread_nocrlf: returning 0 chars:
06/06/07 08:48:18: get_config_info: using default=5 as max sessions.
06/06/07 08:48:18: m_doio: m_dowrite returns 47
06/06/07 08:48:23: m_doread: returning i = 2, len = 2
06/06/07 08:48:23: m_doread_nocrlf: m_doread returned 2
06/06/07 08:48:23: m_doread_nocrlf: returning 0 chars:
06/06/07 08:48:23: get_config_info: config path = /opt/ace/data
06/06/07 08:48:23: get_config_info: successfully putenv 'VAR_ACE=/opt/ace/data'
06/06/07 08:48:23: get_config_info: just before AceInitialize
06/06/07 08:48:24: get_config_info: amsecuridd configured successfully
06/06/07 08:48:24: amsecuridd: Success 0 getting startup configuration information
06/06/07 08:48:24: amsecuridd: now listening on port 57943,
06/06/07 08:48:24: amsecuridd: session timeout is 5 minutes,
06/06/07 08:48:24: amsecuridd: max concurrent sessions = 5.
06/06/07 08:48:24: amsecuridd: POLLIN = 0x01, POLLRDNORM = 0x40, POLLRDBAND = 0x80, POLLPRI = 0x02
06/06/07 08:48:42: ace_server info: got fd == ls, revents = 0x41
06/06/07 08:48:42: accept_connection: waiting for connection on socket 5.
06/06/07 08:48:42: accept_connection: rl.rlim_cur = 256, rlim_cur = 256
06/06/07 08:48:42: accept_connection: POLLIN = 0x01, POLLRDNORM = 0x40, POLLRDBAND = 0x80, POLLPRI = 0x02
06/06/07 08:48:42: accept_connection: got fd == the_socket, revents = 0x41
06/06/07 08:48:42: accept_connection: Connection from 127.0.0.1
06/06/07 08:48:42: accept_connection: the_socket=5, s=4.
06/06/07 08:48:42: ace_server: thr_create returns 0, errno=0
06/06/07 08:48:42: m_dorequest: s = 4
06/06/07 08:48:42: m_dorequest: just before SD_Init
06/06/07 08:49:07: amsecuridd: SD_Init error (23)
# 3
> errno=0
> 06/06/07 08:48:42: m_dorequest: s = 4
> 06/06/07 08:48:42: m_dorequest: just before SD_Init
> 06/06/07 08:49:07: amsecuridd: SD_Init error (23)
error 23 is an ACM_NO_SERVER error. unfortunately, the description isn't terribly helpful:
Client is unable to communicate with the server. There may be a general communication or configuration problem, or the ACE/Server authentication process may not be running.
assuming it's not the server not running, then you can check the ACE/Server's logs to see if there's a record of contact from the client system. seem to recall that you need to have the client host "configured" into the list of allowed clients.
if there's no record of attempted contact, then maybe you want to try the other sdconf.rec file (the generated agent host sdconf.rec file). seem to recall that there needed to be some client-specific generation of the config file, but that was a long time ago, could have been confused with the SafeWord server, and don't currently have access to either.
btw, if there's a "sdstatus.*" file where the sdconf.rec resides, you should delete it before the next test... think it makes things not work.
# 4
The ACE server is in fact running, and I can authenticate remotely as the admin using a keyfob, so I know it is running OK.
I created a UNIX host agent in the RSA server for the Access Manager server and then generated the sdconf.rec file for it. I ftped the config file to the AM7.1 server and stopped and restarted the amsecuridd daemon. I get the same exact entries in the error log.
Any other suggestions?
Mark
# 5
When I created the agent host in the RSA server I used a UNIX host as the agent type. Is this correct or should I have used something else?
The options are:
Unix agent
Communication server
Single-Transaction Server
Net OS agent
NetSP agent
RADIUS Server
The Access Manager docs don't address any of the RSA configuration requirements which would be a great help.
Mark
# 6
> When I created the agent host in the RSA server I
> used a UNIX host as the agent type. Is this correct
> or should I have used something else?
>
> The options are:
>
> Unix agent
> Communication server
> Single-Transaction Server
> Net OS agent
> NetSP agent
> RADIUS Server
>
> The Access Manager docs don't address any of the RSA
> configuration requirements which would be a great
> help.
>
> Mark
liberated all my ACE/Server documentation several years ago, and can't seem to find any old notes regarding creating the sdconf.rec file. "Unix agent" sounds familiar/appropriate.
did you see anything in the ACE/Server admin console's log files regarding the client's attempts to contact?
# 7
I don't see any authentication attempts in the RSA logs.
# 8
since the connection initialization failed, there shouldn't be logs of any authentication attempts. are there any exception-type log entries regarding the client host? this would indicate if the securid helper is even getting to the ACE/Server at all... i.e., the error is because the clientapi lib couldn't make contact (with the sdconf.rec file used), or it did make contact and the ACE/Server rejected it for some reason.
# 9
The only events in the exception log are from failed login attempts using the remote admin console for the RSA server. I had forgotten to synchronize the keyfob with the ace server. I do not see any attempts to communicate from the Ace server. I also looked in the incident reports and see nothing there as well.
Any ideas on what to check next?
Mark
# 10
> The only events in the exception log are from failed
> login attempts using the remote admin console for the
> RSA server. I had forgot to synchronize the keyfob
> with the ace server. I do not see any attempts to
> communicate from the Ace server. I also looked in
> the incident reports and see nothing there as well.
>
> Any ideas on what to check next?
>
> Mark
sorry, Mark. being several years removed from playing with an ACE/Server admin console, having no manuals, and no further hints from error logs/messages, it's kinda tough to say. the helper is not getting to the ACE/Server, as evidenced by the lack of any log records on the server. pretty confident that the helper does work. so, the only (obvious) thing left is the sdconf.rec file. reaching pretty deep here... was the sdconf.rec file ftp'd in binary mode?
# 11
Yes it was. If you don't, you get a corrupt sdconf.rec error when you attempt to configure the connection. I obviously did that the first time.
# 12
is it possible to snoop outgoing packets from the client (securid helper) side to see where it thinks it's sending to? wouldn't think it's a broadcast if the sdconf.rec is specific to the ACE/Server. maybe snoop incoming packets to the ACE/Server system, too, though the outgoing from the client should be more interesting.
# 13
It sure is. What I found was very interesting. Both servers are communicating with each other on the appropriate IP addresses. What really surprised me was the fact that the RSA server was using RLOGIN back to the AM server. I checked all of the logs on the RSA server and see NO activity, exceptions, or errors of any kind. I am beginning to wonder if the agent type should be something other than UNIX?
# 14
> It sure is. What I found was very interesting.
> Both servers are communicating with each other on
> the appropriate IP addresses. What really surprised
> me was that fact that the RSA server was using
> RLOGIN back to the AM server. I checked all of the
> logs on the RSA server and see NO activity,
> exceptions, or errors of any kind. I am beginning
> to wonder if the agent type should be something
> other than UNIX?
can't remember what it should be. of the list you mentioned, only Communications Server sounded like a reasonable alternative. when configuring for the sdconf.rec file, was there any selection for RLOGIN?
couple of other, maybe unrelated, items...
to restart ACE/Server-AM comms "fresh", if there's a "securid" file in the directory where the sdconf.rec file is, delete it before restarting AM. and on the ACE/Server admin console, uncheck the "Sent Node ID" item. the nodeid being sent creates the securid file.
when the tokens were imported to the ACE/Server, use "UNIX, DES encryption". and activate the client on the AM server host.
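Pulling the advice from posts #3 and #14 together, here is an added triage script (my own code, not from this thread, Access Manager or RSA) that reads amsecuridd -v output, names the one SD_Init code the thread explains, and checks the VAR_ACE directory for a missing sdconf.rec and the stale sdstatus.* / securid files the thread says to delete before retesting. The log line patterns, the error code 23 mapping and the sample lines come from the thread; the function names and the directory checks are my assumptions.

```python
# Added triage helper for amsecuridd -v output; not part of the thread, AM or RSA.
import re
from pathlib import Path

SD_INIT_ERRORS = {23: "ACM_NO_SERVER: client cannot reach the ACE/Server"}  # post #3
_RE_PATH = re.compile(r"get_config_info: config path = (\S+)")
_RE_PORT = re.compile(r"amsecuridd: now listening on port (\d+)")
_RE_ERR = re.compile(r"amsecuridd: SD_Init error \((\d+)\)")

def parse_debug_log(lines):
    """Extract config path, listen port and SD_Init error code from the log."""
    info = {"config_path": None, "listen_port": None, "sd_init_error": None}
    for line in lines:
        if m := _RE_PATH.search(line):
            info["config_path"] = m.group(1)
        elif m := _RE_PORT.search(line):
            info["listen_port"] = int(m.group(1))
        elif m := _RE_ERR.search(line):
            info["sd_init_error"] = int(m.group(1))
    return info

def check_config_dir(config_path):
    """sdconf.rec must exist; stale sdstatus.* or securid files (posts #3, #14)
    left over from an earlier run should be deleted before retesting."""
    d = Path(config_path)
    if not d.is_dir():
        return ["config directory %s does not exist" % d]
    findings = []
    if not (d / "sdconf.rec").is_file():
        findings.append("sdconf.rec missing from %s" % d)
    stale = sorted(p.name for p in d.iterdir()
                   if p.name.startswith("sdstatus.") or p.name == "securid")
    findings += ["stale %s in %s; delete before retesting" % (n, d) for n in stale]
    return findings

def triage(lines, config_path=None):
    # config_path overrides the path found in the log (useful for testing)
    info = parse_debug_log(lines)
    code = info["sd_init_error"]
    findings = [] if code is None else [
        "SD_Init error %d: %s" % (code, SD_INIT_ERRORS.get(code, "unknown code"))]
    path = config_path or info["config_path"]
    if path:
        findings.extend(check_config_dir(path))
    return info, findings
# Constructed sample: the decisive lines from the thread's debug file.
SAMPLE_LOG = [
    "06/06/07 08:48:23: get_config_info: config path = /opt/ace/data",
    "06/06/07 08:48:24: amsecuridd: now listening on port 57943,",
    "06/06/07 08:49:07: amsecuridd: SD_Init error (23)",
]
```

Run triage(open("/var/opt/SUNWam/debug/<logfile>").readlines()) against a real verbose log; an empty findings list with no SD_Init error means the helper reached the ACE/Server and the problem is elsewhere.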
# 15
Finally got it running. It was an issue on the RSA server. The Ace server had died. The correct configuration for the agent host is UNIX.
# 16
> Finally got it running. It was an issue on the RSA
> server. The Ace server had died. The correct
> configuration for the agent host is UNIX.
cool! you have any hair left?
you mentioned documentation shortcomings, especially regarding the ACE/Server admin-related aspects... it's kinda not AM's "place" to be documenting "their" stuff, as it may change. however, it would make for good FAQ/debugging material if you have any notes about configuring the ACE/Server for the AM server/system you'd care to share. and debugging tips.
btw, i work at sun.
thanks.