FAQ
ForgeRock Identity Platform
Does not apply to Identity Cloud

FAQ: SecurID authentication module in AM

Last updated Jan 19, 2022

The purpose of this FAQ is to provide answers to commonly asked questions regarding the SecurID® authentication module in AM. The SecurID module allows AM to authenticate users with RSA® Authentication Manager software and RSA SecurID authenticators. This article also includes information for troubleshooting failed authentication attempts to the SecurID authentication module.



Frequently asked questions

Note

The SecurID module is deprecated as of AM 7 and will be removed in a later release; see Deprecated in AM 7.

The Log4j library has a known security vulnerability, as detailed in Log4j Security Advisory #202111. Additionally, neither the log4j library nor the authapi jar is supported by RSA any longer, meaning this vulnerability will not be fixed. As a result, ForgeRock strongly recommends that you migrate to the SecurID node instead. This node is currently available from the Marketplace and will be included in a later release of AM.

Q. Why is the log4j-over-slf4j jar missing from AM?

A. The log4j-over-slf4j jar file is not distributed with AM. You must obtain a version of the log4j library from RSA that is compatible with your version of the authapi jar file.

See OPENAM-9745 (SecurID Authentication not working, error displayed "Unknown error. Please contact your Administrator") for further information.

Q. Why is the authapi-2005-08-12.jar missing?

A. ForgeRock is not licensed to redistribute the RSA SecurID library (authapi jar). You must obtain the latest authapi jar file from RSA, who should provide it to you together with its dependency, the crypto.jar file. You should then place these files in the path/to/tomcat/webapps/openam/WEB-INF/lib directory where AM is deployed.

If you do not obtain the latest authapi jar, you will not be able to log into the SecurID module and will see an error as detailed in SecurID authentication module login fails in AM (All versions) with java.lang.NoClassDefFoundError.

Q. What ports are required for AM to RSA communications?

A. The SecurID module sends UDP packets to the RSA servers on destination port 5500. The source port used by the SecurID module to send the request is a dynamically assigned ephemeral port and cannot be configured to a fixed value.

Q. Can I use RSA SDK 8.6?

A. No, RSA SDK 8.6 will not work with the SecurID module. The SecurID module requires UDP, which is not supported as of SDK 8.6.

Q. What are common issues with authentication failing in the SecurID authentication module?

A. Authentication in the SecurID module can fail for a number of reasons; here are some common issues you may encounter:

Each entry below gives the pertinent error snippet, the underlying issue, and its resolution.

Error snippet (web application container log): Caused by: java.lang.NoClassDefFoundError: com/rsa/authagent/authapi/AuthAgentException
Issue: Missing authapi jar and dependency crypto.jar / cryptoj.jar files
Resolution: The authapi jar and its dependency crypto.jar / cryptoj.jar files are required and must be obtained from RSA. See SecurID authentication module login fails in AM (All versions) with java.lang.NoClassDefFoundError for further information.

Error snippet (Authentication debug log): Exception : com.sun.identity.authentication.spi.AuthLoginException: SecurID system profile login error occurred. RSA API Initialization Error: com.rsa.authagent.authapi.datarepository.AUTHf: sdconf.rec not found
Issue: Missing sdconf.rec file
Resolution: Check that the rsa_api.properties file is in the same directory as the sdconf.rec file. This directory is typically /path/to/openam/config/auth/ace/data (AM 7 and later) or /path/to/openAM/auth/ace/data (pre-AM 7), but the location is user-defined when you configure the SecurID authentication module, so it can vary. If the file is not there:

  1. Copy the rsa_api.properties file to the same directory as the sdconf.rec file. You can find the rsa_api.properties file in the path/to/tomcat/webapps/openam/WEB-INF/lib directory where AM is deployed.
  2. Update the file path properties that reference @BASE_DIR@/@SERVER_URI@ to point to the correct location (the directory where the rsa_api.properties and sdconf.rec files reside).
  3. Restart the web application container in which AM runs.

Error snippet (shown in the browser when accessing the SecurID module): Unknown error. Please contact your Administrator
Issue: Incorrect use of the Log4J bridge libraries
Resolution: This is a known issue: OPENAM-9745 (SecurID Authentication not working, error displayed "Unknown error. Please contact your Administrator"). Replace the existing log4j-over-slf4j library with the log4j library, obtaining a compatible version of the log4j library from RSA.

Error snippets (RSA side, in the rsa_api_debug.log file or the RSA log monitor console):

  • Can't get node Secret
  • Node secret mismatch: cleared on server but not on agent
  • Node secret mismatch: agent and server using different node secrets

Issue: Node secret mismatch
Resolution: The resolution is detailed in RSA Authentication Manager Issue – Node secret mismatch. In summary, delete the node secret on both the client (AM side) and the RSA server. The node secret is then re-negotiated the next time the client contacts the server.

Error snippets:

  • In the rsa_api_debug.log file: CheckServer failed com.rsa.ace.techservice.udpserver.AUTHa1: Error receiving packet Timeout: java.net.SocketTimeoutException: Receive timed out
  • In the rsa_api.log file: [2018-10-22 09:36:44,873] ERROR http-bio-443-exec-3 - Error sending request: com.rsa.ace.techservice.udpserver.a: Error sending packet: java.io.IOException: Invalid argument (sendto failed) [2018-10-22 09:36:44,873] WARN http-bio-443-exec-3 - User TIME's access is denied.
  • In the Authentication debug log: Exception : com.sun.identity.authentication.spi.AuthLoginException: SecurID initialization login exception: No Server available

Issue: Network issue
Resolution: Find and resolve the network issue. The following questions and tools may help you track it down:

  • Is there a firewall between AM and the RSA server?
  • Are you using an IP address instead of an FQDN? All servers listed in the generated sdconf.rec file must have a fully qualified domain name (FQDN). Also check that the servers listed in your /etc/hosts file (or in your DNS server, if you use DNS) are defined with FQDNs rather than by IP address or short hostname only.
  • Are you running Linux® directly on physical hardware? This error has been seen on Linux running on physical hardware, where 5 UDP packets were dropped for every authentication attempt. Moving to VMware (with the same network configuration) resolved the issue.
  • Use a tool such as truss (Solaris®) or strace (Linux) to perform system-level tracing to help you identify the issue.
  • Use a tool such as dropwatch to monitor packet drops in the TCP/IP stack of the operating system.
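The error snippets above are stable enough to triage mechanically. The following script is an added example (not ForgeRock or RSA code) that maps lines from the web container log, the AM Authentication debug log, rsa_api.log and rsa_api_debug.log onto the issue categories of this FAQ and summarises which one dominates. The function and category names are this example's own; the sample log lines are constructed from the snippets quoted above.

```python
"""Triage helper for SecurID module failures in AM (added example)."""
import re
from collections import Counter

# Ordered (category, pattern, resolution summary). The first match wins, so the
# specific signatures come before the generic network ones. Category names and
# summaries are this example's own; the patterns are the FAQ's quoted snippets.
SIGNATURES = [
    ("missing_authapi_jar",
     re.compile(r"NoClassDefFoundError: com/rsa/authagent/authapi/"),
     "Obtain the authapi jar and crypto.jar / cryptoj.jar from RSA and place them in WEB-INF/lib."),
    ("missing_sdconf_rec",
     re.compile(r"sdconf\.rec not found"),
     "Place rsa_api.properties beside sdconf.rec and fix the @BASE_DIR@/@SERVER_URI@ paths."),
    ("log4j_bridge",  # browser message rather than a log line, included for completeness
     re.compile(r"Unknown error\. Please contact your Administrator"),
     "Replace log4j-over-slf4j with the RSA-compatible log4j library (OPENAM-9745)."),
    ("node_secret_mismatch",
     re.compile(r"Can't get node Secret|Node secret mismatch"),
     "Clear the node secret on both the AM agent and the RSA server so it is re-negotiated."),
    ("network",
     re.compile(r"CheckServer failed|Error (receiving|sending) packet|Receive timed out|"
                r"sendto failed|No Server available"),
     "Check firewall rules for UDP 5500, FQDN resolution of the RSA servers, and packet drops."),
]


def classify_line(line):
    """Return (category, resolution) for a log line, or None if it is not a known signature."""
    for category, pattern, resolution in SIGNATURES:
        if pattern.search(line):
            return category, resolution
    return None


def triage(lines):
    """Group the recognised lines by category: {category: [line, ...]}."""
    hits = {}
    for line in lines:
        result = classify_line(line)
        if result is not None:
            hits.setdefault(result[0], []).append(line.rstrip())
    return hits


def summarize(lines):
    """Return (category, resolution) for the most frequent category, or None if nothing matched."""
    counts = Counter()
    resolution_for = {}
    for line in lines:
        result = classify_line(line)
        if result is None:
            continue
        category, resolution = result
        counts[category] += 1
        resolution_for[category] = resolution
    if not counts:
        return None
    top = counts.most_common(1)[0][0]
    return top, resolution_for[top]


# Constructed sample lines modelled on the snippets quoted in the FAQ.
SAMPLE_LINES = [
    "[2018-10-22 09:36:44,873] ERROR http-bio-443-exec-3 - Error sending request: "
    "com.rsa.ace.techservice.udpserver.a: Error sending packet: java.io.IOException: "
    "Invalid argument (sendto failed)",
    "[2018-10-22 09:36:44,873] WARN http-bio-443-exec-3 - User TIME's access is denied.",
    "CheckServer failed com.rsa.ace.techservice.udpserver.AUTHa1: Error receiving packet "
    "Timeout: java.net.SocketTimeoutException: Receive timed out",
    "Exception : com.sun.identity.authentication.spi.AuthLoginException: "
    "SecurID initialization login exception: No Server available",
    "Caused by: java.lang.NoClassDefFoundError: com/rsa/authagent/authapi/AuthAgentException",
]

if __name__ == "__main__":
    for category, matched in triage(SAMPLE_LINES).items():
        print(f"{category}: {len(matched)} line(s)")
    print("most likely issue:", summarize(SAMPLE_LINES))
```

The "access is denied" WARN line is deliberately left unclassified: on its own it only says that RSA rejected the attempt, and the lines around it carry the actual cause.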

Q. How do I enable debug logging for the RSA server?

A. You can enable debug logging in the rsa_api.properties file if you want to see what is happening on the RSA server. This file must reside in the same directory as the sdconf.rec file. This directory is typically /path/to/openam/config/auth/ace/data (AM 7 and later) or /path/to/openAM/auth/ace/data (pre-AM 7), but the location is user-defined when you configure the SecurID authentication module, so it can vary.

To enable debug logging:

  1. Copy the rsa_api.properties file to the same directory as the sdconf.rec file if it does not already exist. You can find the rsa_api.properties file in the path/to/tomcat/webapps/openam/WEB-INF/lib directory where AM is deployed.
  2. Update the required debug options in the event logger and debugger sections in the rsa_api.properties file to YES.
  3. Update the file path properties that reference @BASE_DIR@/@SERVER_URI@ to point to the correct location (the directory where the rsa_api.properties and sdconf.rec files reside).
  4. Restart the web application container in which AM runs.
  5. Reproduce the issue you were encountering.
  6. Retrieve the log files (rsa_api.log and rsa_api_debug.log) from the location you specified.

Example

An example snippet of the rsa_api.properties file with the event logger and debugger sections configured to output debug information to file:

# [This section is for event logger.]
# Logs event messages to the console.
RSA_LOG_TO_CONSOLE=NO
# Logs event messages to a file.
RSA_LOG_TO_FILE=YES
# Name of the log file.
RSA_LOG_FILE=/path/to/openam/var/debug/rsa_api.log
# Minimum severity level allowed to log.
RSA_LOG_LEVEL=DEBUG

# [This section is for debugger.]
# Enables debug tracing.
RSA_ENABLE_DEBUG=YES
# Sends tracing to the console.
RSA_DEBUG_TO_CONSOLE=NO
# Sends tracing to a file.
RSA_DEBUG_TO_FILE=YES
# Name of the trace file.
RSA_DEBUG_FILE=/path/to/openam/var/debug/rsa_api_debug.log
# Allows function entry tracing.
RSA_DEBUG_ENTRY=YES
# Allows function exit tracing.
RSA_DEBUG_EXIT=YES
# Allows control flow tracing.
RSA_DEBUG_FLOW=YES
# Allows regular tracing.
RSA_DEBUG_NORMAL=YES
# Traces the location.
RSA_DEBUG_LOCATION=YES
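The same three mistakes account for most failed attempts at the procedure above (and for the "sdconf.rec not found" row in the troubleshooting table): the properties file is not beside sdconf.rec, the @BASE_DIR@/@SERVER_URI@ placeholders copied from WEB-INF/lib were never replaced, or the debug switches were left at NO. The following script is an added example (not ForgeRock or RSA code) that checks a given rsa_api.properties file for all three before you restart the container. The property names are those in the example snippet above; the sample template and the stand-in sdconf.rec are constructed in a temporary directory, and the function names are this example's own.

```python
"""Sanity check for an rsa_api.properties file used by the AM SecurID module (added example)."""
import os
import tempfile

# Switches the FAQ's example sets to YES so that rsa_api.log and rsa_api_debug.log are written.
DEBUG_SWITCHES = (
    "RSA_LOG_TO_FILE", "RSA_ENABLE_DEBUG", "RSA_DEBUG_TO_FILE", "RSA_DEBUG_ENTRY",
    "RSA_DEBUG_EXIT", "RSA_DEBUG_FLOW", "RSA_DEBUG_NORMAL", "RSA_DEBUG_LOCATION",
)
PLACEHOLDER = "@BASE_DIR@/@SERVER_URI@"


def parse_properties(text):
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_rsa_api_properties(props_path):
    """Return a list of findings; an empty list means the file passes every check."""
    findings = []
    config_dir = os.path.dirname(os.path.abspath(props_path))
    # The properties file must live in the same directory as sdconf.rec.
    if not os.path.isfile(os.path.join(config_dir, "sdconf.rec")):
        findings.append(f"sdconf.rec not found in {config_dir}; rsa_api.properties must sit beside it")
    with open(props_path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    # Unresolved placeholders are left over from the copy shipped in WEB-INF/lib.
    for key, value in props.items():
        if PLACEHOLDER in value:
            findings.append(f"{key} still references {PLACEHOLDER}")
    # Every debug switch must read YES for the log files to be produced.
    for key in DEBUG_SWITCHES:
        if props.get(key, "NO").upper() != "YES":
            findings.append(f"{key} is {props.get(key, 'unset')}, expected YES")
    # The log file directories must exist, or nothing will be written.
    for key in ("RSA_LOG_FILE", "RSA_DEBUG_FILE"):
        target = props.get(key)
        if target and PLACEHOLDER not in target and not os.path.isdir(os.path.dirname(target)):
            findings.append(f"{key} directory does not exist: {os.path.dirname(target)}")
    return findings


# Constructed sample of the shipped template: placeholders still present, debug switched off.
TEMPLATE = """# [This section is for event logger.]
RSA_LOG_TO_CONSOLE=NO
RSA_LOG_TO_FILE=NO
RSA_LOG_FILE=@BASE_DIR@/@SERVER_URI@/rsa_api.log
RSA_LOG_LEVEL=DEBUG
# [This section is for debugger.]
RSA_ENABLE_DEBUG=NO
RSA_DEBUG_TO_CONSOLE=NO
RSA_DEBUG_TO_FILE=NO
RSA_DEBUG_FILE=@BASE_DIR@/@SERVER_URI@/rsa_api_debug.log
RSA_DEBUG_ENTRY=NO
RSA_DEBUG_EXIT=NO
RSA_DEBUG_FLOW=NO
RSA_DEBUG_NORMAL=NO
RSA_DEBUG_LOCATION=NO
"""


def demo(fixed):
    """Build a constructed config directory and return the findings for the raw or the fixed template."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = os.path.join(tmp, "auth", "ace", "data")
        log_dir = os.path.join(tmp, "var", "debug")
        os.makedirs(data_dir)
        os.makedirs(log_dir)
        # Constructed stand-in for the binary sdconf.rec generated by RSA Authentication Manager.
        with open(os.path.join(data_dir, "sdconf.rec"), "wb") as fh:
            fh.write(b"\x00")
        text = TEMPLATE
        if fixed:  # apply the FAQ's steps 2 and 3: switches to YES, placeholders to the real directory
            text = text.replace("=NO\n", "=YES\n")
            text = text.replace("RSA_LOG_TO_CONSOLE=YES", "RSA_LOG_TO_CONSOLE=NO")
            text = text.replace("RSA_DEBUG_TO_CONSOLE=YES", "RSA_DEBUG_TO_CONSOLE=NO")
            text = text.replace(PLACEHOLDER, log_dir)
        props_path = os.path.join(data_dir, "rsa_api.properties")
        with open(props_path, "w", encoding="utf-8") as fh:
            fh.write(text)
        return check_rsa_api_properties(props_path)


if __name__ == "__main__":
    print("unfixed template:", *demo(fixed=False), sep="\n  ")
    print("fixed template:", demo(fixed=True))
```

Run it against your real file with check_rsa_api_properties("/path/to/auth/ace/data/rsa_api.properties"); the unfixed template above yields ten findings (two placeholder paths and eight switches at NO), the corrected copy yields none.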

See Also

Authentication modules in AM

SecurID Authentication Module Properties


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.