- Q. Why is the log4j-over-slf4j jar missing from AM?
- Q. Why is the authapi-2005-08-12.jar missing?
- Q. What ports are required for AM to RSA communications?
- Q. Can I use RSA SDK 8.6?
- Q. What are common issues with authentication failing in the SecurID authentication module?
- Q. How do I enable debug logging for the RSA server?
The SecurID module is deprecated as of AM 7 and will be removed in a later release (see Deprecated in AM 7).
A. The Log4j library has a known security vulnerability, as detailed in Log4j Security Advisory #202111. In addition, neither the log4j jar nor the authapi jar is supported by RSA any longer, so this vulnerability will not be fixed in them. ForgeRock therefore strongly recommends that you migrate to the SecurID node instead; the node is currently available from the Marketplace and will be included in a later release of AM.
See OPENAM-9745 (SecurID Authentication not working, error displayed "Unknown error. Please contact your Administrator") for further information.
A. ForgeRock is not licensed to redistribute the RSA SecurID library (authapi jar). You must obtain the latest authapi jar file from RSA. They should provide this to you along with a dependency crypto.jar file. You should then include these files in the path/to/tomcat/webapps/openam/WEB-INF/lib directory where AM is deployed.
If you do not obtain the latest authapi jar, you will not be able to log into the SecurID module and will see an error as detailed in SecurID authentication module login fails in AM (All versions) with java.lang.NoClassDefFoundError.
| Pertinent Error Snippet | Issue | Resolution |
|---|---|---|
| Error in web application container log: Caused by: java.lang.NoClassDefFoundError: com/rsa/authagent/authapi/AuthAgentException | Missing authapi jar and dependency crypto.jar / cryptoj.jar files | The authapi jar and its dependency crypto.jar / cryptoj.jar files are needed and must be obtained from RSA. See SecurID authentication module login fails in AM (All versions) with java.lang.NoClassDefFoundError for further information. |
| Error in Authentication debug log: Exception : com.sun.identity.authentication.spi.AuthLoginException: SecurID system profile login error occurred. RSA API Initialization Error: com.rsa.authagent.authapi.datarepository.AUTHf: sdconf.rec not found | Missing sdconf.rec file | Check that the rsa_api.properties file is in the same directory as the sdconf.rec file (typically /path/to/openam/config/auth/ace/data in AM 7 and later, or /path/to/openAM/auth/ace/data before AM 7; the location is user-defined when you configure the SecurID authentication module, so it can vary). If it is not there: |
| Error shown in browser when accessing SecurID module: Unknown error. Please contact your Administrator | Incorrect use of the Log4J bridge libraries | This is a known issue: OPENAM-9745 (SecurID Authentication not working, error displayed "Unknown error. Please contact your Administrator"). Replace the existing log4j-over-slf4j library with the log4j library; obtain a compatible version of the log4j library from RSA. |
| Errors on RSA side (in rsa_api_debug.log file or RSA log monitor console): Can't get node Secret; Node secret mismatch: cleared on server but not on agent; Node secret mismatch: agent and server using different node secrets | Node secret mismatch | The resolution is detailed in: RSA Authentication Manager Issue – Node secret mismatch. In summary, delete the node secret on both the client (AM side) and the RSA server; the node secret is then re-negotiated the next time the client contacts the server. |
| Error in rsa_api_debug.log file: CheckServer failed com.rsa.ace.techservice.udpserver.AUTHa1: Error receiving packet Timeout: java.net.SocketTimeoutException: Receive timed out. Error in rsa_api.log file: [2018-10-22 09:36:44,873] ERROR http-bio-443-exec-3 - Error sending request: com.rsa.ace.techservice.udpserver.a: Error sending packet: java.io.IOException: Invalid argument (sendto failed) followed by [2018-10-22 09:36:44,873] WARN http-bio-443-exec-3 - User TIME's access is denied. Error in Authentication debug log: Exception : com.sun.identity.authentication.spi.AuthLoginException: SecurID initialization login exception: No Server available | Network issue between AM and the RSA server | Find and resolve the network issue. The following information may help you track it down: |
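As an added example (not code from this article, from AM or from RSA), the following shell function scans the log files named in the table for the error snippets listed above and reports the matching issue, so an operator can go straight to the relevant resolution. The regular expressions are taken from the snippets in the table; the function names and the issue labels are this example's own, and the sample log lines in the demo are constructed, patterned on the table rather than captured from a real system.

```shell
#!/bin/sh
# Added example: first-pass triage of AM/RSA log output against the error
# snippets in the troubleshooting table. Not ForgeRock or RSA tooling.

# securid_triage FILE...: print one line per distinct known issue found in FILEs,
# in the order the issues appear in the table.
securid_triage() {
    # Rule table: extended regex, TAB, issue label. Regexes are verbatim
    # fragments of the error snippets above; labels are this example's own.
    rules=$(printf '%s\t%s\n' \
        'NoClassDefFoundError: com/rsa/authagent/authapi' 'missing authapi jar / crypto jar (obtain from RSA)' \
        'sdconf\.rec not found' 'missing sdconf.rec (check rsa_api.properties is beside sdconf.rec)' \
        "Can't get node Secret|Node secret mismatch" 'node secret mismatch (clear on AM and RSA server)' \
        'Receive timed out|sendto failed|No Server available' 'network issue between AM and RSA server')

    # Split each rule on the TAB only, so spaces inside a label survive.
    printf '%s\n' "$rules" | while IFS="$(printf '\t')" read -r regex issue; do
        if grep -qE "$regex" "$@"; then
            printf '%s\n' "$issue"
        fi
    done
}

# Demo on constructed log lines (not a real capture) so the block runs stand-alone.
securid_triage_demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[2018-10-22 09:36:44,873] ERROR http-bio-443-exec-3 - Error sending request: com.rsa.ace.techservice.udpserver.a: Error sending packet: java.io.IOException: Invalid argument (sendto failed)
[2018-10-22 09:36:44,873] WARN http-bio-443-exec-3 - User TIME's access is denied.
CheckServer failed com.rsa.ace.techservice.udpserver.AUTHa1: Error receiving packet Timeout: java.net.SocketTimeoutException: Receive timed out
Node secret mismatch: agent and server using different node secrets
EOF
    securid_triage "$tmp"
    rm -f "$tmp"
}

securid_triage_demo
```

Run it against the real files, for example `securid_triage /path/to/openam/var/debug/rsa_api.log /path/to/openam/var/debug/rsa_api_debug.log`; a "node secret mismatch" hit should be resolved before chasing a timeout, because the table lists it as a separate cause with its own fix.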
A. You can enable debug logging in the rsa_api.properties file to see what the RSA Authentication API (the client library AM uses) is doing when it communicates with the RSA server. This file must reside in the same directory as the sdconf.rec file (typically /path/to/openam/config/auth/ace/data in AM 7 and later, or /path/to/openAM/auth/ace/data before AM 7; the location is user-defined when you configure the SecurID authentication module, so it can vary).
To enable debug logging:
- Copy the rsa_api.properties file to the same directory as the sdconf.rec file if it does not already exist. You can find the rsa_api.properties file in the path/to/tomcat/webapps/openam/WEB-INF/lib directory where AM is deployed.
- Update the required debug options in the event logger and debugger sections in the rsa_api.properties file to YES.
- Update the file path properties that reference @BASE_DIR@/@SERVER_URI@ to point to the correct location (which is the directory where the rsa_api.properties and sdconf.rec files reside).
- Restart the web application container in which AM runs.
- Reproduce the issue you were encountering.
- Retrieve the log files (rsa_api.log and rsa_api_debug.log) from the location you specified.
An example snippet of the rsa_api.properties file with the event logger and debugger sections configured to output debug information to file:

```properties
# [This section is for event logger.]
# Logs event messages to the console.
RSA_LOG_TO_CONSOLE=NO
# Logs event messages to a file.
RSA_LOG_TO_FILE=YES
# Name of the log file.
RSA_LOG_FILE=/path/to/openam/var/debug/rsa_api.log
# Minimum severity level allowed to log.
RSA_LOG_LEVEL=DEBUG

# [This section is for debugger.]
# Enables debug tracing.
RSA_ENABLE_DEBUG=YES
# Sends tracing to the console.
RSA_DEBUG_TO_CONSOLE=NO
# Sends tracing to a file.
RSA_DEBUG_TO_FILE=YES
# Name of the trace file.
RSA_DEBUG_FILE=/path/to/openam/var/debug/rsa_api_debug.log
# Allows function entry tracing.
RSA_DEBUG_ENTRY=YES
# Allows function exit tracing.
RSA_DEBUG_EXIT=YES
# Allows control flow tracing.
RSA_DEBUG_FLOW=YES
# Allows regular tracing.
RSA_DEBUG_NORMAL=YES
# Traces the location.
RSA_DEBUG_LOCATION=YES
```
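The steps above, applied by a script, as an added example that is not part of this article and is not ForgeRock or RSA tooling. It copies rsa_api.properties from the AM lib directory to the directory holding sdconf.rec if it is not already there, resolves the @BASE_DIR@/@SERVER_URI@ placeholders to that directory, and sets the event logger and debugger options to the values shown in the snippet. Assumptions: the property names are exactly those in the snippet; the shipped template writes its RSA_LOG_FILE and RSA_DEBUG_FILE values as @BASE_DIR@/@SERVER_URI@/... (the demo builds a constructed template of that shape rather than using the real file); the lib and data directory paths are supplied by the caller; restarting the web container is left to the operator.

```shell
#!/bin/sh
# Added example: apply the rsa_api.properties debug-logging steps above.
# Not ForgeRock or RSA code; property names are taken from the snippet above.

# set_prop FILE KEY VALUE: set KEY=VALUE in FILE, appending the key if absent.
set_prop() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        # Portable in-place edit: write to a temp file, then replace the original.
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_prop FILE KEY: print the value of KEY (used to check the result).
get_prop() {
    sed -n "s|^$2=||p" "$1"
}

# enable_rsa_debug LIB_DIR DATA_DIR
#   LIB_DIR  - .../webapps/openam/WEB-INF/lib, where AM ships rsa_api.properties
#   DATA_DIR - the directory holding sdconf.rec (the module's configured location)
# Prints the path of the configured properties file.
enable_rsa_debug() {
    lib_dir=$1; data_dir=$2
    props="$data_dir/rsa_api.properties"

    # The properties file must sit beside sdconf.rec; refuse to guess the location.
    [ -f "$data_dir/sdconf.rec" ] || { echo "sdconf.rec not found in $data_dir" >&2; return 1; }
    # Step 1: copy the shipped file only if it is not already there.
    [ -f "$props" ] || cp "$lib_dir/rsa_api.properties" "$props"

    # Step 3: point the @BASE_DIR@/@SERVER_URI@ file paths at the data directory.
    sed "s|@BASE_DIR@/@SERVER_URI@|${data_dir}|g" "$props" > "$props.tmp" && mv "$props.tmp" "$props"

    # Step 2: file logging and tracing on, console output off, as in the snippet.
    set_prop "$props" RSA_LOG_TO_CONSOLE NO
    set_prop "$props" RSA_LOG_TO_FILE YES
    set_prop "$props" RSA_LOG_LEVEL DEBUG
    set_prop "$props" RSA_ENABLE_DEBUG YES
    set_prop "$props" RSA_DEBUG_TO_CONSOLE NO
    set_prop "$props" RSA_DEBUG_TO_FILE YES
    for k in ENTRY EXIT FLOW NORMAL LOCATION; do
        set_prop "$props" "RSA_DEBUG_$k" YES
    done
    # Step 4 (restart the web application container) is left to the operator.
    echo "$props"
}

# Demo on a constructed template (not the file AM ships) so the block runs stand-alone.
enable_rsa_debug_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib" "$tmp/data"
    : > "$tmp/data/sdconf.rec"   # empty stand-in for the real sdconf.rec
    printf '%s\n' \
        'RSA_LOG_TO_CONSOLE=YES' \
        'RSA_LOG_TO_FILE=NO' \
        'RSA_LOG_FILE=@BASE_DIR@/@SERVER_URI@/rsa_api.log' \
        'RSA_LOG_LEVEL=ERROR' \
        'RSA_ENABLE_DEBUG=NO' \
        'RSA_DEBUG_FILE=@BASE_DIR@/@SERVER_URI@/rsa_api_debug.log' \
        > "$tmp/lib/rsa_api.properties"
    result=$(enable_rsa_debug "$tmp/lib" "$tmp/data")
    cat "$result"
    rm -rf "$tmp"
}

enable_rsa_debug_demo
```

Run it on a real deployment as `enable_rsa_debug /path/to/tomcat/webapps/openam/WEB-INF/lib /path/to/openam/config/auth/ace/data`, then restart the container and reproduce the problem; the rsa_api.log and rsa_api_debug.log files land in the data directory because that is what the placeholders were resolved to. Remember to turn the tracing options back to NO afterwards, since entry, exit and flow tracing of every authentication call is verbose.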