...
When you attempt to configure RSA SecurID settings on UAG, the UAG administrative dashboard shows the following alert:

The authentication method could not be configured. You have not uploaded an SSL certificate, or the certificate is invalid. If the SecurID server has a certificate that is not signed by a public CA, you must enter the certificate chain in the RSA SecurID Server CA/SSL Certificate text box.

The authbroker.log on the UAG appliance contains a line similar to the following (see Collecting Logs from the Unified Access Gateway Appliance for details on this file):

12/21 17:22:35,321[tomcat-http--25]ERROR utils.SecurIDRestClient: Provided PEM Certificate is missing or invalid

The error indicates that UAG cannot establish a trusted TLS connection to the RSA Authentication Manager REST API: either no certificate has been uploaded, or the certificate presented by the RSA server is not issued by a CA that UAG trusts.
If the certificate is not trusted:

1. Obtain the certificate from the RSA Server in Base64-encoded DER (PEM) format.
2. Upload the file into UAG by selecting SSL Certificate. The file is usually a .pem or .cer file.
3. Click Save; the configuration should validate OK.
4. Save the settings.

When the certificate is accepted and the settings are validated and saved, authbroker.log on UAG shows:

12/21 17:22:58,166[tomcat-http--29]INFO utils.SecurIDRestClient: Communication with SecurID server: rsa-am2.example.int was successful, configuration updates is all ok.

Once this is saved, you can select SecurID in the Auth Methods field of the Horizon Edge service.

When the RSA Server's REST API certificate on TCP 5555 is self-signed, that is, issued by the RSA Server's own root CA rather than a public CA:

Obtain the root issuer certificate from the RSA Server and use it for the RSA SecurID SSL Certificate upload on UAG. You can use a browser to navigate to the RSA Server and click the certificate warning (Not secure). Click Certificate is not valid to view the certificate chain. On the Details tab, select the root (issuer) certificate, click Copy to File and export it as Base64-encoded X.509 (.CER). The exported issuer certificate file should start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

Uploading this exported .pem/.cer file in the RSA SecurID settings makes UAG trust any REST API certificate on TCP 5555 that is issued by this RSA Server root certificate. The trust therefore covers this RSA Server and any replica RSA Servers in the group that share the same root/issuer certificate. This is useful when UAG reaches the replicated group through a load balancer, for HA and to spread the authentication load.

To test whether the connection from UAG to the RSA AM server works, use the openssl command:

openssl s_client -connect rsa-am3.north.int:5555

The output lists the server certificate and its root/issuer certificate. Add -showcerts to print every certificate the server sends in PEM form, which is a convenient way to obtain the issuer certificate without a browser.
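The following script is an added example, not code from the UAG documentation or from Omnissa or RSA. It pre-checks an exported issuer certificate the way a practitioner would before pasting it into the RSA SecurID settings: the file must be a PEM (Base64 DER between the BEGIN/END markers), it should be the self-signed root rather than the server's leaf certificate, and the REST API server certificate should verify against it. The last certificate in an openssl s_client -showcerts dump is the highest issuer the server sent; it may be an intermediate rather than the root, which is_issuer_cert detects. Only the openssl CLI is needed. The demo constructs a throwaway root CA and server certificate (hostnames hypothetical) and a chain file laid out like s_client output, so it runs offline; fetch_chain is the live variant against a real RSA AM server.

```shell
#!/bin/sh
# Added example, not code from the UAG documentation or from Omnissa/RSA.
# Pre-checks an exported RSA Authentication Manager issuer certificate before
# it is uploaded to the UAG RSA SecurID settings, and confirms that the REST
# API server certificate chains to it. Needs only the openssl CLI.
# The demo builds a throwaway CA and server certificate; hostnames are
# hypothetical.
set -eu

# The upload must be a PEM file: Base64 DER between BEGIN/END markers.
# Windows "Copy to File" exports use CRLF line endings, so CRs are ignored.
check_pem_cert() {
  tr -d '\r' < "$1" | head -n 1 | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
  tr -d '\r' < "$1" | tail -n 1 | grep -q '^-----END CERTIFICATE-----$'   || return 1
  openssl x509 -in "$1" -noout 2>/dev/null                                 || return 1
}

# Is this the root/issuer certificate (self-signed and CA:TRUE) rather than
# the server's own leaf certificate? Uploading the leaf only works until that
# one certificate is renewed and covers no replica servers.
is_issuer_cert() {
  subj=$(openssl x509 -in "$1" -noout -subject); subj=${subj#subject=}
  iss=$(openssl x509 -in "$1" -noout -issuer);   iss=${iss#issuer=}
  [ "$subj" = "$iss" ] || return 1
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Pull the last certificate out of an "openssl s_client -showcerts" dump.
# TLS servers send the leaf first and issuers after it, so the last block is
# the highest issuer the server sent (possibly an intermediate, not the root;
# check it with is_issuer_cert).
last_cert_from_chain() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
       { buf = buf $0 "\n" }
       /-----END CERTIFICATE-----/   { last = buf }
       END { printf "%s", last }' "$1"
}

# Does the server certificate validate against the exported issuer? This is
# the trust relationship UAG needs when it validates the SecurID settings.
verify_against_issuer() {   # verify_against_issuer issuer.pem server.pem
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Live variant (not used by the offline demo): dump the chain an RSA AM server
# presents on its REST API port, e.g. fetch_chain rsa-am3.north.int 5555
fetch_chain() {
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null
}

# Constructed demo input: a throwaway root CA, a server certificate issued by
# it, and a chain file laid out the way s_client -showcerts prints it.
make_demo_chain() {   # make_demo_chain DIR
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo RSA AM Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
    -extensions v3_ca -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj '/CN=rsa-am2.example.int' -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -out "$d/srv.pem" 2>/dev/null
  { echo 'CONNECTED(00000003)'; cat "$d/srv.pem" "$d/ca.pem"; } > "$d/showcerts.txt"
}

demo() {
  d=$(mktemp -d)
  make_demo_chain "$d"
  last_cert_from_chain "$d/showcerts.txt" > "$d/issuer.pem"
  check_pem_cert "$d/issuer.pem" && echo "issuer.pem: PEM markers and parse OK"
  is_issuer_cert "$d/issuer.pem" && echo "issuer.pem: self-signed CA, suitable for upload"
  is_issuer_cert "$d/srv.pem"    || echo "srv.pem: leaf certificate, do not upload this one"
  verify_against_issuer "$d/issuer.pem" "$d/srv.pem" && echo "server cert chains to issuer.pem"
  rm -rf "$d"
}

demo
```

Against a real deployment, replace the demo with fetch_chain rsa-am3.north.int 5555 > showcerts.txt, run last_cert_from_chain on that file, and only upload the result if is_issuer_cert passes; if it fails, the server sent an intermediate and the root must be exported from the RSA Server directly.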
Troubleshooting Unified Access Gateway Configuration for Horizon RSA SecurID Authentication (Horizon Documentation)

This is a child article of Unified Access Gateway: Common Configuration Issues with Authentication Options (90767).