VMware

vCenter – RSA SecurID authentication issue

So I'm trying to implement RSA SecurID with my vCenter 6.7 deployment (on the latest update). I've followed the guidance I found from VMware for integrating it and have come to a point where I have no idea how to resolve it. I do have a ticket open with VMware support regarding it, so maybe that'll turn something up.

So to lay it out, vCenter and the RSA server both talk to the same identity source (Active Directory over LDAP) and I do have LDAPS configured on both. AD login via username and password to vCenter works perfectly fine. I have RSA SecurID working with my Windows boxes that I've been testing on.

SecurID has been enabled on vCenter and does appear as an option. I've uploaded my sdconf.rec from RSA to vCenter. I have manually created an sdopts.rec file to resolve one line of issue, and created a /securid directory in order to resolve the "securid doesn't exist" that I was getting.

As seen in the log data below it is returning a certificate mismatch, which I'm not sure how to resolve. With Windows there is a server.cer file downloaded from the RSA server that you include when setting up the authentication agent on the Windows box. So I'm not sure if something similar has to be done here.

Also just to specify, the vCenter and the RSA server are both able to resolve the IP/FQDN of the other.


If anyone has any thoughts or ideas, I would love to hear something, as I think I've reached a dead end with my googling on the issue. This is a lab environment and I have scrubbed the log data so


Some log data from /var/log/vmware/sso/rsa_securid.log

```
[2021-05-04 21:01:00,031] FATAL tomcat-http--13 - RSA Authentication API for Java v8.5.0.0.0[1148] started
[2021-05-04 21:01:00,031] INFO tomcat-http--13 - securid is a directory.
[2021-05-04 21:01:00,031] INFO tomcat-http--13 - Default file doesn't exist
[2021-05-04 21:01:00,035] DEBUG tomcat-http--13 - ACEServerDataObject.getData error: /securid (Is a directory)
[2021-05-04 21:01:00,035] DEBUG tomcat-http--13 - Can't get nodeSecret
[2021-05-04 21:01:00,035] INFO tomcat-http--13 - {AuthSessionFactory} Initializing Configuration data
[2021-05-04 21:01:00,036] DEBUG tomcat-http--13 - loadSDConfForConfigRequest AM server list size:1
[2021-05-04 21:01:00,036] DEBUG tomcat-http--13 - loadSDConfForConfigRequest:Server information added to serverLBInfoMaprsa-server.domain.com
[2021-05-04 21:01:00,036] DEBUG tomcat-http--13 - {ResponseTimeBasedLoadBalancer.getBestServerN} N=0, srvMap[0] = rsa-server.domain.com,
[2021-05-04 21:01:00,036] DEBUG tomcat-http--13 - {ResponseTimeBasedLoadBalancer.getBestServerN} N=0, selected server=rsa-server.domain.com
[2021-05-04 21:01:00,036] INFO tomcat-http--13 - {setServerLoadBalanceInfo} dynamic (response time based) load balancer selected
[2021-05-04 21:01:00,037] INFO tomcat-http--13 - Updating the retry count to totalServers-1
[2021-05-04 21:01:00,037] INFO tomcat-http--13 - MaxRetry: 0 Total Servers: 1
[2021-05-04 21:01:00,037] DEBUG tomcat-http--13 - {ResponseTimeBasedLoadBalancer.getBestServerN} N=0, srvMap[0] = rsa-server.domain.com,
[2021-05-04 21:01:00,037] DEBUG tomcat-http--13 - {ResponseTimeBasedLoadBalancer.getBestServerN} N=0, selected server=rsa-server.domain.com
[2021-05-04 21:01:00,037] DEBUG tomcat-http--13 - URL for current CONFIG is http://rsa-server.domain.com:5500/Services/ConfigService
[2021-05-04 21:01:00,037] DEBUG tomcat-http--13 - getConnection: current connection: ServerConnection [ serviceType=CONFIG, serviceURL=http://rsa-server.domain.com:5500/Services/ConfigService, conn=null]
[2021-05-04 21:01:00,045] DEBUG tomcat-http--13 - {handleConfigInit} Config init req: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><cfg:ConfigurationRequest xmlns:stat="http://www.rsa.com/schemas/2008/05/CommonAPI/status" xmlns:cfg="http://www.rsa.com/schemas/2008/05/CommonAPI/configuration" xmlns:xenc10="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><cfg:Agent Name="vcenter-server.domain.new.com" Type="RSA_WEB_AGENT" Version="1.0"><cfg:Host>vcenter-server.domain.new.com</cfg:Host><cfg:Platform>linux</cfg:Platform><cfg:Library Version="8.5.0.0.0[1148]">RSA Authentication API for Java</cfg:Library></cfg:Agent></cfg:ConfigurationRequest>
[2021-05-04 21:01:00,045] DEBUG tomcat-http--13 - processRequest: CONFIG request: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><cfg:ConfigurationRequest xmlns:stat="http://www.rsa.com/schemas/2008/05/CommonAPI/status" xmlns:cfg="http://www.rsa.com/schemas/2008/05/CommonAPI/configuration" xmlns:xenc10="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><cfg:Agent Name="vcenter-server.domain.new.com" Type="RSA_WEB_AGENT" Version="1.0"><cfg:Host>vcenter-server.domain.new.com</cfg:Host><cfg:Platform>linux</cfg:Platform><cfg:Library Version="8.5.0.0.0[1148]">RSA Authentication API for Java</cfg:Library></cfg:Agent></cfg:ConfigurationRequest>
[2021-05-04 21:01:00,045] DEBUG tomcat-http--13 - {updateServerAccessTime} serverLBInfoMap: Key Values: rsa-server.domain.com
[2021-05-04 21:01:00,045] DEBUG tomcat-http--13 - {updateServerAccessTime} serviceHostName = rsa-server.domain.com, accessTime=1620162060045
[2021-05-04 21:01:00,045] DEBUG tomcat-http--13 - initializeConnection: direct connection (no proxy): http://rsa-server.domain.com:5500/Services/ConfigService
[2021-05-04 21:01:00,084] DEBUG tomcat-http--13 - processRequest with XML response: CONFIG response: <?xml version="1.0" encoding="UTF-8"?><cfg:ConfigurationResponse xmlns:cfg="http://www.rsa.com/schemas/2008/05/CommonAPI/configuration" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:stat="http://www.rsa.com/schemas/2008/05/CommonAPI/status" xmlns:xenc10="http://www.w3.org/2001/04/xmlenc#"><stat:Status Status="SUCCESS"/><cfg:Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AuthnServicePort="5500" FailureThreshold="5" RefreshCount="10000" RetryCount="10"><cfg:Pool><cfg:Connection ConnectionTimeout="PT10.000S" InstanceVersion="8.4.0 P 13.0" IsPrimaryInstance="true" Location="rsa-server.domain.com"
[2021-05-04 21:01:00,084] DEBUG tomcat-http--13 - {updateServerResponseTime} serverLBInfoMap: Key Values: rsa-server.domain.com
[2021-05-04 21:01:00,084] DEBUG tomcat-http--13 - {updateServerResponseTime} serviceHostName = rsa-server.domain.com, responseTime=38
<cfg:Connection ConnectionTimeout="PT10.000S" InstanceVersion="8.4.0 P 13.0" IsPrimaryInstance="true" Location="rsa-server.domain.com" ReadTimeout="PT30.000S"/>
[2021-05-04 21:01:00,087] DEBUG tomcat-http--13 - {validateSignCertwithRootCert} ConfigResponse Signing Cert Validation with sdconf.rec root certificate
[2021-05-04 21:01:00,087] FATAL tomcat-http--13 - {validateSignCertwithRootCert} ConfigResponse Signing Cert Validation failed Signature does not match.
[2021-05-04 21:01:00,087] FATAL tomcat-http--13 - {validateConfigResponse} ConfigResponse signing cert validation and verification failed: com.rsa.authagent.authapi.AuthAgentException: Signature Certificate Verification Failed:Signature does not match.
[2021-05-04 21:01:00,087] FATAL tomcat-http--13 - {handleConfigUpdate} ConfigurationResponse(Init) - Response validation & verification failed
[2021-05-04 21:01:00,087] ERROR tomcat-http--13 - Exception processing configuration data Exception processing configuration data Invalid config response from the server: Response validation & verification failed!
```

Documentation I've gone over regarding this:

- [https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.psc.doc/GUID-639F8754-48E1-494B-A232-A8691447C212.html](https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.psc.doc/GUID-639F8754-48E1-494B-A232-A8691447C212.html)
- [https://blogs.vmware.com/vsphere/2016/04/two-factor-authentication-for-vsphere-rsa-securid.html](https://blogs.vmware.com/vsphere/2016/04/two-factor-authentication-for-vsphere-rsa-securid.html)
- [https://blogs.vmware.com/vsphere/2016/04/two-factor-authentication-for-vsphere-rsa-securid-part-2.html](https://blogs.vmware.com/vsphere/2016/04/two-factor-authentication-for-vsphere-rsa-securid-part-2.html)
- [https://kb.vmware.com/s/article/66729](https://kb.vmware.com/s/article/66729)
- [https://community.rsa.com/t5/rsa-securid-access-discussions/rsa-securid-authentication-manager-integration-with-vmware/td-p/598118](https://community.rsa.com/t5/rsa-securid-access-discussions/rsa-securid-authentication-manager-integration-with-vmware/td-p/598118)
- [https://docs.vmware.com/en/VMware-vSphere/6.7/vsphere-esxi-vcenter-server-672-platform-services-controller-administration-guide.pdf](https://docs.vmware.com/en/VMware-vSphere/6.7/vsphere-esxi-vcenter-server-672-platform-services-controller-administration-guide.pdf)


View Reddit by RedFoxVance
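The log excerpt in the post shows a chain of events that is worth reading in order: the agent cannot read a node secret, it fetches its configuration from the Authentication Manager over plain HTTP on port 5500, and it then refuses that configuration because the response's signing certificate does not validate against the root certificate carried in sdconf.rec. Since that channel is not TLS, the signature check against sdconf.rec is the integrity control on it, so the agent rejecting the response is the correct behaviour and the mismatch between the uploaded sdconf.rec and the server's signing certificate is what needs resolving. The following Python script is an added example, not code from the post or from VMware or RSA: it parses lines in the shape of /var/log/vmware/sso/rsa_securid.log, flags the messages above, and picks the most decisive finding. The sample lines are constructed from the post's log, and the signature strings, finding codes and explanations are my own assumptions rather than anything documented by RSA.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of /var/log/vmware/sso/rsa_securid.log
# (messages trimmed from the post; this is not a real capture).
SAMPLE_LOG = """\
[2021-05-04 21:01:00,031] FATAL tomcat-http--13 - RSA Authentication API for Java v8.5.0.0.0[1148] started
[2021-05-04 21:01:00,035] DEBUG tomcat-http--13 - ACEServerDataObject.getData error: /securid (Is a directory)
[2021-05-04 21:01:00,035] DEBUG tomcat-http--13 - Can't get nodeSecret
[2021-05-04 21:01:00,037] DEBUG tomcat-http--13 - URL for current CONFIG is http://rsa-server.domain.com:5500/Services/ConfigService
[2021-05-04 21:01:00,087] DEBUG tomcat-http--13 - {validateSignCertwithRootCert} ConfigResponse Signing Cert Validation with sdconf.rec root certificate
[2021-05-04 21:01:00,087] FATAL tomcat-http--13 - {validateSignCertwithRootCert} ConfigResponse Signing Cert Validation failed Signature does not match.
[2021-05-04 21:01:00,087] ERROR tomcat-http--13 - Exception processing configuration data Invalid config response from the server: Response validation & verification failed!
"""

# Layout: [timestamp] LEVEL thread - message; the separator may be a hyphen or an
# en dash (some copies of these logs come through with the dash converted).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+(?P<thread>\S+)\s+[-\u2013]\s+(?P<msg>.*)$"
)


@dataclass
class Event:
    ts: str
    level: str
    thread: str
    msg: str


def parse_log(text: str) -> List[Event]:
    """Parse log lines; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events


# Message fragments (assumption: my own choice, taken from the post's log) mapped to
# a finding code and a one-line explanation of what the agent is telling us.
SIGNATURES = [
    ("Signing Cert Validation failed", "config_response_signature_mismatch",
     "the ConfigResponse signing certificate did not validate against the root "
     "certificate embedded in sdconf.rec; the agent correctly rejects the config"),
    ("Can't get nodeSecret", "node_secret_missing",
     "no node secret could be read from the agent's data path"),
    ("(Is a directory)", "securid_path_is_directory",
     "the agent expected a data file but found a directory at that path"),
    ("URL for current CONFIG is http://", "config_over_plain_http",
     "the config service is fetched over plain HTTP, so the signature check "
     "against sdconf.rec is the only integrity protection on that channel"),
]

# Most decisive finding first: the agent cannot proceed past a failed signature check.
PRIORITY = [
    "config_response_signature_mismatch",
    "securid_path_is_directory",
    "node_secret_missing",
    "config_over_plain_http",
]


def level_counts(events: List[Event]) -> Dict[str, int]:
    """Count events per log level (FATAL, ERROR, DEBUG, ...)."""
    counts: Dict[str, int] = {}
    for e in events:
        counts[e.level] = counts.get(e.level, 0) + 1
    return counts


def triage(events: List[Event]) -> List[dict]:
    """Return findings in log order; one event matches at most one signature."""
    findings = []
    for e in events:
        for needle, code, detail in SIGNATURES:
            if needle in e.msg:
                findings.append({"ts": e.ts, "level": e.level, "code": code, "detail": detail})
                break
    return findings


def root_cause(findings: List[dict]) -> str:
    """Pick the highest-priority finding code, or 'none' if nothing matched."""
    present = {f["code"] for f in findings}
    for code in PRIORITY:
        if code in present:
            return code
    return "none"


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("levels:", level_counts(evs))
    for f in triage(evs):
        print(f"{f['ts']} {f['level']:5} {f['code']}: {f['detail']}")
    print("root cause:", root_cause(triage(evs)))
```

Run it against a real rsa_securid.log by reading the file into `parse_log` instead of `SAMPLE_LOG`; the `securid_path_is_directory` and `node_secret_missing` findings are the earlier, lower-priority symptoms, while `config_response_signature_mismatch` is the one that stops the agent, which is why the priority list puts it first.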
