When configuring the RSA Auth Scheme on the Policy Server, it keeps failing with the errors below:
ERROR:[sm-LoginLogout-00850] SmAuthenticate: AceInitialization failed]
ERROR:[sm-Server-02960] Failed to initialize authentication scheme 'RSA MFA Form'] (this is the name of my auth scheme)
Cannot init Auth scheme. leave function.]
How RSA works
- On Linux, the Policy Server uses the RSA libraries to make API calls to the RSA Authentication Manager.
- On Windows with older versions of the Policy Server, an RSA client was needed. With the newer Policy Server for Windows, only the libraries are needed, as on Linux.
Steps required to configure RSA (Linux):
*** RSA Authentication server Side -->
- Create an Agent Host and export its configuration in the sdconf.rec format.
- The sdconf.rec contains the RSA Auth Manager details that are used to register the Policy Server with the RSA Auth Manager.
*** SiteMinder Side -->
- Copy the sdconf.rec to the bin folder under the SiteMinder installation directory.
- Make sure that the user starting the Policy Server has full permissions on the file.
- Make sure that VAR_ACE and USR_ACE point to the bin folder (not to lib, even though lib contains the RSA libraries).
Once the above is completed, the following needs to be done:
1) Start a transaction from the Policy Server to load the auth scheme for the first time, so that registration with the RSA Auth Manager can complete.
2) SiteMinder uses the RSA Auth Manager details in the sdconf.rec to complete registration with the RSA Auth Manager.
3) Once the RSA Auth Manager receives the request from the Policy Server, it sets the "Node Secret Sent" flag and sends the reply to the Policy Server.
4) On the Policy Server side, a file called "securid" is then created under bin, which confirms that registration succeeded.
5) A file called "sdstatus.12" is also created under siteminder_home/bin; it holds the status of the communication with the RSA Auth Manager.
If the RSA Auth Scheme fails to initialize, it can be due to the following:
- Some clients use the sdconf.rec to test the connection via an RSA agent (not SiteMinder).
- The RSA Auth Manager then sets "Node Secret Sent", and the "securid" file is created under the location of the RSA agent used for the test.
- That connection succeeds, but when the same is tried through SiteMinder, the "securid" file is not present under siteminder_home/bin, so initialization of the scheme fails.
For this, as a next action, please perform the following:
1) Shut down the Policy Server.
2) Delete the existing sdconf.rec, securid and "sdstatus.12" files, if any.
3) On the RSA Auth Manager, unflag "Node Secret Sent".
4) Copy the sdconf.rec to siteminder_home/bin.
5) Set VAR_ACE and USR_ACE back to point to your siteminder_home/bin.
6) Start the Policy Server.
7) Initiate the transaction from the Policy Server that initializes the RSA auth scheme.
8) Check that the securid and sdstatus.12 files were created under your siteminder_home/bin.
Once done, the RSA Auth Scheme should initialize properly.
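The following helper is an added example, not part of the original article or of the SiteMinder product: it checks the pre-registration state described in the Linux steps (sdconf.rec present and writable under bin, VAR_ACE and USR_ACE pointing at bin rather than lib) and, after the first transaction, checks that the registration artifacts securid and sdstatus.12 exist. The bin directory path passed as the argument is an assumption; substitute your own siteminder_home/bin.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original article).
# Usage: check_rsa_prereqs /path/to/siteminder_home/bin
#        check_rsa_registered /path/to/siteminder_home/bin
# Each function prints every problem it finds and returns 0 only when
# all checks pass, so it can be used before and after step 7 above.

# State expected BEFORE the first auth-scheme transaction.
check_rsa_prereqs() {
    bin_dir="$1"
    ok=0
    # sdconf.rec must be in bin and fully accessible to the user who
    # starts the Policy Server (the user running this check).
    if [ ! -r "$bin_dir/sdconf.rec" ] || [ ! -w "$bin_dir/sdconf.rec" ]; then
        echo "missing or not readable/writable: $bin_dir/sdconf.rec"
        ok=1
    fi
    # VAR_ACE and USR_ACE must point at bin, not at lib.
    for var in VAR_ACE USR_ACE; do
        eval val="\$$var"
        if [ "$val" != "$bin_dir" ]; then
            echo "$var is '$val', expected '$bin_dir'"
            ok=1
        fi
    done
    return $ok
}

# State expected AFTER the first transaction: the node secret file
# "securid" and the status file "sdstatus.12" must both exist in bin.
# If sdconf.rec is there but securid never appears, suspect the stale
# "Node Secret Sent" flag from an earlier RSA agent test (see above).
check_rsa_registered() {
    bin_dir="$1"
    ok=0
    for f in securid sdstatus.12; do
        if [ ! -f "$bin_dir/$f" ]; then
            echo "registration artifact missing: $bin_dir/$f"
            ok=1
        fi
    done
    return $ok
}
```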