CA TSS and CA AAM RADIUS Configuration with Attachmate Reflection for the Web.


Article ID: 98061


Updated On:

Products

Top Secret
Top Secret - LDAP

Issue/Introduction



The CA TSS and CA AAM RADIUS configuration with Attachmate Reflection for the Web appears not to work.

Environment

Release:
Component: TSSMVS

Resolution

This was related to DNS lookup. The lookup-related calls in CA's code are fine, but the third-party API code used for the RADIUS Client causes the problem; it is a design limitation of that API code. Very early in the RADIUS Client constructor in the API is the following line of Java code:

InetAddress localHost = InetAddress.getLocalHost();

The getLocalHost() function does a reverse lookup of the RADIUS Client machine's IP address using the naming service configured in the operating system, for example DNS. By the API's design, if the routine can't resolve the name, the code raises a RuntimeException(). In this particular case, it couldn't resolve the host name for the local machine of the RADIUS Client, 'SYSC', and the API code raised the exception. This exception stops that instance of the RADIUS Client from instantiating any further, and since no Client ever instantiates, no communication ever occurs with the RADIUS Server.

The limitation is that this code is unavoidable. It is used to set the NAS-ID attribute of the RADIUS packets we send to the RADIUS Server. This is coded in their API and can't be overridden. The options are:

1.) Set up DNS lookup for 'SYSC' so the lookup succeeds.
2.) Set up the /etc/hosts file in USS so the lookup succeeds for 'SYSC'.

So the question becomes: do your PCI requirements prevent you from doing DNS setup for this machine? If "yes", Option 2 might be the best course of action and is probably quicker.

End result: once they defined 'sysc' as local host, they were able to authenticate using AAM/MFA.