Troubleshooting the Installation (Replicas)

To help you troubleshoot any problems that may occur during, or after, the installation, we have put together a series of frequently asked questions regarding SecurID authentication for an IBM i agent.

Q: How do I register an IBM i agent?
A: The IBM i agents are registered in the same manner as existing SecurID Agents. To do this you must use the Administration facility on the Authentication Manager (ACE/Server). For an IBM i agent the type must be specified as:

“Standard Agent” when using RSA Authentication Manager 7.1 (or later)
“UNIX” when using RSA Authentication Manager earlier than 7.1

Q: Where is the "sdconf.rec" record stored?
A: The "sdconf.rec" record is held within the IBM i Portable Application Solutions Environment (PASE). It is located under /var/ace/sdconf.rec

Q: Where is the node secret stored?
A: The node secret is stored within the IBM i Portable Application Solutions Environment (PASE). It is located under /var/ace/securid

Q: How do I remove the node secret?
A: The node secret can be removed using one of the following:

  1. Calling IBM i command:
    WRKLNK  OBJ('/var/ace/*')
  2. Accessing PASE and calling AIX commands such as cd, rm, etc.
  3. Using a mapped drive on a PC that has access to the /var/ace/ directory within IBM i Integrated File System (IFS)

Q: Why do I keep receiving the message "Cannot initialize client‑server communications"?
A: There are several areas that need to be reviewed:
  1. The TCP/IP host name for the machine running IBM i (on the IBM i) must:
    1. begin with the system name of the machine running IBM i
    2. have the domain name as the suffix. For example:
      • System name: MYIBMI
      • Domain name: XYZ.COM
      • Host name must be: MYIBMI.XYZ.COM
    3. NOTE: If any changes are made within the TCP/IP configuration, on IBM i, TCP/IP must be re-started. The IBM i line description may also need to be "varied off" and "varied on".
  2. When registering the IBM i agent with the RSA Authentication Manager (AM), the AM expects the name and IP address for the IBM i to match the host table entries that are accessible by the AM. If, however, the IBM i entry in the main host table (e.g. DNS) is NOT correct, a local entry for the IBM i may need to be configured within the AM itself.

    Alternatively, configuration file /var/ace/sdopts.rec may be required on the IBM i.

    The entry to be used is:

    CLIENT_IP=< IP Address expected by AM >

    where:
    < IP Address expected by AM > is the IPv4 address that the AM expects the
    IBM i to send data from, e.g. 192.168.23.5

    Such a situation may occur if using virtual address configuration and the IBM i data is being sent and/or routed using a different network interface to the one that is used to identify the IBM i.

    NOTE: When creating or updating /var/ace/sdopts.rec, be sure to use the ‘echo’ command within PASE. Maintaining the file on a platform such as Windows will most likely produce record line endings that UNIX-based systems such as IBM’s PASE do not expect.
  3. The Authentication Manager (ACE/Server) services are not started. Please refer to the appropriate documentation for your Authentication Manager.
  4. The SecurID server job, ACEDTIDS01, is not active
    • Review subsystem, ACEDTI
    • If the ACEDTI subsystem is currently active, run ENDACEDTI
    • To start the ACEDTI subsystem, run command, STRACEDTI
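
The sdopts.rec guidance in item 2 above, as an added example that is not part of the original documentation: shell functions, intended for a PASE shell, that write the CLIENT_IP entry with echo and check an existing file for Windows-style carriage returns and a malformed address. The function names and the scratch file path are assumptions; 192.168.23.5 is the sample address from the text.

```shell
#!/bin/sh
# Added example; the function names are hypothetical, not part of the product.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Write the CLIENT_IP entry with echo so the record ends in a bare LF.
# Returns 2 and leaves the file untouched if the address is not valid IPv4.
write_sdopts() {
    file=$1; ip=$2
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
    echo "CLIENT_IP=$ip" > "$file"
}

# Return 0 if the file is usable, 1 if it contains carriage returns
# (Windows line endings), 2 if CLIENT_IP is missing, repeated or malformed.
check_sdopts() {
    file=$1
    cr=$(printf '\r')
    if grep -q "$cr" "$file"; then
        echo "$file: carriage returns found, recreate it with echo in PASE" >&2
        return 1
    fi
    count=$(grep -c '^CLIENT_IP=' "$file" || true)
    [ "$count" -eq 1 ] || { echo "$file: expected one CLIENT_IP line" >&2; return 2; }
    valid_ipv4 "$(sed -n 's/^CLIENT_IP=//p' "$file")" || return 2
}

# Demo on a scratch file (constructed path); the real file is /var/ace/sdopts.rec.
demo=${TMPDIR:-/tmp}/sdopts.rec.$$
write_sdopts "$demo" 192.168.23.5 && check_sdopts "$demo" && echo "$demo: OK"
rm -f "$demo"
```

Running check_sdopts against /var/ace/sdopts.rec after any edit made from a mapped drive shows whether the file needs to be recreated inside PASE.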

Q: How do I activate server job, ACEDTIDS01?
A: Use the SecurID “Work with TCP/IP port connections” menu option to configure the required port number.

Q: How do I activate SecurID authentication for IBM i sign on?
A: The authentication is activated at the profile level using one of the following for each profile:

  1. Use DetectIT Agent for SecurID Maintenance to activate SecurID authentication
  2. Include the ATHPRF command within the initial program of the IBM i profile

Q: No changes have been made to the profiles but the authentication screen does not appear!
A: For the SecurID authentication screen to be displayed the SecurID must be valid. If the software key has expired, the authentication routine is no longer active.