Remote AFX Server does not start, there is a SocketException in esb.AFX_INIT.log, and OpenSSL cannot complete an SSL Handshake in RSA Identity Governance & Lifecycle

« Go Back

Header

Title	Remote AFX Server does not start, there is a SocketException in esb.AFX_INIT.log, and OpenSSL cannot complete an SSL Handshake in RSA Identity Governance & Lifecycle

URL Name	Remote-AFX-Server-does-not-start-there-is-a-SocketException-in-esb-AFX-INIT-log-and-OpenSSL-cannot-complete-an-SSL-Handshake-in-RSA-Identity-Governance-Lifecycle

Summary	Remote AFX Server does not start, there is a SocketException in esb.AFX_INIT.log, and OpenSSL cannot complete an SSL Handshake in RSA Identity Governance & Lifecycle

Validation Status	Work in Progress

Age	1,360.87

Article Content

Translate To

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.x, 7.1.x, 7.2.0

Issue

The RSA Identity Governance & Lifecycle remote AFX (Access Fulfillment Request) Server fails to start and is unable to communicate with the RSA Identity Governance & Lifecycle application server.

SYMPTOMS:

The following message is logged to the $AFX_HOME/esb.AFX_INIT.log file.

2020-08-05 15:56:34.877 [ERROR] com.aveksa.afx.server.init.SubmitInitializationRequestComponent:156 - 
Error submitting initialization request to RSA Identity Governance and Lifecycle server! 
2020-08-05 15:56:34.878 [ERROR] com.aveksa.afx.server.init.ServerInitializationComponent:79 - 
Server initialization failed! 
Please correct the issue and restart AFX. org.mule.api.transport.DispatchException: 
Failed to route event via endpoint: 
DefaultOutboundEndpoint{endpointUri=https://server.domain.com:8444/aveksa/afx/initialization ... 
Caused by: java.net.SocketException: Connection reset

The following message is logged to the $AFX_HOME/esb.AFX-MAIN.log file:

2020-08-05 15:56:35.812 [ERROR] org.mule.module.launcher.application.DefaultMuleApplication:361 - null
java.lang.IllegalArgumentException: Could not resolve placeholder 'afx.server.activemq.password' 
in string value "${afx.server.activemq.password}"

Ping and telnet show that RSA Identity Governance & Lifecycle is reachable from the remote AFX Server and is listening on port 8444.

If openssl is used to test the SSL bind on port 8444, the connection appears to succeed but no handshake is completed.

>openssl s_client -connect acm-702.vcloud.local:8444
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes

Cause

This issue may occur if a firewall rule on a customer network appliance is actively blocking SSL connections on port 8444.

This connection failure is similar to other SSL connection issues between AFX and RSA Identity Governance & Lifecycle except there are no additional details about the reasons for the SSL failure. The certificates may be correct but the SSL connection is being abandoned before the SSL handshake can be completed. The only failure is the SocketException.

A packet capture on the remote AFX Server will show that the SSL Client Hello is being sent to RSA Identity Governance & Lifecycle but the TCP transmission is being terminated by an RST packet inserted into the network stream.

1 2020-08-07 10:20:11.892861   10.10.10.1     56036  10.10.10.10     8444   TCP     76    56036 → 8444 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1845193795 TSecr=0 WS=512
2 2020-08-07 10:20:11.893467   10.10.10.10     8444   10.10.10.1     56036  TCP     68    8444 → 56036 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=512
3 2020-08-07 10:20:11.893484   10.10.10.1     56036  10.10.10.10     8444   TCP     56    56036 → 8444 [ACK] Seq=1 Ack=1 Win=29696 Len=0
4 2020-08-07 10:20:11.897759   10.10.10.1     56036  10.10.10.10     8444   TLSv1   303   Client Hello
5 2020-08-07 10:20:11.898108   10.10.10.10     8444   10.10.10.1     56036  TCP     62    8444 → 56036 [RST, ACK] Seq=1 Ack=248 Win=29696 Len=0

A packet capture on the RSA Identity Governance & Lifecycle server will show that the SSL Client Hello message did not reach the AFX Server and that the TCP transmission was terminated by an RST packet that was inserted into the network stream.

100 2020-08-07 11:04:54.437776    10.10.10.1      56870  10.10.10.10     8444   TCP     76    56870 → 8444 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=512
102 2020-08-07 11:04:54.438132    10.10.10.1      56870  10.10.10.10     8444   TCP     62    56870 → 8444 [ACK] Seq=1 Ack=1 Win=29696 Len=0
103 2020-08-07 11:04:54.442732    10.10.10.1      56870  10.10.10.10     8444   TCP     62    56870 → 8444 [RST, ACK] Seq=1 Ack=1 Win=29696 Len=0

Resolution

Have the network administrator remove the firewall rule preventing SSL binds to port 8444.

Workaround

Notes

Legacy Article ID 000039235

Article Settings

Audience	External

Article Source	Case

Original Article Author	Ian Staines

Original Created Date	8/14/2020 7:47 PM

Owner	Ian Staines

Article Assignment

Assigned To

Assigned By

Assignment Note

Assignment Due Date

Article Properties

Publication Status	Published

Article Type	Knowledge

Article Number	000043832

Created By	Ian Staines

Last Modified By	Venkata SamanthKumarAtchuta

Language	English