000039196 - Web Tier status offline/Reinstall status changes to pending connection for RSA Authentication Manager 8.4

Document created by RSA Customer Support Employee on Aug 6, 2020
Version 1

Article Content

Article Number: 000039196
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4.0, 8.4.0.7.0, 8.4.0.13.0
Platform: Linux
Platform (Other): Web Tier
O/S Version: SUSE Linux 11.4, RHEL 7.x on Web Tier

Issue
The RSA Authentication Manager Web Tier status changes to offline, while some Web Tiers still work.

Other symptoms appear in the AdminServer, biztier and console logs on RSA Authentication Manager, as shown in the log snippets below:

2020-08-01 17:54:33,032, [[ACTIVE] ExecuteThread: '30' for queue: 'weblogic.kernel.Default (self-tuning)'],
(WebTierConfigurationAdministrationImpl.java:367),
trace.com.rsa.authmgr.internal.admin.webtier.impl.WebTierConfigurationAdministrationImpl,
ERROR, <Primary.com>,,,,Fail to Pack Webtier Customization to latest versioncom.rsa.authmgr.internal.admin.webtier.WebtierConfigurationsPackageException:
Fail to Pack Webtier Customization to latest version



Aug 1, 2020 5:22:35,436 PM EDT> <Notice> <Security> <'primary'> <biztier> <[ACTIVE] ExecuteThread: '3' for queue:
'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <BEA1-2215EA2996AC4262E80E> <6a0372a1-bc44-4226-81b9-4a0b61d65179-00000055>
<1596316955436> <[severity-value: 32] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-090171>*
<Loading the identity certificate and private key stored under the alias server_identity_key_webserver
from the jks keystore file /opt/rsa/am/server/security/biztier-identity.jks.>*



2020-08-01 18:42:27,540, [[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'], (WebTierConfigurationAdministrationImpl.java:543),
trace.com.rsa.authmgr.internal.admin.webtier.impl.WebTierConfigurationAdministrationImpl, INFO, <Primary.com>,,,,Exception in thread "main" :
error running fixcrlf on file /opt/rsa/am/config/src/scripts/Config.groovy.orig



2020-08-01 18:42:27,552, [[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'], (WebTierConfigurationAdministrationImpl.java:543),
trace.com.rsa.authmgr.internal.admin.webtier.impl.WebTierConfigurationAdministrationImpl, INFO, <Primary.com>,,,,
Caused by: java.io.FileNotFoundException: /opt/rsa/am/config/src/scripts/Config.groovy.orig (Permission denied)


Also, the Web Tier directory /opt/RSASecurity/RSAAuthenticationManagerWebTier/server does not exist. It is created during a Web Tier update.

Cause
When following article 000037358 - Increase biztier and console heapsizes to address console memory allocation errors for RSA Authentication Manager 8.3 and higher, the user made a backup copy of /opt/rsa/am/config/src/scripts/config.groovy as the root user rather than as the rsaadmin user. A permissions issue on files in /opt/rsa/am/config/src/scripts/ prevents an update of the Web Tiers, and causes the Web Tiers to be offline or have a connection status of Pending.

The Web Tiers fail to update because the Config.groovy.orig file is owned by root and therefore cannot be read by rsaadmin. Even though this is a backup file, it still resides in the /opt/rsa/am/config/src/scripts/ directory and causes this particular problem.

Resolution
To correct the issue:
  1. Elevate to the root user.
  2. Delete or move the Config.groovy.orig file to a different directory path. 


mv Config.groovy.orig /tmp


  3. Optionally, change ownership and group on the file to rsaadmin.


chown rsaadmin:rsaadmin Config.groovy.orig




Immediately after /opt/rsa/am/config/src/scripts/Config.groovy.orig (owned by root, root) was removed from the RSA Authentication Manager primary server, all the Web Tiers started to change status to online.

The /opt/RSASecurity/RSAAuthenticationManagerWebTier/server directory was created on the Web Tiers.
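
A check for the condition described under Cause, added here as an example and not taken from RSA's article or tooling: it extracts the path from "Permission denied" log lines and lists files in that directory whose owner is not the expected account. The function names, the sample log text and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example, not RSA code. Assumes GNU stat (Linux).
# Function names are hypothetical.

# Constructed sample input: the "Caused by" line quoted in the article plus one
# unrelated, made-up line to show that only permission failures are reported.
SAMPLE_LOG='INFO, <Primary.com>,,,,Web Tier update started
Caused by: java.io.FileNotFoundException: /opt/rsa/am/config/src/scripts/Config.groovy.orig (Permission denied)'

# denied_paths: read log text on stdin, print each distinct path that a
# FileNotFoundException reported as "Permission denied".
denied_paths() {
    sed -n 's|.*FileNotFoundException: \(/[^ ]*\) (Permission denied).*|\1|p' | sort -u
}

# foreign_owned DIR OWNER: print "path<TAB>owner" for every regular file
# directly inside DIR (dotfiles included) that is not owned by OWNER.
foreign_owned() {
    dir=$1
    owner=$2
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue          # skips unmatched globs and subdirectories
        actual=$(stat -c '%U' "$f") || continue
        [ "$actual" = "$owner" ] || printf '%s\t%s\n' "$f" "$actual"
    done
}

# Demo: for each path named in the sample log, audit its directory for files
# the rsaadmin account does not own. Prints nothing on a host without that path.
printf '%s\n' "$SAMPLE_LOG" | denied_paths | while read -r p; do
    foreign_owned "$(dirname "$p")" rsaadmin
done
```

On the primary server, feed the real log text to denied_paths in place of SAMPLE_LOG; any line printed by foreign_owned names a file to move or chown as in the resolution steps.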
