000039235 - Remote AFX Server does not start, there is a SocketException in esb.AFX_INIT.log, and OpenSSL cannot complete an SSL Handshake in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Aug 15, 2020. Last modified by RSA Customer Support Employee on Aug 15, 2020.

Article Content

Article Number: 000039235
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.x, 7.1.x, 7.2.0
 
Issue: The RSA Identity Governance & Lifecycle remote AFX (Access Fulfillment Request) Server fails to start and is unable to communicate with the RSA Identity Governance & Lifecycle application server.

SYMPTOMS:
  • The following message is logged to the $AFX_HOME/esb.AFX_INIT.log file:

2020-08-05 15:56:34.877 [ERROR] com.aveksa.afx.server.init.SubmitInitializationRequestComponent:156 -
Error submitting initialization request to RSA Identity Governance and Lifecycle server!
2020-08-05 15:56:34.878 [ERROR] com.aveksa.afx.server.init.ServerInitializationComponent:79 -
Server initialization failed!
Please correct the issue and restart AFX. org.mule.api.transport.DispatchException:
Failed to route event via endpoint:
DefaultOutboundEndpoint{endpointUri=https://server.domain.com:8444/aveksa/afx/initialization ...
Caused by: java.net.SocketException: Connection reset

  • The following message is logged to the $AFX_HOME/esb.AFX-MAIN.log file:

2020-08-05 15:56:35.812 [ERROR] org.mule.module.launcher.application.DefaultMuleApplication:361 - null
java.lang.IllegalArgumentException: Could not resolve placeholder 'afx.server.activemq.password'
in string value "${afx.server.activemq.password}"

  • Ping and telnet show that RSA Identity Governance & Lifecycle is reachable from the remote AFX Server and is listening on port 8444.

  • If openssl s_client is used to test the TLS listener on port 8444, the TCP connection succeeds but no handshake is completed: the client writes its Client Hello and the connection is reset before a single byte is read back (write errno 104 is ECONNRESET, the same "Connection reset" seen in the AFX log).

>openssl s_client -connect acm-702.vcloud.local:8444
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes

 
Cause: This issue may occur if a firewall rule on a customer network appliance is actively blocking SSL connections on port 8444.

This connection failure resembles other SSL connection issues between AFX and RSA Identity Governance & Lifecycle, except that no additional details about the reason for the SSL failure are reported. The certificates may be perfectly valid; the connection is torn down before the SSL handshake can complete, so the only error reported is the SocketException.
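Added example, not part of the RSA article: a small Python probe that reproduces the openssl s_client check and classifies the outcome, so that a reset before any TLS data comes back (the symptom above) can be told apart from a certificate or protocol failure, which the TLS layer reports with a reason. The local server that stands in for the resetting firewall, and the 127.0.0.1 address, are constructed for illustration.

```python
import socket
import ssl
import struct
import threading

def probe_tls(host, port, timeout=5.0):
    """Attempt a TLS handshake to host:port and classify the outcome:
    tls_ok / tls_error (TLS layer answered but failed: cert, protocol, ...)
    / reset_before_handshake (RST with no TLS data back, the errno=104 symptom)
    / port_closed / no_response."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # diagnosing reachability, not trust
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("tls_ok", tls.version())
    except ConnectionRefusedError:
        return ("port_closed", None)
    except ConnectionResetError as e:        # errno 104 (ECONNRESET) on Linux
        return ("reset_before_handshake", e.errno)
    except ssl.SSLError as e:                # handshake reached a TLS stack
        return ("tls_error", e.reason)
    except socket.timeout:
        return ("no_response", None)

def start_resetting_server():
    """Constructed stand-in for the firewall: completes the TCP handshake,
    swallows the Client Hello, then tears the connection down with an RST."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)

    def serve():
        with srv:
            conn, _ = srv.accept()
            conn.recv(4096)                  # the Client Hello, never answered
            # SO_LINGER with a zero timeout makes close() send RST, not FIN
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(probe_tls("127.0.0.1", start_resetting_server()))
```

Against a real host, a result of tls_error means the Client Hello reached a TLS stack and the problem lies in certificates or protocol settings, while reset_before_handshake with nothing read back points at the path between the two servers.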

A packet capture on the remote AFX Server shows the SSL Client Hello being sent to RSA Identity Governance & Lifecycle (frame 4), after which the TCP connection is terminated by an RST packet injected into the network stream (frame 5).

1 2020-08-07 10:20:11.892861   10.10.10.1     56036  10.10.10.10     8444   TCP     76    56036 → 8444 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1845193795 TSecr=0 WS=512
2 2020-08-07 10:20:11.893467   10.10.10.10     8444   10.10.10.1     56036  TCP     68    8444 → 56036 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=512
3 2020-08-07 10:20:11.893484   10.10.10.1     56036  10.10.10.10     8444   TCP     56    56036 → 8444 [ACK] Seq=1 Ack=1 Win=29696 Len=0
4 2020-08-07 10:20:11.897759   10.10.10.1     56036  10.10.10.10     8444   TLSv1   303  Client Hello
5 2020-08-07 10:20:11.898108   10.10.10.10     8444   10.10.10.1     56036  TCP     62    8444 → 56036 [RST, ACK] Seq=1 Ack=248 Win=29696 Len=0

A packet capture on the RSA Identity Governance & Lifecycle server shows that the SSL Client Hello sent by the AFX Server never arrived: only the TCP handshake is seen, and the connection is then terminated by an RST packet injected into the network stream.

100 2020-08-07 11:04:54.437776    10.10.10.1      56870  10.10.10.10     8444   TCP     76    56870 → 8444 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=512
102 2020-08-07 11:04:54.438132    10.10.10.1      56870  10.10.10.10     8444   TCP     62    56870 → 8444 [ACK] Seq=1 Ack=1 Win=29696 Len=0
103 2020-08-07 11:04:54.442732    10.10.10.1      56870  10.10.10.10     8444   TCP     62    56870 → 8444 [RST, ACK] Seq=1 Ack=1 Win=29696 Len=0

Resolution: Have the network administrator remove the firewall rule that is blocking SSL connections to port 8444.