000029799 - Replica promotion fails in pre-promotion check in RSA Authentication Manager 8.1

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000029799
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
Platform: SuSE Linux

Issue

Authentication Manager 8.1 supports Promotion for maintenance. However, during the pre-promotion check, the replica's Operations Console returns the errors below, which are also recorded in the server/logs/Planned-Promotion-Precheck-xxxxxxxxx.log file.
============================================
Checking that services are running on this instance...
SUCCESS.
Checking Replication Status on this instance...
SUCCESS.
Checking that the primary instance is reachable and healthy...
-- Attempting to reach the Operations Console on the primary instance: lab.test.com...
Checking that all instances are reachable and healthy...
-- Checking continueonerror replication state on: lab.test.com...
-- Checking replication status of replica instances and reachability to other replica instances...
ERROR: The Operations Console on the primary instance is not reachable to check replication status or reachability with other replica instances.
Checking replication status of all RADIUS servers ...
ERROR: Could not access HTTP invoker remote service at [https://lab.test.com:7072/operations-console/dispatcher/HttpInvokerPlannedPromotion]; nested exception is javax.net.ssl.SSLException: Certificate not verified.
Checking that no backup job is currently scheduled on the primary instance: lab.test.com...
ERROR: Could not access HTTP invoker remote service at [https://lab.test.com:7072/operations-console/dispatcher/HttpInvokerPlannedPromotion]; nested exception is javax.net.ssl.SSLException: Certificate not verified.
Checking that no conflicting operations are currently in progress on the primary instance: naqrsapixp1.na.discoverfinancial.com...
ERROR: Could not access HTTP invoker remote service at [https://lab.test.com:7072/operations-console/dispatcher/HttpInvokerPlannedPromotion]; nested exception is javax.net.ssl.SSLException: Certificate not verified.
Checking available disk space on the primary instance lab.test.com...
Checking that the RSA Authentication Manager software version is the same between this instance and the primary instance...
ERROR: The software version of this instance does not match the software version of the primary instance.
Verify the software version and apply any necessary update to an instance. To view or update the software version, in the Operations Console, click Maintenance > Update & Rollback.
Done
============================================


The server/logs/ops-console.log file also shows the following error:
 
============================================
@@@2015-03-08 15:35:58,971 ERROR [PlannedPromoteReplicaPrereqCheck] GUILog.traceException(587) | exception: 
com.rsa.ims.operationsconsole.admin.taskmgr.TaskExecutionException: Error in checking primary instance healthy status: 
    at com.rsa.ims.operationsconsole.admin.promote.planned.tasks.CheckOriginalPrimaryHealthyTask.execute(CheckOriginalPrimaryHealthyTask.java:160)
    at com.rsa.ims.operationsconsole.admin.taskmgr.TaskManager.executeTasks(TaskManager.java:42)
    at com.rsa.ims.operationsconsole.admin.impl.OCManageReplicationImpl$1PlannedPromotePrereqCheckSiteThread.run(OCManageReplicationImpl.java:1101)
    at java.lang.Thread.run(Thread.java:680)
Caused by: org.springframework.remoting.RemoteAccessException: Could not access HTTP invoker remote service at [https://lab.rsa.com:7072/operations-console/dispatcher/HttpInvokerPlannedPromotion]; nested exception is javax.net.ssl.SSLException: Certificate not verified.
    at org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor.convertHttpInvokerAccessException(HttpInvokerClientInterceptor.java:212)
    at org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor.invoke(HttpInvokerClientInterceptor.java:145)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
    at com.sun.proxy.$Proxy69.isServerRunning(Unknown Source)
    at com.rsa.ims.operationsconsole.admin.promote.planned.tasks.CheckOriginalPrimaryHealthyTask.checkOriginalPrimaryAllServersStatus(CheckOriginalPrimaryHealthyTask.java:53)
    at com.rsa.ims.operationsconsole.admin.promote.planned.tasks.CheckOriginalPrimaryHealthyTask.execute(CheckOriginalPrimaryHealthyTask.java:124)
    ... 3 more
Caused by: javax.net.ssl.SSLException: Certificate not verified.
    at com.rsa.sslj.x.aG.b(Unknown Source)
    at com.rsa.sslj.x.aG.a(Unknown Source)
    at com.rsa.sslj.x.aG.a(Unknown Source)
    at com.rsa.sslj.x.ap.c(Unknown Source)
    at com.rsa.sslj.x.ap.a(Unknown Source)
    at com.rsa.sslj.x.ap.a(Unknown Source)
    at com.rsa.sslj.x.ap.a(Unknown Source)
    at com.rsa.sslj.x.am.write(Unknown Source)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    at java.io.BufferedOutputStream.write(BufferedOutputStream.java:104)
    at org.apache.commons.httpclient.HttpConnection.write(HttpConnection.java:974)
    at org.apache.commons.httpclient.HttpConnection.write(HttpConnection.java:942)
    at org.apache.commons.httpclient.HttpConnection.print(HttpConnection.java:1032)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.print(MultiThreadedHttpConnectionManager.java:1604)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequestHeaders(HttpMethodBase.java:2046)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1919)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor.executePostMethod(CommonsHttpInvokerRequestExecutor.java:196)
    at org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor.doExecuteRequest(CommonsHttpInvokerRequestExecutor.java:130)
    at org.springframework.remoting.httpinvoker.AbstractHttpInvokerRequestExecutor.executeRequest(AbstractHttpInvokerRequestExecutor.java:136)
    at org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor.executeRequest(HttpInvokerClientInterceptor.java:192)
    at org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor.executeRequest(HttpInvokerClientInterceptor.java:174)
    at org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor.invoke(HttpInvokerClientInterceptor.java:142)
    ... 8 more
Caused by: com.rsa.sslj.x.aJ: Certificate not verified.
    at com.rsa.sslj.x.bf.a(Unknown Source)
    at com.rsa.sslj.x.bf.a(Unknown Source)
    at com.rsa.sslj.x.bf.a(Unknown Source)
    at com.rsa.sslj.x.aG.a(Unknown Source)
    at com.rsa.sslj.x.aG.a(Unknown Source)
    at com.rsa.sslj.x.ap.c(Unknown Source)
    at com.rsa.sslj.x.ap.a(Unknown Source)
    at com.rsa.sslj.x.ap.a(Unknown Source)
    at com.rsa.sslj.x.ap.a(Unknown Source)
    at com.rsa.sslj.x.am.write(Unknown Source)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
    at java.io.BufferedOutputStream.write(BufferedOutputStream.java:104)
    at org.apache.commons.httpclient.HttpConnection.write(HttpConnection.java:975)
    at org.apache.commons.httpclient.HttpConnection.write(HttpConnection.java:943)
    at org.apache.commons.httpclient.HttpConnection.print(HttpConnection.java:1033)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.print(MultiThreadedHttpConnectionManager.java:1604)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequestHeaders(HttpMethodBase.java:2046)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1920)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor.executePostMethod(CommonsHttpInvokerRequestExecutor.java:197)
    ... 13 more
Caused by: java.security.cert.CertificateException: the certificate chain is not trusted, Could not validate path.
    at com.rsa.sslj.x.ck.a(Unknown Source)
    at com.rsa.sslj.x.ck.checkServerTrusted(Unknown Source)
    at com.rsa.sslj.x.aD.a(Unknown Source)
    ... 37 more
============================================
Resolution

Authentication Manager 8.1 supports Promotion for maintenance, which promotes a replica instance to a primary instance while the original primary instance is online and functioning. An Operations Console administrator can initiate promotion for maintenance from the Operations Console of the replica instance that is to be promoted. After promotion, the original primary instance is demoted to a replica instance.



Before promoting the replica, the promotion process tries to connect to the primary's Operations Console and check the replication status.
The key error here is "the certificate chain is not trusted, Could not validate path".
The default self-signed certificate of the primary's Operations Console has been replaced, but the CA root certificate has not been imported into the replica. The replica therefore cannot verify the primary's certificate and cannot connect to the primary's Operations Console.
The solution is to replace the replica's console certificate with one issued by the same certificate authority, or at least to import the CA root certificate into the replica.
Both are done in Operations Console > Deployment Configuration > Certificate.
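
A triage helper for the ops-console.log trace above, added here as an example and not part of the RSA article or product: it walks the "Caused by:" chain of each "@@@" event to the innermost cause and separates an untrusted certificate chain from other failures, since the precheck output reports both as "not reachable". The sample log is constructed (first event abridged from the excerpt above, second event invented for contrast), and the function name triage is hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: first event abridged from this article's ops-console.log
# excerpt; the second event is invented to show a non-TLS root cause.
SAMPLE_LOG = """\
@@@2015-03-08 15:35:58,971 ERROR [PlannedPromoteReplicaPrereqCheck] GUILog.traceException(587) | exception:
com.rsa.ims.operationsconsole.admin.taskmgr.TaskExecutionException: Error in checking primary instance healthy status:
Caused by: org.springframework.remoting.RemoteAccessException: Could not access HTTP invoker remote service at [https://lab.rsa.com:7072/operations-console/dispatcher/HttpInvokerPlannedPromotion]; nested exception is javax.net.ssl.SSLException: Certificate not verified.
    ... 3 more
Caused by: javax.net.ssl.SSLException: Certificate not verified.
Caused by: java.security.cert.CertificateException: the certificate chain is not trusted, Could not validate path.
    ... 37 more
@@@2015-03-08 16:02:11,004 ERROR [PlannedPromoteReplicaPrereqCheck] GUILog.traceException(587) | exception:
com.rsa.ims.operationsconsole.admin.taskmgr.TaskExecutionException: Error in checking primary instance healthy status:
Caused by: org.springframework.remoting.RemoteAccessException: Could not access HTTP invoker remote service at [https://lab.rsa.com:7072/operations-console/dispatcher/HttpInvokerPlannedPromotion]; nested exception is java.net.ConnectException: Connection refused
Caused by: java.net.ConnectException: Connection refused
"""

EVENT = re.compile(r"^@@@(\S+ \S+) (\w+) \[([^\]]+)\]", re.M)
CAUSE = re.compile(r"^Caused by: ([\w.$]+): (.*)$", re.M)
URL = re.compile(r"\[(https://[^\]]+)\]")


def triage(log_text):
    """Return one finding per '@@@' event, keyed on the innermost 'Caused by'."""
    findings = []
    starts = [m.start() for m in EVENT.finditer(log_text)] + [len(log_text)]
    for begin, end in zip(starts, starts[1:]):
        body = log_text[begin:end]
        causes = CAUSE.findall(body)
        if not causes:
            continue  # event carries no exception chain
        root_class, root_msg = causes[-1]  # last 'Caused by' is the root cause
        url = URL.search(body)
        untrusted = (root_class == "java.security.cert.CertificateException"
                     and "not trusted" in root_msg)
        findings.append({
            "time": EVENT.match(body).group(1),
            "endpoint": urlsplit(url.group(1)).netloc if url else None,
            "root_cause": root_class,
            "verdict": "untrusted_chain" if untrusted else "other",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A verdict of untrusted_chain corresponds to the case this article resolves by importing the CA root certificate on the replica; any other root cause needs separate investigation.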
 

 
