000030200 - How to specify the SSL bind mode for DPM console to RSA Access Manager

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000030200
Applies To:
RSA Product Set: Key Manager
RSA Product/Service Type: Key Manager Server
RSA Version/Condition: 3.2
Platform: Windows
Platform (Other): null
O/S Version: 2008 Server R2 x64
Product Name: RSA-0010270
Product Description: RSA Application Data Protection
Issue

DPM fails to load the console and logs the following error in the key-manager-debug.log file:

2015-04-27 09:07:13,995 ERROR ajp-bio-8009-exec-1 - Client : Internal, Failed to connect to AccessManager using host 'localhost' and port '5608'.

The following entry is logged in the keymanager.log file, indicating that the client is attempting to communicate in CLEAR mode with the dispatcher:

05 May 2015 15:22:06,427 1430864517816 INFO ajp-bio-8009-exec-1 - Client : Internal, Creating AxM connection with decriptor: localhost:5608:clear

The RSA Access Manager dispatcher logs the following error in dispatcher.log (or lserver.log), indicating that an unknown client on localhost is attempting to connect in CLEAR mode to the dispatcher's ANON SSL listen port:

sequence_number=6,2015-04-29 11:09:05:695 PDT,messageID=0,event_type=Error,error=javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?,description=Error handling client connection from 127.0.0.1/127.0.0.1:49831

Resolution

The DPM console uses an RSA Access Manager runtimeAPI connection to validate users against the RSA Access Manager servers.

This module attempts to establish a TCP/IP connection to the dispatcher listen port, 5608.

The SSL mode of the DPM runtimeAPI client must match that of the RSA Access Manager system, as defined in the dispatcher.conf file by the following setting:

cleartrust.net.ssl.use=anon

By default, DPM 3.4 and earlier is hard-coded to connect to the dispatcher in ANON SSL mode. This is not configurable.

In DPM 3.5 this was changed so that the SSL mode can be selected between CLEAR and ANON. If the DPM appliance is used, all RSA Access Manager servers should be configured for CLEAR mode; the DPM appliance uses CLEAR by default. If the DPM server is used, the RSA Access Manager servers should be configured for ANON mode and the DPM configuration should be changed to support ANON mode.

The SSL mode the DPM client uses to connect to RSA Access Manager is specified in a Java system property. To set it, pass one of the following options on the Java command line:

For CLEAR mode, set the axm_ssl system property to CLEAR:
-Daxm_ssl=CLEAR

For ANON mode, set the axm_ssl system property to ANON (or leave it unset):
-Daxm_ssl=ANON

For RSA Key Manager server on Windows this is done via Tomcat's Windows service configuration tool. In Tomcat's install folder run tomcat6w.exe (note the "w" in the filename). Go to the Java tab, JVM Options, and in the same place where "-Dkeymanager.working.dir=c:/your/KMS/conf" is defined, add a new entry "-Daxm_ssl=anon".
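As an added example (not part of this RSA article and not an RSA tool), the following Python script checks both sides of the mismatch the article describes before anyone restarts services: it reads cleartrust.net.ssl.use from dispatcher.conf, derives the client mode from the Tomcat JVM options (-Daxm_ssl, defaulting to ANON when unset, as in DPM 3.5), and confirms what the client actually did from the "Creating AxM connection with decriptor" line in keymanager.log. Every input is a constructed sample in the formats the article shows; the function names and the comparison logic are assumptions of this example, not RSA code.

```python
"""Check that the DPM runtimeAPI client's SSL mode matches the Access Manager dispatcher."""
import re

# Constructed sample inputs (not captured from a real system).
SAMPLE_DISPATCHER_CONF = """\
# dispatcher.conf excerpt (constructed sample)
cleartrust.net.ssl.use=anon
"""

# JVM options as they would appear in the Tomcat service's Java tab (constructed samples).
SAMPLE_JVM_OPTIONS_BROKEN = [
    "-Dkeymanager.working.dir=c:/your/KMS/conf",
    "-Daxm_ssl=CLEAR",
]
SAMPLE_JVM_OPTIONS_FIXED = [
    "-Dkeymanager.working.dir=c:/your/KMS/conf",
    "-Daxm_ssl=ANON",
]

# keymanager.log line in the article's format (constructed sample). The product's own
# spelling "decriptor" is kept so the pattern matches real log entries.
SAMPLE_KEYMANAGER_LOG = (
    "05 May 2015 15:22:06,427 1430864517816 INFO ajp-bio-8009-exec-1 - Client : Internal, "
    "Creating AxM connection with decriptor: localhost:5608:clear\n"
)

DESCRIPTOR_RE = re.compile(
    r"Creating AxM connection with decriptor: (?P<host>[^:\s]+):(?P<port>\d+):(?P<mode>\w+)"
)


def dispatcher_ssl_mode(conf_text):
    """Return cleartrust.net.ssl.use from dispatcher.conf, upper-cased, or None if absent."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "cleartrust.net.ssl.use":
            return value.strip().upper()
    return None


def client_ssl_mode_from_jvm_options(options):
    """Mode the DPM 3.5+ client will use: the -Daxm_ssl value, or ANON when it is unset."""
    for opt in options:
        if opt.startswith("-Daxm_ssl="):
            return opt.split("=", 1)[1].strip().upper()
    return "ANON"


def client_ssl_mode_from_log(log_text):
    """Mode actually used, from the last AxM connection descriptor in keymanager.log."""
    mode = None
    for line in log_text.splitlines():
        m = DESCRIPTOR_RE.search(line)
        if m:
            mode = m.group("mode").upper()
    return mode


def check_ssl_modes(conf_text, jvm_options, log_text=""):
    """Compare dispatcher and client SSL modes and return the findings as a dict."""
    server = dispatcher_ssl_mode(conf_text)
    configured = client_ssl_mode_from_jvm_options(jvm_options)
    observed = client_ssl_mode_from_log(log_text)
    client = observed or configured  # what the log shows beats what the options imply
    findings = []
    if server is None:
        findings.append("cleartrust.net.ssl.use not found in dispatcher.conf")
    if observed and observed != configured:
        findings.append(f"keymanager.log shows {observed} but the JVM options yield {configured}")
    if server and server != client:
        findings.append(
            f"client uses {client} but the dispatcher expects {server}: set -Daxm_ssl={server} "
            f"on the DPM server, or configure every Access Manager server for {client}"
        )
    return {
        "dispatcher_mode": server,
        "client_mode": client,
        "match": bool(server) and server == client,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, opts, log in (
        ("as logged", SAMPLE_JVM_OPTIONS_BROKEN, SAMPLE_KEYMANAGER_LOG),
        ("after setting -Daxm_ssl=ANON", SAMPLE_JVM_OPTIONS_FIXED, ""),
    ):
        print(label, check_ssl_modes(SAMPLE_DISPATCHER_CONF, opts, log))
```

The log-derived mode takes precedence over the configured one because the descriptor line records what the running JVM actually used, which is what the dispatcher's "plaintext connection?" error is reacting to.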
