000026387 - How to run 125 or more Remote Administration sessions to RSA ACE/Server 6.1.2

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000026387
Applies ToRSA ACE/Server
Remote Administration
UNIX (AIX, HP-UX, Sun Solaris, Solaris)
IssueHow to run 125 or more Remote Administration sessions to RSA ACE/Server 6.1.2
What is the maximum number of Remote Admin sessions that RSA Authentication Manager 6.1 will support?
Error: "Cannot connect with administration server"
After successful authentication with remote administration, the error appears in a dialog box " The server or the system has no more resources. Try a larger -n. [748]. The above mentioned errors appear in syslog file on the server.
Error: "The server or the system has no more resources. Try a larger -n. (748)"
Error: "This account does not have permission to access the log database" appears while trying to run sdadmin on the ACE/Server
Error: "This Account does not have permission to access the log database"
ResolutionRecommended configuration for 125 Remote Admins.
    
-n 125    # Maximum Clients Total
-Mi 6      # Minimum Clients per Server
-Ma 6     # Maximum Clients per Server
-Mn 42   # Maximum number of Servers
 
To achieve more remote admin sessions increase the -Mn and -n values, e.g. for 250 Remote Admins use   -n 250   and  -Mn 84


WorkaroundEdit /opt/ace/rdbms/startup.pf in Linux or C:\Program Files\RSA Security\RSA Authentication Manager\rdbms32\startup.pf in Windows
It does not appear necessary to modify /opt/ace/prog/sdserv.pf or  /opt/ace/prog/sdlog.pf    which are only in Linux
NotesIf you need to allocate ports through a Firewall, Progress introduced the - minport and -maxport switches.  The default -minport is 3000 on Windows (1025 Unix), largest supported -Maxport is 5000 in Windows (2000 Unix).  Be careful if you implement these switches as you could limit the number of remote admin clients.  for Example the following configuration
   -n 200
   -minport 3000
   -maxport 3100
   -Mi 6
   -Ma 6
   -Mn 66
Would allow up to 200 Remote Admin connections through 66 Servers with 6 connections each, but the Maxport would limit the ACE server responses to 100, effectively cutting your Remote Admin configuration in half


Please note that the -n value is dependent upon semaphore configuration values in the kernel. Remote Administration does not use Shared Memory, however, the flags are preallocated because the same processes could be used locally to support other services which would use shared memory and semaphores on single processor systems.

AutoRegistration, RSA standalone RADIUS for Windows and Remote Administration all use the sdadmind process.

The default limit on Solaris is 43 remote admin sessions, without the following modification. The limit occurs because the default number of file handles allowed the shell is 64.
On HP, the default is 60. Use the following modification.
On AIX, the default is 2000, so there should be no need for concern.

There is an additional modification to your system which needs to take place. The change needs to be in effect in the shell from which you launch the "sdconnect start" command. This change is necessary because the sdadmind executable is launched through the sdconnect script. The command is "ulimit -n  1000" if you are using the Bourne shell (sh). This allows processes launched from a given shell to open 'n' file handles. You can determine the current value by doing "ulimit -n".
You can run "man ulimit" to learn about doing this procedure in other shells.
Because this is a shell level variable, it is necessary for the system administrator to decide how to implement the modification for it to be both situationally appropriate and permanent.

    * Same as semmns

Also see Calculate kernel parameters for Remote Administration
Legacy Article IDa486

Attachments

    Outcomes