000014094 - RSA Authentication Manager 7.1 Node Manager service does not start

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000014094
Applies To: RSA Authentication Manager 7.1
Issue: RSA Authentication Manager 7.1 Node Manager service does not start

The error "failed hostname verification check" appears in the nodemanager_winservice.log file, which is located at:
C:\Program Files\RSA Security\RSA Authentication Manager\appserver\weblogic\common\nodemanager\logs\nodemanager_winservice.log
Example:
javax.net.ssl.SSLKeyException: [Security:090504]Certificate chain received from sec-ace-p01 - 10.183.1.1 failed hostname verification check. Certificate contained sec-ace-p01.soka-bau.de but check expected sec-ace-p01
INFO | jvm 1 | srvmain | 2009/02/17 21:19:04 | <17.02.2009 21.19 Uhr CET> <Warning> <Security> <BEA-090482> <BAD_CERTIFICATE alert was received from sec-ace-p01 - 10.183.1.1. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.> 


 


You will notice several connections on port 5556/tcp in CLOSE_WAIT or FIN_WAIT_2 state when you run:
netstat -an | find "5556"
Notes

If the hostname resolves to a name other than the one specified when RSA Authentication Manager 7.1 was installed, the RSA Authentication Manager Node Manager service will not start. If a fully qualified hostname was specified at installation and the hosts file is later modified inadvertently so that a short hostname is listed, the RSA Authentication Manager Node Manager service will not start. Also verify that the hostname in reverse DNS is correct by typing:


nslookup <IP address>   (use the IP address, NOT the name, of the RSA server)


 

The hostname specified at the time of installation can be identified with the following steps.


1. Run the following command on the command line:


C:\Program Files\RSA Security\RSA Authentication Manager\utils>rsautil manage-secrets -a listall


2. The output of the above command lists several fields with their corresponding values. Note the value of Identity Certificate Key Store Password.


   Example: Identity Certificate Key Store Password ....: IJ47waYN6x


   This value is used in the next step.


3. Run the following command on the command line:


C:\Program Files\RSA Security\RSA Authentication Manager\appserver\jdk\bin>keytool -list -keystore "C:\Program Files\RSA Security\RSA Authentication Manager\server\security\<servername>.jks" -storepass (password) -v


Example:


C:\Program Files\RSA Security\RSA Authentication Manager\appserver\jdk\bin>keytool -list -keystore "C:\Program Files\RSA Security\RSA Authentication Manager\server\security\bedweiser.jks" -storepass IJ47waYN6x -v


Note: In the above command, "bedweiser.jks" is the keystore file in the security folder, named after the server. Check the file name in C:\Program Files\RSA Security\RSA Authentication Manager\server\security\ and substitute the file name from your server.


The "Owner: CN=" field confirms the actual hostname specified at the time of installation. A portion of sample output from the above command is shown below:


Alias name: rsa_am_key
Creation date: Jul 3, 2008
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:

Owner: CN=bedweiser.na.rsa.net         <-- Note this value; check the value in your own output.
Issuer: CN=RSA Authentication Manager Root CA
Serial number: -1e04e2a691000fb88871c25d9302a633
Valid from: Wed Jul 02 14:58:08 EDT 2008 until: Fri Jul 03 14:58:08 EDT 2048
Certificate fingerprints:
         MD5:  2B:B7:59:40:81:D3:69:73:DE:F7:F9:DA:58:B8:4B:2D
         SHA1: 51:F2:BD:62:84:22:BE:87:F9:66:65:C4:3C:DB:B1:AC:3F:7A:01:55
Certificate[2]:
Owner: CN=RSA Authentication Manager Root CA
Issuer: CN=RSA Authentication Manager Root CA
Serial number: 3d8e2693d30cb89fa9542efe1d71dd8b
Valid from: Wed Jul 02 14:58:06 EDT 2008 until: Fri Jul 03 14:58:06 EDT 2048
Certificate fingerprints:
         MD5:  BD:BB:BE:49:67:22:4B:91:58:FB:F8:73:C3:E3:EA:60
         SHA1: 82:51:2F:F9:B8:43:D7:D7:33:65:8D:3E:14:90:09:1F:AF:A1:CB:11


Edit the /etc/hosts file and DNS so that the hostname matches the one listed in the above output, then start the RSA Authentication Manager Node Manager service. See also: RSA Authentication Manager Node Manager fails to start.
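
The comparison this article walks through, as an added Python example (not RSA code): it pulls the two names out of the "failed hostname verification check" log line, reads the Owner CN of the rsa_am_key entry from keytool -list -v output, and classifies the mismatch. The function names, the diagnosis labels and the case-insensitive comparison are assumptions; the sample inputs are trimmed from the excerpts in this article.

```python
import re

# Sample inputs trimmed from this article's log excerpt and keytool output.
LOG_LINE = ("javax.net.ssl.SSLKeyException: [Security:090504]Certificate chain "
            "received from sec-ace-p01 - 10.183.1.1 failed hostname verification "
            "check. Certificate contained sec-ace-p01.soka-bau.de but check "
            "expected sec-ace-p01")
KEYTOOL_OUTPUT = """\
Alias name: rsa_am_key
Certificate chain length: 2
Certificate[1]:
Owner: CN=bedweiser.na.rsa.net
Issuer: CN=RSA Authentication Manager Root CA
Certificate[2]:
Owner: CN=RSA Authentication Manager Root CA
"""
MISMATCH_RE = re.compile(
    r"received from (?P<peer>\S+) - (?P<ip>\S+) failed hostname verification "
    r"check\. Certificate contained (?P<cert_name>\S+) but check expected "
    r"(?P<expected>\S+)")

def parse_mismatch(line):
    """Return peer, ip, cert_name and expected from a 090504 log line, or None."""
    m = MISMATCH_RE.search(line)
    return m.groupdict() if m else None

def leaf_cn(keytool_text, alias="rsa_am_key"):
    """Return the Owner CN of Certificate[1] under the given alias, or None."""
    in_alias = in_leaf = False
    for raw in keytool_text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            in_alias = line.split(":", 1)[1].strip() == alias
            in_leaf = False
        elif in_alias and line.startswith("Certificate["):
            in_leaf = line.startswith("Certificate[1]")  # skip the CA certificate
        elif in_alias and in_leaf and line.startswith("Owner:"):
            m = re.search(r"CN=([^,\s]+)", line)
            return m.group(1) if m else None
    return None

def diagnose(cert_cn, resolved_name):
    """Classify a certificate CN against the name the host resolves to.
    Assumption: names compare case-insensitively, ignoring a trailing dot."""
    a, b = cert_cn.lower().rstrip("."), resolved_name.lower().rstrip(".")
    if a == b:
        return "match"
    if a.split(".")[0] == b.split(".")[0] and ("." in a) != ("." in b):
        return "short-vs-fqdn"  # the hosts-file case described in the Notes
    return "different-host"
```

Pass diagnose() the CN from leaf_cn() and the name that nslookup returns for the server's IP address; any result other than "match" means the hosts file or DNS still needs correcting.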

Legacy Article ID: a45896
