000011769 - RCM CRL not being generated automatically per crl timer configuration

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000011769

Applies To: RSA Certificate Manager 6.8
RSA Certificate Manager 6.8 HA
Microsoft Windows Server 2003 SP2
ADAM High Availability
Certificate Revocation List (CRL)

Issue: RCM CRL not being generated automatically per crl timer configuration

The following error appears in various places in trace.log:

2011/01/03 13:32:20 ldap 1556 2884 D:\RCM\CERTMGR-3837\strong-sentry\ldap\ldap-3.3-hodges\servers\slapd\crltimer.c:4016 Automatic complete CRL generation Failed.
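
An added example, not part of the original article or of RSA's tooling: a Python scan of trace.log lines for this failure message, counted per day, so that a CRL that has stopped regenerating is noticed before relying parties keep trusting revoked certificates. The field layout is inferred from the single log line quoted above, the two numeric fields are assumed to be process and thread ids, and every sample line except the first is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Layout inferred from the one trace.log line quoted in the article:
#   date time component <num> <num> source-file:line message
# Assumption: the two numeric fields are process and thread ids.
TRACE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<component>\S+) (?P<pid>\d+) (?P<tid>\d+) "
    r"(?P<source>.+?):(?P<line>\d+) (?P<message>.*)$"
)
FAILURE_TEXT = "Automatic complete CRL generation Failed."


def parse_trace_line(line):
    """Return a dict of fields, or None if the line does not match the layout."""
    m = TRACE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    rec["line"] = int(rec["line"])
    return rec


def crl_failures(lines):
    """Collect every automatic CRL generation failure in the given lines."""
    hits = []
    for raw in lines:
        rec = parse_trace_line(raw)
        if rec and rec["message"].strip() == FAILURE_TEXT:
            hits.append(rec)
    return hits


def failures_per_day(lines):
    """Count failures per calendar day to show how long the CRL has been stale."""
    return Counter(r["ts"].date().isoformat() for r in crl_failures(lines))


# First line is the one quoted in the article; the others are constructed samples.
SAMPLE = [
    r"2011/01/03 13:32:20 ldap 1556 2884 D:\RCM\CERTMGR-3837\strong-sentry\ldap\ldap-3.3-hodges\servers\slapd\crltimer.c:4016 Automatic complete CRL generation Failed.",
    r"2011/01/03 13:32:21 ldap 1556 2884 D:\RCM\constructed\example.c:10 Constructed unrelated message",
    r"2011/01/04 13:32:20 ldap 1556 2884 D:\RCM\CERTMGR-3837\strong-sentry\ldap\ldap-3.3-hodges\servers\slapd\crltimer.c:4016 Automatic complete CRL generation Failed.",
    "not a trace line",
]
```

Pass the lines of the real trace.log to `failures_per_day` in place of `SAMPLE`; a count on consecutive days means the published CRL has not been refreshed by the timer in that period.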


If RCM is configured with an external LDAP (i.e., only one instance of RCM), crl timers are disabled by default. To use crl timers, follow the steps in the "Using Revocation List Timers with High Availability" section on page 212 of the RSA Certificate Manager Administrator's Guide.

In the "High Availability Configuration - Revocation List Generators" configuration, values for the primary instance and the Health check period can be configured even if a secondary is not configured for HA.

Cause: A problem in configuring the HostName (FQDN) and Secure Directory server secure port in Revocation List Timers - High Availability. The configured details were Primary HostName: rcm1.acme.com, Port: 636.

Resolution: For RCM CRL H/A configuration, using the FQDN for the primary host works fine in most scenarios. However, depending on the host machine's network configuration, RCM might detect the hostname as either an FQDN or a short hostname.
In this situation, using the short hostname (i.e., rcm1) instead of the FQDN as the primary HostName resolved the issue.

Notes: Refer to the article "Revocation List Timers - High Availability not working" for a tool that can help find out the hostname string that RCM would come up with during startup.

Legacy Article ID: a53778