000016153 - Under CA Options on RRM, failure when downloading a CRL or CA

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2

Article Content

Article Number: 000016153
Applies To:
RSA Registration Manager (RRM)
RSA Registration Manager 6.8
Microsoft Windows Server 2008 R2
Issue
Under CA Options on RRM, failure when downloading a CRL or CA
Browse to the RM's enrollment portal, select CA Options and try to download a CRL. The download fails with this screen:

!LDAP Search():  [XrcXUDAUNABLE] unable to contact directory server.
Browse to the RM's enrollment portal, select CA Options and attempt to download the CA certificate. The following error occurs:

send-ca-cert.xuda: Line 434: [XrcXUDAUNABLE] unable to contact directory server. Download CA certificate failed.
Cause
RRM needs both ports 389 and 636 open to contact RCM.
Port 389 is still used by RRM to get some objects from RCM.
Accessing a CRL or CA certificate is not considered to be a secure operation (as those are signed objects), so RRM uses the non-SSL port.
Resolution
The following ports must be opened in the firewall to allow communication between RRM and RCM:

Protocol    Port    Transport    Notes
--------    ----    ---------    -----------------------------------------
LDAP         389       TCP       Used to access the XUDA Directory Server
LDAPS        636       TCP       LDAP over SSL

NOTE: This assumes the ports for RCM have not been changed from the defaults during the installation process.
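To confirm from the RRM host whether the firewall is the cause, the following script tests both default ports and distinguishes a silent drop (timeout) from an active refusal. It is an added example, not part of the original article or RSA tooling; the host name rcm.example.internal and the function name Test-TcpPort are placeholders, and only .NET calls available to PowerShell 2.0 on Windows Server 2008 R2 are used.

```powershell
# Added example (not RSA code): TCP reachability check for the default RCM
# directory ports, run from the RRM host.
param(
    [string]$RcmHost = 'rcm.example.internal',  # placeholder: use your RCM host name
    [int[]]$Ports    = @(389, 636),             # defaults from the table above
    [int]$TimeoutMs  = 3000
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout usually means a firewall is dropping packets.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'Timeout' }
        $client.EndConnect($async)   # throws if the connection was refused
        return 'Open'
    }
    catch {
        # .NET exceptions arrive wrapped; the base exception carries the socket error.
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.Net.Sockets.SocketException]) {
            return [string]$base.SocketErrorCode   # e.g. ConnectionRefused, HostNotFound
        }
        return 'Error'
    }
    finally { $client.Close() }
}

$results = foreach ($port in $Ports) {
    New-Object PSObject -Property @{
        Host   = $RcmHost
        Port   = $port
        Result = Test-TcpPort -ComputerName $RcmHost -Port $port -TimeoutMs $TimeoutMs
    }
}
$results | Select-Object Host, Port, Result | Format-Table -AutoSize

# Any port that is not 'Open' needs a firewall rule (or a listener check on RCM).
$blocked = @($results | Where-Object { $_.Result -ne 'Open' })
foreach ($r in $blocked) {
    Write-Warning ("Port {0} not reachable ({1}); check the firewall between RRM and RCM." -f $r.Port, $r.Result)
}
if ($blocked.Count -eq 0) { 'Ports reachable: ' + ($Ports -join ', ') }
```

A result of Open on 636 with Timeout on 389 matches the cause described above: RRM still uses port 389 for the CRL and CA certificate downloads.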
To use only LDAP over SSL (port 636) from RRM to RCM, comment out the following line in the send-ca-cert.xuda file:

[@secureRemote=no]
Legacy Article ID: a57282
