There is a troubleshooting guide available at https://sftp.rsa.com/human.aspx?Username=support&password=Password1&arg12=downloaddirect&transaction=signon&quiet=true&arg01=659750889
Make sure of the following:
- You have enabled Sun LTO-4 integration via RKM Admin console under Settings --> Enable LTO-4
- You have provided the hostname and IP addresses of the appliances in the "Change Discovery" page
- You have run the script /opt/rsa/setup/sh/enableLto4.sh on all appliances. Note: There is a known issue (KMA-1184) where you should provide "127.0.0.1" instead of the appliance's physical IP address
- Check the bottom of the file /etc/httpd/conf/http.conf. Make sure the following two lines do NOT contain the appliance's physical IP address, but "127.0.0.1" or "localhost":
    ProxyPass / http://localhost:8080/KMS/services/KMS_CA
    ProxyPassReverse / http://localhost:8080/KMS/services/KMS_CA
- If your server certificate is not issued by a Root CA but rather by a Sub CA:
  1. Make sure Apache is sending its chain properly. Hit https://youAppliance.domain.com/status/certs.jsp and you should see something like the following in the "SSL Handshake Test" section:
       0 s:Subject DN of your web server certificate
         i:Issuer DN of the web server certificate
       1 s:Subject DN of the web server's issuer
         i:Issuer DN of the web server's issuer
       2 s:Subject DN of the certificate above
         i:Root CA Subject DN
  2. Apache's Trusted CA file must contain the Sub CA certificate.
- In RKM Admin console, under Settings --> Change Server CA, you should provide the Root CA certificate.
- You have imported PKCS#12 via Settings --> Manage Certificates
- You have created a Key class of type AES - 256 - CBC - New Key Each Time - Allow Auto-generation
- You have created ONE auto-registration profile PER DRIVE, each drive using the registration profile name for its Agent ID
- The P12 file must contain a valid SSL client certificate. If it has only the SSL Server Authentication Enhanced Key Usage, the SSL handshake will fail.
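
One way to check the last point before importing the P12, as an added example that is not part of the original guide or of RSA's tooling. `eku_verdict` and `check_p12` are hypothetical helper names, and the check assumes the `openssl` command-line tool is available.

```shell
#!/bin/sh
# Added example (not RSA tooling): does a certificate's Extended Key Usage
# permit TLS client authentication?

# Reads `openssl x509 -noout -text` output on stdin and prints one verdict:
#   client-ok       EKU lists TLS Web Client Authentication
#   no-client-auth  EKU is present but lacks it (e.g. server authentication only)
#   no-eku          no EKU extension, so usage is not restricted by EKU
eku_verdict() {
    awk '
        /X509v3 Extended Key Usage/ { seen = 1; getline; eku = $0 }
        END {
            if (!seen) print "no-eku"
            else if (eku ~ /TLS Web Client Authentication/) print "client-ok"
            else print "no-client-auth"
        }'
}

# Hypothetical wrapper: check_p12 FILE.p12
# Extracts the client certificate (openssl prompts for the import password;
# only the first certificate in the output is examined) and classifies it.
# Returns 0 if usable for client auth, 1 if not, 2 if nothing could be read.
check_p12() {
    text=$(openssl pkcs12 -in "$1" -clcerts -nokeys |
           openssl x509 -noout -text) || {
        echo "$1: could not read a certificate" >&2
        return 2
    }
    verdict=$(printf '%s\n' "$text" | eku_verdict)
    echo "$1: $verdict"
    [ "$verdict" != "no-client-auth" ]
}

# Constructed sample: the EKU lines as openssl prints them for a certificate
# issued for server authentication only.
SAMPLE_SERVER_ONLY='            X509v3 Extended Key Usage:
                TLS Web Server Authentication'

printf '%s\n' "$SAMPLE_SERVER_ONLY" | eku_verdict
```

A `no-client-auth` verdict corresponds to the failure case in the last checklist item: the certificate has to be reissued with client authentication in its Enhanced Key Usage.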