000016784 - Upgrade to RCM 6.8 build 522 fails with error 'confirmXudadStartup: Failed to confirm Xudad start up'

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2

Article Content

Article Number: 000016784

Applies To:
RSA Certificate Manager 6.8
Red Hat Enterprise Linux
The RSA Certificate Manager installation being upgraded was previously upgraded from an older version 5.7 to version 6.8 build 517
An HSM is being used for some CAs, but the server SSL keys, System CA, and Admin CA are not based on HSM
BSAFE SSL-C Crypto-C ME libraries were properly installed on the RHEL system

Issue:
Upgrade to RCM 6.8 build 522 fails with error "confirmXudadStartup: Failed to confirm Xudad start up"
When upgrading RCM 6.8 build 517 on Solaris to 6.8 build 522 on Red Hat Linux, the upgrader fails with the following error in upgrade.log:

2012.07.31-15:11: --------------------------------------------------------
2012.07.31-15:11:                 B E G I N   I N S T A L L
2012.07.31-15:11: --------------------------------------------------------
2012.07.31-15:11: Reading command line configuration file...
2012.07.31-15:11: Processing old Log Server configuration file...
2012.07.31-15:11: Processing old Directory configuration file...
2012.07.31-15:11: Processing old Administration configuration file...
2012.07.31-15:11: Processing old CMP Server configuration file...
2012.07.31-15:11: Creating directories in new installation...
2012.07.31-15:11: Copying server certificates and keys...
2012.07.31-15:12: Configuring Secure Directory Server...
2012.07.31-15:12: Indexing database...
2012.07.31-15:12: This may take a while. Please be patient.
2012.07.31-15:12: confirmXudadStartup: Caught XDK Exception.
--- confirmXudadStartup: Failed to confirm Xudad start up
2012.07.31-15:12: Install: Caught XDK Exception.
--- confirmXudadStartup: Failed to confirm Xudad start up

Cause:
The upgrader failed because the RCM Secure Directory Server (Xudad) did not start up properly: its server SSL keys were based on DSA, and the cipherlist did not allow DSA.

Resolution:
Follow the steps below as a workaround to complete the upgrade successfully:

1. After unpacking the full RCM upgrader installation package, modify the cipher list:

Edit <installdir>/RSA_CM/Xudad/dist/xudad.conf and change the value of cipherlist from

EDH-RSA-AES256-SHA

to

RC4-SHA:EDH-DSS-DES-CBC3-SHA

2. Start the upgrade process (using the package.tar generated from the source RCM installation).

Notes:
For future upgrades to later versions of RSA Certificate Manager, it is recommended that the DSA-based System CA, Admin CA, and server SSL keys be regenerated to make them RSA based.
CERTMGR-4154
CERTMGR-4216

Legacy Article ID: a60498
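
The mismatch described under Cause can be checked before starting the upgrader. The following is an added example, not RSA code: it assumes the cipherlist uses OpenSSL-style suite names (as the two values in this article do), and the function names suite_auth and check_cipherlist are hypothetical.

```python
import re

def suite_auth(suite):
    """Authentication key type implied by an OpenSSL-style suite name."""
    parts = suite.upper().split("-")
    if "ECDSA" in parts:
        return "ECDSA"
    if "DSS" in parts:
        return "DSA"
    if parts[0] in ("ADH", "AECDH", "PSK"):
        return "NONE"          # anonymous / pre-shared key: no certificate
    return "RSA"               # e.g. RC4-SHA, EDH-RSA-AES256-SHA

def check_cipherlist(cipherlist, key_type):
    """Return (usable, legacy) suites for a server key of key_type.

    Only explicitly named suites are evaluated. OpenSSL operators and
    exclusions (!x, -x, +x, @STRENGTH) and unexpanded keywords such as
    HIGH (no hyphen in the name) are skipped.
    """
    usable, legacy = [], []
    for suite in filter(None, re.split(r"[:,\s]+", cipherlist.strip())):
        if suite[0] in "!-+@" or "-" not in suite:
            continue
        if suite_auth(suite) != key_type.upper():
            continue
        usable.append(suite)
        # RC4 and DES/3DES are retained only for compatibility; flag them so
        # they can be dropped once the keys are regenerated as RSA.
        if {"RC4", "DES"} & set(suite.upper().split("-")):
            legacy.append(suite)
    return usable, legacy

if __name__ == "__main__":
    # Cipherlist values from this article; DSA is the key type named in Cause.
    for label, value in (("default", "EDH-RSA-AES256-SHA"),
                         ("workaround", "RC4-SHA:EDH-DSS-DES-CBC3-SHA")):
        usable, legacy = check_cipherlist(value, "DSA")
        status = "OK" if usable else "NO USABLE SUITE for this key type"
        print(f"{label:10} {status} usable={usable} legacy={legacy}")
```

With a DSA key, only EDH-DSS-DES-CBC3-SHA from the workaround list is usable; RC4-SHA becomes the usable suite once the keys are RSA based.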
