000015111 - AM 6.1.x Replica rejecting user modify - How to generate Replica-Package for Linux

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000015111
Applies To: AM 6.1 Authentication Manager 6.1.x 6.1.2 6.1.5
UNIX Linux Solaris AIX HP UX

Replica rejecting user modify Error updating user
Replica rejecting user modify

Error modifying record on replica

Cause: After the initial installation of the primary and replica servers, replication appears normal. After a server database dump file migration from an alternate realm containing multiple replica servers, replication appears to be good from the replica, but not from the primary. Port 5505/TCP is not listening on the primary, as verified with netstat -an and with telnet from the replica.
Resolution: How to generate a replica package for AM 6.1 on Linux
The replica is known by its short name, <replica>.
Here are the instructions for a new replica package for <replica>:
1)        Log into sdadmin
      a.        You must be logged in as an ACE admin
      b.        cd /opt/ace/prog
      c.        ./sdadmin
2)        Flag the Primary to NOT Push the database.
      a.        System Parameters > Edit System Parameters > Un-Check Allow DB Push Assisted Recovery
3)        Remove any old replica_package directories from the /opt/ace/data directory
4)        Stop the Primary ACE/Server
      a.        cd /opt/ace/prog
      b.        ./aceserver stop
      c.        ./sdconnect shutdown
5)        Generate a NEW Replica Package
      a.        ./sdrepmgmt delete       <replica>
      b.        ./sdrepmgmt add           (add the <replica> replica back, so that it will be without a Push DB recovery)
      c.        ./sdsetup -package
      d.        Specify the Replica, <replica>, that you will generate this replica package for
6) Restart Primary Services
      a.        cd /opt/ace/prog
      b.        ./sdconnect start
      c.        ./aceserver start
7)        Stop the Replica Server.
      a.        cd /opt/ace/prog
      b.        ./aceserver stop
      c.        ./sdconnect shutdown
8)        Copy the replica_package with sub folders (license and database) to the Replica. You can store the replica_package directory in any directory on the Replica Host
         a.    Apply the replica package
            i.        cd /opt/ace/prog
            ii.        ./sdsetup -apply_package pathname
            iii.        ./sdinfo | more
                      1.        You should see that the field PRIMARY ACE SERVER reflects the hostname of the Primary ACE/Server.
                      2.        You should see that the field THIS SERVER reflects the hostname of the Replica ACE/Server.
9)        Start the Replica Server
      a.        cd /opt/ace/prog
      b.        ./sdconnect start
      c.        Open a real-time activity log on the Primary
              i.        Open another session to the host
              ii.        cd /opt/ace/prog
              iii.        ./sdlogmon -t
              iv.        Go back to your original session and continue with the Primary startup.
      d.        ./aceserver start
      e.        You should begin to see messages in both the Primary's and that particular Replica's logs showing that the two connect. At this time, make sure that your sequence numbers are the same on both of those machines by running ./sdrepmgmt list on both hosts.
Run sdrepmgmt list on primary and look at replica 0 (The primary server). Service port number should read as 5505. If the service port does not read as 5505, the replica management table must be modified using the RSA Authentication Manager Replica Management program (sdrepmgmt).

Remove the replica server that came in with the dmp file during import (the alternate realm primary, listed as replica 1) using:

prog#./sdrepmgmt -repmgmt delete

With only the primary server existing in the replica management table, use the following to change the service port of the primary server:

prog#./sdrepmgmt modify

Choose defaults, but change the service port number to be 5505.

Then generate a new server database dump file, so that the imported server database elements (users, tokens, agent hosts) can be saved without the corrupt replica management table:

prog#./sddump -s

Copy both the newly generated sdserv.dmp from /prog and the existing license.rec from /data to a designated location such as /tmp. Then clear out the primary server database using the following:

prog#./sdnewdb (choosing defaults)

prog#./sdrepmgmt add (choosing defaults)

prog#./sdcreadm (will add administrator account into server DB that you are currently logged in with)

Place both saved files (sdserv.dmp and license.rec) into the /prog directory, and import the saved sdserv.dmp using:

prog# ./sdload -s -m -k license.rec

Add replica to replica management table:

prog#./sdrepmgmt add (adding replica server fully qualified name and IP)

Then verify that the primary and replica server both exist in the replica management table, with 5505 as the primary (replica 0) service port, and 5506 as the replica (replica 1) service port:

prog#./sdrepmgmt list should produce output similar to:

RSA Authentication Manager Replica Management 6.1 [299]
                     Copyright (c) 1994-2005
                        RSA Security Inc.
Replica 0:      mperez-vm82.na.rsa.net
                IP Address:                   
                Replica Service Name:                              securidprop_00
                Service Port Number:                                5505
                Startup Delay Interval:                             0
                Replication Interval:                                 100
                Enabled:                                                   1
                Primary:                                                    1
                Connected:                                               0
                Replica Marked For Unconditional Push:   0
                Replica Sequence Number:                       9
                Alias 1:
                Alias 2:
                Alias 3:
Replica 1:      mperez-vm83.na.rsa.net
                IP Address:                     
                Replica Service Name:                               securidprop_01
                Service Port Number:                                5506
                Startup Delay Interval:                             10
                Replication Interval:                                  100
                Enabled:                                                    1
                Primary:                                                     0
                Connected:                                               0
                Replica Marked For Unconditional Push:   0
                Replica Sequence Number:                       10
                Alias 1:
                Alias 2:
                Alias 3:


Follow the steps for generating a replica package, apply it to the replica server, and verify that replication is good.
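The two checks this article asks for (primary service port reads 5505; sequence numbers match on both hosts) can be scripted over captured ./sdrepmgmt list output. The script below is an added example, not RSA code: the function names and the sample listings (host names, sequence values) are constructed, and only the field labels come from the output shown above.

```shell
# Added example: checks over captured `./sdrepmgmt list` output.
# Field labels follow the sample output on this page; host names are constructed.
SAMPLE_PRIMARY='Replica 0:      primary.example.com
                Service Port Number:                                5505
                Primary:                                                    1
                Replica Sequence Number:                       9
Replica 1:      replica.example.com
                Service Port Number:                                5506
                Primary:                                                     0
                Replica Sequence Number:                       10'
# Constructed replica-side listing: entry 1 lags behind (sequence 7 instead of 10)
SAMPLE_REPLICA=$(printf '%s\n' "$SAMPLE_PRIMARY" | sed 's/Number:  *10$/Number: 7/')

# parse_repmgmt: stdin -> one line per entry: index host port is_primary sequence
parse_repmgmt() {
  awk '
    /^Replica [0-9]+:/ {
      if (idx != "") print idx, host, port, prim, seq
      idx = $2; sub(/:$/, "", idx); host = $3
      port = "?"; prim = "?"; seq = "?"
      next
    }
    /Service Port Number:/     { port = $NF }
    $1 == "Primary:"           { prim = $NF }
    /Replica Sequence Number:/ { seq = $NF }
    END { if (idx != "") print idx, host, port, prim, seq }
  '
}

# check_primary_port: stdin listing; succeeds only if exactly one entry is
# flagged Primary and its service port reads 5505.
check_primary_port() {
  parse_repmgmt | awk '
    $4 == 1 { n++; if ($3 != 5505) bad = 1 }
    END { if (n == 1 && !bad) exit 0; exit 1 }'
}

# seq_mismatches: $1 = listing from the primary, $2 = listing from the replica;
# prints the index of every entry whose sequence number differs between hosts.
seq_mismatches() {
  { printf '%s\n' "$1" | parse_repmgmt | sed 's/^/P /'
    printf '%s\n' "$2" | parse_repmgmt | sed 's/^/R /'; } |
  awk '$1 == "P" { seq[$2] = $6; next }
       $1 == "R" && seq[$2] != $6 { print $2 }'
}

printf '%s\n' "$SAMPLE_PRIMARY" | check_primary_port && echo "primary service port: 5505"
echo "entries with differing sequence numbers: $(seq_mismatches "$SAMPLE_PRIMARY" "$SAMPLE_REPLICA")"
```

On a live system, pipe the output of ./sdrepmgmt list from /opt/ace/prog into check_primary_port, and pass the listings captured on each host to seq_mismatches.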


Legacy Article ID: a54540