000016596 - After some period of inactivity, RCM-API based application fails at the function call XudaLDAPFetch() with return code 35 (XrcWRITEFAILURE)

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000016596

Applies To: RSA Certificate Manager API 6.8
Firewall between the host where the RCM-API application is running and another host where the target RSA Certificate Manager is installed

Issue: After some period of inactivity, an RCM-API based application fails at the function call XudaLDAPFetch() with return code 35 (XrcWRITEFAILURE).
If the RCM-API application is restarted, it works without any issues (until a period of inactivity lapses, such as 30 minutes).

Cause: XudaLDAPFetch returns XrcWRITEFAILURE if the underlying LDAP fetch call returns LDAP_SERVER_DOWN; however, the LDAP fetch operation occurs AFTER getting a connection from the pool. In the above scenario, the firewall dropped the RCM-API connection to the RSA Certificate Manager Secure Directory Server after the configured timeout. In this situation RCM-API is unable to recover from such terminated connections.

Resolution: Idle connections were being dropped by the firewall, and the Xuda API was unable to recover from such terminated connections (regardless of the XresKEEPLDAPOPEN setting). This issue has been fixed in RCM-API version 6.8 build 522 (as well as in version 6.9 build 551). In build 522, the problem has been fixed by setting the socket's TCP KEEPALIVE option if XresKEEPLDAPOPEN is set to 1. This keeps the LDAP connection open for extended periods of time, even through stateful firewalls.

Update the application using RCM-API 6.8 build 522 (or later) and set XresKEEPLDAPOPEN to 1.

Workaround: A web portal (Java servlet) was developed using JNI in combination with RSA Certificate Manager API (C library). Certificate requests are sent to the web portal and are forwarded via the XUDA API to the CA.

Notes: CMAPI-188

Legacy Article ID: a60222
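The Resolution above relies on the socket's TCP keepalive option to keep an idle LDAP connection alive through a stateful firewall. The following C example is added here for illustration and is not RCM-API code or part of the original article; it enables keepalive on a Linux socket and schedules the first probe before the firewall's idle timeout. The helper names, the half-timeout rule and the probe interval and count are assumptions, and TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT are Linux-specific options.

```c
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper, not an RCM-API function. Enables TCP keepalive on fd
 * and schedules the first probe at half the firewall idle timeout, because
 * the Linux default idle time (7200 s) exceeds a 30-minute firewall timeout.
 * Returns the idle time applied in seconds, or -1 on error. */
int keepalive_for_firewall(int fd, int fw_idle_timeout_s)
{
    int on = 1;
    int idle = fw_idle_timeout_s / 2; /* seconds of silence before first probe */
    int interval = 30;                /* assumed: seconds between probes */
    int count = 4;                    /* assumed: lost probes before error */
    if (idle < 1)
        return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle, sizeof idle) < 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &interval, sizeof interval) < 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &count, sizeof count) < 0)
        return -1;
    return idle;
}

/* Reads back the effective idle time; returns -1 if keepalive is disabled. */
int keepalive_idle_seconds(int fd)
{
    int on = 0, idle = 0;
    socklen_t len = sizeof on;
    if (getsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, &len) < 0 || !on)
        return -1;
    len = sizeof idle;
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle, &len) < 0)
        return -1;
    return idle;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0); /* unconnected demo socket */
    if (fd < 0)
        return 1;
    printf("applied idle: %d s\n", keepalive_for_firewall(fd, 30 * 60));
    printf("read back:    %d s\n", keepalive_idle_seconds(fd));
    close(fd);
    return 0;
}
```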
