000019020 - 10% of authentications fail when a Replica is switched off and name locking (SD_Lock) is used

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000019020

Applies To:
RSA ACE/Server 5.0 (no longer supported as of 8-15-2004)
RSA ACE/Agent 5.0
Sun Solaris 2.6
Microsoft Windows NT 4.0

Issue: 10% of authentications fail when a Replica is switched off and name locking (SD_Lock) is used
An environment is set up to test authentication against the ACE/Server using an application written with RSA ACE/Agent 5.0 API. The agent is configured to use name locking.
When one of the ACE/Server Replicas is stopped to test 'fail-over', the Agent authentication fails with 'Access Denied.'
No logs are created on the Primary ACE/Server.

Cause: In earlier versions of the RSA ACE/Agent API, the SD_LOCK function did not work correctly. When the Agent contacts an ACE Replica that is down, it records the Replica's status in a file called sdstatus.12 so that it does not contact that host again. In this instance, the file was not being updated, which caused the Agent to repeatedly contact the 'downed' host. Because name locking is enabled, no other Replicas/Master will respond.

Resolution: This problem is reported in the early releases of the RSA ACE/Agent API, issued to our Partners for compatibility testing of their Third Party Products. The problem has been resolved in build 623 of the RSA ACE/Agent API. Anyone who believes they have an earlier version should upgrade to the current release available from RSA Security.

Legacy Article ID: a5220