000030818 - Policy changes not taking effect

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000030818
Applies ToAdaptive Authentication(On-Prem) v7.x(ALL)
OS Platform(All)
Application Server(All)
IssueWhen there is an issue with the backend database, policy refresh thread responsible for synchronizing AdaptiveAuthentication policies/rules in the database may get killed. Any changes performed to the policy/rule will not take effect and being ignored by AdaptiveAuthentication application. For example, user has been added to blacklist/whitelist etc account however it's not being denied/allowed by Online Banking(OLB) application.
When there are multiple AdaptiveAuthentication server instances(clusted environment) deployed in the environment, this issue can cause rule inconsistencies as rules may triggered differently between application servers.
  1. PolicyEngineOnlineUpdater thread runs every minute to refresh the policies from the database.
  2. After the execution of all the steps, thread sleeps for a minute.
  3. This time(for how long the thread should sleep) is taken from the configuration(database).
  4. This configuration is later stored in the cache. The default time set for this cache to be alive is 900 seconds.
  5. If database is down etc then after this time(900 seconds) the cache will become null. (As database connection is not available, it doesn't refresh)
  6. In this case thread gets killed.
ResolutionIn ideal scenario this is not a bug. If there is a database issue, AdaptiveAuthentication application server should also be restarted to resolve database connection issue.
For 7.1 SP0 P2, HF110 addresses the issue with policy refresh. Please contact RSA Customer Support to obtain the hot fix for your AdaptiveAuthentication(on-Prem) version.
WorkaroundAdaptiveAuthentication application server should be restarted to resolve database connection issue.
NotesHow to know whether your AdaptiveAuthentication application is effected by the issue?
1. Add user/account etc to blacklist/whitelist account and test whether user is still allowed/rejected to perform transaction.
2. Capture Java thread dump and review if PolicyEngineOnlineUpdater thread exists. If the policy refresh thread does not exist, the thread has died and any changes to policies/rules will not take effect. For example the following is excerpted from Tomcat(java) thread dump. The thread is sleeping and should be able to synch policies/rules once awaken.
"pool-5-thread-3" prio=10 tid=0x00002af0ad838000 nid=0x2fbf waiting on condition [0x00002af0b260c000]
   java.lang.Thread.State: TIMED_WAITING (sleeping)
        at java.lang.Thread.sleep(Native Method)
        at com.rsa.csd.pe.PolicyEngineOnlineUpdater.run(PolicyEngineOnlineUpdater.java:113)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:744)