000029151 - RSA Access Manager elects two master keyservers

Document created by RSA Customer Support Employee on Jun 15, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000029151
Applies To:
RSA Product Set: ClearTrust
RSA Product/Service Type: Access Manager
RSA Version/Condition: 5.5.3 EOPS Reached
Platform: Windows
Platform (Other): null
O/S Version: 2003 Server
Product Name: RSA-0010020
Product Description: Access Manager

Customers are unexpectedly directed to the logon page during an SSO session
The RSA Access Manager aserver.log (or lserver.log) records a larger-than-normal number of the following log events. These occur more often on some aservers than on others.
sequence_number=356,2011-06-03 14:36:58:616 EDT,messageID=1031,client_ip_address=,client_port=1914,result_code=0,result_action=User Token Failed,result_reason=Token error

The RSA Access Manager dispatcher.log (lserver.log) shows the following log messages:
sequence_number=255,2012-08-30 04:04:49:85 BST,messageID=0,event_type=Error,description=Error handling client connection,error=java.lang.OutOfMemoryError
sequence_number=256,2012-08-30 04:04:55:22 BST,messageID=0,event_type=Error,description=Unknown error,error=java.lang.OutOfMemoryError
sequence_number=17,2014-11-29 15:50:15:556 GMT,messageID=-2,event_type=Internal Error,internal_error=java.io.EOFException
sequence_number=18,2014-11-29 15:50:19:540 GMT,messageID=-2,event_type=Internal Error,internal_error=java.net.SocketException: Connection reset

Cause
These errors in the dispatcher.log indicate that the dispatcher JVM is unable to open any new sockets due to a resource limitation on the physical machine. The keyserver must be able to open new sockets on port 5609 to conduct keyserver elections. If the keyserver cannot reach any of the other keyservers because it cannot open new sockets to conduct an election, it assumes that it is the only keyserver and elects itself as a master keyserver. Even though it cannot contact the other keyservers for elections (this requires a new socket), the keyserver may still generate keys, and these may be provided to clients that request them. This can lead to a variety of errors.

Identify the reason for the resource limitation on the machine hosting the dispatcher. Restart the machine to free up resources.

If this issue occurs frequently, there may be a socket leak (typically against another application) on the same machine that is using all the resources.
Upgrade to a 64-bit JVM and add memory. This issue is rarely seen on modern systems.
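To check a host for the pattern described above, the following added example (not RSA's code) parses the log record format shown in the excerpts and flags dispatcher resource errors that coincide with "User Token Failed" events. The function names and the `baseline` parameter are assumptions made for illustration.

```python
from collections import Counter

# Dispatcher error values quoted in the article for the resource limitation.
RESOURCE_ERRORS = ("java.lang.OutOfMemoryError", "java.io.EOFException",
                   "java.net.SocketException")

def parse_line(line):
    """Parse one comma-separated key=value record; the bare field is the timestamp."""
    record = {}
    for field in line.strip().split(","):
        key, sep, value = field.partition("=")
        if sep:
            record[key] = value
        elif "timestamp" not in record:
            record["timestamp"] = field
    return record

def dispatcher_resource_errors(lines):
    """Count dispatcher.log records whose error matches a resource signature."""
    hits = Counter()
    for rec in map(parse_line, lines):
        err = rec.get("error") or rec.get("internal_error") or ""
        for sig in RESOURCE_ERRORS:
            if err.startswith(sig):
                hits[sig] += 1
    return hits

def token_failures(lines):
    """Count aserver.log records reporting 'User Token Failed'."""
    return sum(1 for rec in map(parse_line, lines)
               if rec.get("result_action") == "User Token Failed")

def triage(dispatcher_lines, aserver_lines, baseline=0):
    """Flag resource errors plus token failures above `baseline` (an assumed normal count)."""
    errors = dispatcher_resource_errors(dispatcher_lines)
    failures = token_failures(aserver_lines)
    return {"resource_errors": dict(errors), "token_failures": failures,
            "suspect": bool(errors) and failures > baseline}

# Sample records copied from the article's log excerpts.
DISPATCHER_SAMPLE = [
    "sequence_number=255,2012-08-30 04:04:49:85 BST,messageID=0,event_type=Error,description=Error handling client connection,error=java.lang.OutOfMemoryError",
    "sequence_number=18,2014-11-29 15:50:19:540 GMT,messageID=-2,event_type=Internal Error,internal_error=java.net.SocketException: Connection reset",
]
ASERVER_SAMPLE = [
    "sequence_number=356,2011-06-03 14:36:58:616 EDT,messageID=1031,client_ip_address=,client_port=1914,result_code=0,result_action=User Token Failed,result_reason=Token error",
]
if __name__ == "__main__":
    print(triage(DISPATCHER_SAMPLE, ASERVER_SAMPLE))
```

Set `baseline` to the number of token failures a healthy aserver logs over the same window, so that only the larger-than-normal counts are flagged.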