000029578 - AxM: RSA Access Manager Servers, RSA WAS TAI and FIPS

Document created by RSA Customer Support Employee on Jun 15, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000029578
Applies To: RSA Product Set: ClearTrust
RSA Product/Service Type: Access Manager
RSA Version/Condition: 6.2
RSA Product/Service Type: Access Manager TAI for WebSphere 8.5
RSA Version/Condition: 5.0 SP1
Issue: Symptoms on the RSA Access Manager server side:
Servers fail to start or connect to WebAgents.
SSL errors and encryption errors on startup.
Symptoms on WebSphere with TAI:
WebSphere may not start or cannot connect.
If the correct jars are in place, then when FIPS is enabled in the WebSphere console the TAI cannot connect to the dispatcher/aservers.
Cause: Several causes: the presence of two conflicting jars in the install/classpath, for both the server-side and the TAI issues.
In the TAI, enabling WebSphere FIPS conflicts with the Access Manager aserver dispatcher.
Resolution: The resolution is given in a question-and-answer format.
QUESTION: jcm-6.1.jar and jcmFIPS-6.1.jar should not be in this directory at the same time, should they? It's either one or the other, for FIPS support or not.
Yes, either the jcm-6.1 jar or the jcmFIPS-6.1 jar should be present, not both.
In the TAI, once we retrieve the username from the cookie/header we create a runtimeAPI to validate the details.

QUESTION: What were the old 6.1.0 jars and the current ones? Which replaced which?
With WAS v6.1, we supported only v4.7 Agents. There was no FIPS support in them.
We introduced FIPS in v4.7 SP1. Refer to the lists below.
With AppAgent v5.0 and v5.0 SP1, the following BSAFE jars were packaged (compatible FIPS version: Server v6.2/v6.2.1):
• cryptojce-6.1.jar
• cryptojcommon-6.1.jar
• jcmFIPS-6.1.jar

With AppAgent v4.7 SP1 (compatible FIPS version: Server v6.1.4):
• cryptoj-5.0.jar
• cryptojFIPS-5.0.jar

With AppAgent v4.7 (no FIPS):
• jsafe.jar
• jsafeJCE.jar
• rsajsse.jar
• sslj.jar
QUESTION: If one wanted to use WLS in FIPS mode with the TAI, would FIPS have to be enabled on the aserver as well?
Yes, if there are FIPS jars on the WAS, then the same should be enabled on the server as well.
Again, we need to ensure the same version of BSAFE jars is present on both Agent and Server.
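
A check for the conditions described above, as an added example (not RSA code or tooling): it inventories the versioned BSAFE jars in an agent directory and a server directory and reports a jcm/jcmFIPS conflict, a FIPS mismatch between the two sides, and version differences. The directory paths are supplied by the caller, and reading FIPS mode from jar file names alone is an assumption of this example.

```python
import re
import sys
from pathlib import Path

# Versioned BSAFE jar names taken from the lists in this article.
BSAFE_JAR = re.compile(
    r"^(jcmFIPS|jcm|cryptojce|cryptojcommon|cryptojFIPS|cryptoj)-(\d+(?:\.\d+)*)\.jar$"
)


def inventory(directory):
    """Return {jar base name: set of versions} for BSAFE jars in a directory."""
    found = {}
    for path in Path(directory).glob("*.jar"):
        match = BSAFE_JAR.match(path.name)
        if match:
            found.setdefault(match.group(1), set()).add(match.group(2))
    return found


def jcm_mode(jars):
    """Classify one side by which jcm jar it carries (assumption: name implies mode)."""
    if "jcm" in jars and "jcmFIPS" in jars:
        return "conflict"
    if "jcmFIPS" in jars:
        return "fips"
    return "non-fips" if "jcm" in jars else "none"


def audit(agent_dir, server_dir):
    """Compare the agent and server jar directories; return a list of findings."""
    agent, server = inventory(agent_dir), inventory(server_dir)
    modes = {"agent": jcm_mode(agent), "server": jcm_mode(server)}
    findings = [f"{side}: jcm and jcmFIPS jars are both present"
                for side, mode in modes.items() if mode == "conflict"]
    # FIPS jars on the agent side call for FIPS on the server side as well.
    if {modes["agent"], modes["server"]} == {"fips", "non-fips"}:
        findings.append(f"FIPS mismatch: agent={modes['agent']}, server={modes['server']}")
    # Both sides should carry the same version of each BSAFE jar.
    for name in sorted(set(agent) & set(server)):
        if agent[name] != server[name]:
            findings.append(f"{name}: agent {sorted(agent[name])}, server {sorted(server[name])}")
    return findings


if __name__ == "__main__":
    # Usage: python check_bsafe_jars.py <agent jar dir> <server jar dir>
    results = audit(sys.argv[1], sys.argv[2])
    print("\n".join(results) or "no BSAFE jar conflicts found")
    sys.exit(1 if results else 0)
```
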
Notes: May be a related error:
015-02-04 08:06:54 -0500 - [10784] - <Critical> - Error creating Runtime API connection: request to axmqaas.geisinger.edu:5608 failed [CT_REPLY_PARSE_ERROR]
There was a similar issue with WebAgents. Refer to CTAG-4965.
Not sure, it could be a compatibility issue.
The install and configuration guide for appserver agents 5.0 and 5.0 SP1 has incorrect installation instructions.
It tells you to install both the jcm and jcmFIPS jars. This is incorrect. You install one or the other, depending on whether you want FIPS.
This is the INCORRECT text; notice the jcm and jcmFIPS. Only one should be present.

1. Place the following .jar files in your WASBASE/lib/ext directory:

• log4j-1.2.17.jar