|Applies To||RSA Product Set: ClearTrust|
RSA Product/Service Type: Access Manager
RSA Version/Condition: 6.2
RSA Product/Service Type: Access Manager TAI for WebSphere 8.5
RSA Version/Condition: 5.0 SP1
|Issue||Symptom on RSA Access Manager server side:|
Servers fail to start or connect to webagents.
SSL errros , Encrytion errors on startup.
Symptoms on WebSphere with TAI:
WebSphere may not start , cannot connect.
If correct jars in place , when enabling FIPS on WebSPhere Console TAI cannot connect to dispatcher/asservers.
|Cause||Several causes , the presence of two conflicting jars in the install/classpath for both server side and TAI issues.|
In TAI enabling Websphere FIPS conflicts with Access Manager aserver dispatcher.
|Resolution||Resolution in a Question and Answer format.|
QUESTION: jcm-6.1.jar and jcmFIPS-6.1.jar should not be in this directory at the same time should it? Its either one or the other for FIPS support or not.
Yes, either jcm-6.1 or jcmFIPS-6.1 jar should be present. Not both.
In the TAI, once we retrieve the username from the cookie/header we create a runtimeAPI to validate the details.
QUESTION what were the old 6.1 .0 jars and the current. Which replaced which?
With WAS v6.1, we supported only v4.7 Agents. There was no FIPS support in them.
We introduced FIPS in v4.7 SP1. Refer below -
With, AppAgentv5.0 and v5.0SP1 the following Bsafe jars were packaged- (Compatible FIPS Version - Server v6.2/v6.2.1)
With, AppAgentv4.7 SP1- (Compatible FIPS Version - Server v6.1.4)
With, AppAgentv4.7 – (No FIPS)
QUESTION IF one wanted to use WLS in fips mode with the TAI would FIPS have to be enabled on the aserver as well?
Yes, if there are FIPS jars on the WAS then the same should be enabled on server as well.
Again, we need to ensure the same version of Bsafe jars are present on both Agent and Server.
|Notes||May be a related error:|
015-02-04 08:06:54 -0500 -  - <Critical> - Error creating Runtime API connection: request to axmqaas.geisinger.edu:5608 failed [CT_REPLY_PARSE_ERROR]
There was a similar issue with WebAgents. Refer - CTAG-4965
Not sure, it could be a compatibility issue.
The install and configuration Guide for appserver agents 5.0 and 5.0 SP1 have incorrect installation instructions.
It specifies for you to installs both the jcm and jcmFIPS jars. This is incorrect. You either install one or theother depending if you want FIPS.
This is the INCORRECT Text, notice the jcm and jcmFIPS. Only one shoudl be present.
1. Place the following .jar files in your WASBASE/lib/ext directory: