Article Content
Article Number | 000019033 |
Applies To | RSA ACE/Agent 5.0 API; UNIX (AIX, HP-UX, Solaris); Microsoft Windows NT 4.0; Microsoft Windows 2000; SD_LOCK |
Issue | How to use name locking with RSA ACE/Agent 5.0 API. The sync2.c example code provided with RSA ACE/Agent 5.0 API is used to demonstrate name locking and Server failover. The example runs in a continuous loop that is broken only by an error condition, which then results in SD_Close being called. When a name lock is established, the user gets ACCESS DENIED even though there are available ACE/Server Replicas to authenticate against. The next authentication works correctly. |
Cause | When the SD_Lock function is called from the API, the Agent uses a status file to see which servers are available for authentication. Once it has chosen a server from this list, it sends out a name lock to prevent any other server in the ACE/Server domain from authenticating this user. However, if the chosen server is down, SD_Lock returns a status of ACM_ACCESS_DENIED. |
Resolution | The server status information used by RSA ACE/Agent 5.0 is not updated until the API handle is closed. For the API to perform a successful name lock on a live server, an SD_Close and SD_Init need to be performed to allow SD_Lock to find a new server. The status file created is %SystemRoot%\System32\sdstatus.12 on Windows NT/2000 systems and $VAR_ACE/sdstatus.12 on UNIX systems. The following is an example of how a name lock can be established to a valid server using the sync2.c example program: |

```c
int acmRet = 0; // ACM return status
//...
acmRet = SD_Lock(SdiHandle, username);
if (acmRet != ACM_OK)
{
    // The name lock failed. The chosen Server must be down.
    // Update this information in the sdstatus.12 status file
    // and continue with the authentication.

    // First close the API handle.
    SD_Close(SdiHandle);

    // Now re-open the handle for a new session.
    acmRet = SD_Init(&SdiHandle);
    if (acmRet != ACM_OK)
    {
        printf("Cannot communicate with the ACE/Server.\n");
        return 1;
    }

    // As this is a new session the SD_Lock function will do a new search
    // for available servers, updating the status file and ensuring no other
    // downed servers are chosen.
    // If this SD_Lock fails then there are no available ACE/Servers!
    acmRet = SD_Lock(SdiHandle, username);
    if (acmRet != ACM_OK)
    {
        printf("Access denied. Unable to locate a valid ACE/Server.\n");
        return 1;
    }
}
```
Legacy Article ID | a5496 |
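The stale-status behaviour described under Cause and Resolution, as an added toy model in C; it is not RSA's code and not part of sync2.c. All `sim_*` functions, the `SIM_*` constants, the three-replica setup, the user name, and the assumption that closing a handle refreshes the persisted status for every replica are constructed for illustration.

```c
/* Toy model of the stale-status behaviour; NOT the RSA ACE/Agent API. */
#include <stdio.h>
#include <string.h>

enum { SIM_OK = 0, SIM_ACCESS_DENIED = 1, NSERVERS = 3 };
static int server_alive[NSERVERS]; /* ground truth: is each replica up? */
static int status_file[NSERVERS];  /* persisted view, stand-in for sdstatus.12 */
typedef struct { int view[NSERVERS]; } sim_handle; /* snapshot taken at init */
static int sim_init(sim_handle *h) {
    memcpy(h->view, status_file, sizeof h->view);
    return SIM_OK;
}
/* Assumption: the persisted status is refreshed only when a handle closes. */
static void sim_close(sim_handle *h) {
    (void)h;
    memcpy(status_file, server_alive, sizeof status_file);
}
/* Picks the first replica the snapshot believes is up; denied if it is down. */
static int sim_lock(const sim_handle *h, const char *user) {
    (void)user;
    for (int i = 0; i < NSERVERS; i++)
        if (h->view[i])
            return server_alive[i] ? SIM_OK : SIM_ACCESS_DENIED;
    return SIM_ACCESS_DENIED; /* no replica believed available */
}
/* Recovery pattern from the article: failed lock -> close, re-init, lock once. */
static int lock_with_reinit(sim_handle *h, const char *user, int *attempts) {
    *attempts = 1;
    if (sim_lock(h, user) == SIM_OK) return SIM_OK;
    sim_close(h);
    if (sim_init(h) != SIM_OK) return SIM_ACCESS_DENIED;
    *attempts = 2;
    return sim_lock(h, user);
}
/* Stale status file claims every replica is up; alive[] is the real state. */
static int run_scenario(const int alive[NSERVERS], int *attempts) {
    sim_handle h;
    for (int i = 0; i < NSERVERS; i++) { server_alive[i] = alive[i]; status_file[i] = 1; }
    sim_init(&h);
    int rc = lock_with_reinit(&h, "jdoe", attempts); /* constructed user name */
    sim_close(&h);
    return rc;
}
int main(void) {
    int alive[NSERVERS] = {0, 1, 1}, n;
    int rc = run_scenario(alive, &n);
    printf("rc=%d after %d lock attempt(s)\n", rc, n);
    return rc;
}
```

In this model a second denial after the re-init means no replica is up, which is the condition the article's second `SD_Lock` check reports.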