000026188 - Error message "unable to contact directory server. LDAP_Replace failed!" in RSA Certificate Manager

Document created by RSA Customer Support Employee on Feb 9, 2017
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000026188

Applies To
RSA Product Set: Certificate Manager, Registration Manager
RSA Version/Condition: 6.7, 6.8, 6.9
Platform: Microsoft Internet Explorer 6.0 SP2

Issue
The error below is shown in the browser when an RSA Certificate Manager (RCM) administrator attempts to approve an RSA Registration Manager's (RRM's) request for access to an additional jurisdiction, through the RCM administrative interface -> Administrator Operations workbench -> RM Jurisdictions -> request-active.
Program Error
LDAP_Query: [XrcXUDAUNABLE] unable to contact directory server. LDAP_Replace failed! objectclass (rainfo), dn (ramd5=<md5_of_RRM_admin.cert>)

After this error is shown in the browser, the RRM request no longer appears on RCM under either the request-active or the request-approved option of the RCM administrative interface -> Administrator Operations workbench -> RM Jurisdictions.
On RRM, the jurisdiction that was requested is still listed under disabled jurisdictions (RRM administrative interface -> Administrator Operations workbench -> Jurisdictions -> disabled option), and it cannot be removed from the list because there is no checkbox next to it.

Cause
The RCM LDAP ACLs either do not contain the following rule or, if the rule exists, the md5 of admin.cert in it contains a typo. This rule must be placed after the rule for access to filter="objectclass=gid".
[Note that the value 333888813334444666667777 shown in the rule below is an assumed md5 value for admin.cert and would be different for each RCM installation.]
#access to RAINFO
access to filter="objectclass=RAinfo"
        by dn="md5=333888813334444666667777" write
        by dn=".*" read
RSA Certificate Manager 6.9 Administrator's Guide, pages 372-373, incorrectly instructs the reader to add Registration Manager's admin.cert MD5 to the RAinfo rule. Instead, RSA Certificate Manager's admin.cert MD5 should be added to the RAinfo rule.
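
The conditions named above (rule missing, md5 typo, rule placed before the objectclass=gid rule) can be checked mechanically. The following is an added example, not RSA code: the function name check_rainfo_acl, the sample ACL text and the by-clause under the gid rule are assumptions, and the expected md5 is passed in by the caller because the article does not say how it is derived from admin.cert.

```python
import re

# Only the syntax shown in the article is parsed: an "access to filter=..." line
# followed by indented "by dn=... <level>" lines.
RULE_RE = re.compile(r'^access\s+to\s+filter="objectclass=([^"]+)"', re.I)
WRITE_RE = re.compile(r'^\s+by\s+dn="md5=([^"]+)"\s+write\b', re.I)

def check_rainfo_acl(acl_text, rcm_admin_md5):
    """Return a list of problems with the RAinfo rule (empty list = OK)."""
    rules = []  # [(objectclass, [md5 values granted write])] in file order
    for line in acl_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line such as "#access to RAINFO"
        rule = RULE_RE.match(line)
        if rule:
            rules.append((rule.group(1).lower(), []))
        elif rules and WRITE_RE.match(line):
            rules[-1][1].append(WRITE_RE.match(line).group(1).lower())
    names = [name for name, _ in rules]
    if "rainfo" not in names:
        return ["no rule for objectclass=RAinfo"]
    pos = names.index("rainfo")
    problems = []
    if "gid" not in names[:pos]:
        problems.append("RAinfo rule is not placed after the objectclass=gid rule")
    if rcm_admin_md5.lower() not in rules[pos][1]:
        problems.append("RAinfo rule does not grant write to md5=" + rcm_admin_md5)
    return problems

# Constructed sample input. The md5 is the article's placeholder value; the
# by-clause under the gid rule is an assumption made for the sample.
EXPECTED_MD5 = "333888813334444666667777"
GID_RULE = 'access to filter="objectclass=gid"\n        by dn=".*" read\n'
RAINFO_RULE = ('#access to RAINFO\n'
               'access to filter="objectclass=RAinfo"\n'
               '        by dn="md5=%s" write\n'
               '        by dn=".*" read\n')
GOOD_ACL = GID_RULE + RAINFO_RULE % EXPECTED_MD5
TYPO_ACL = GID_RULE + RAINFO_RULE % "333888813334444666667778"  # last digit wrong
MISPLACED_ACL = RAINFO_RULE % EXPECTED_MD5 + GID_RULE

if __name__ == "__main__":
    for label, acl in [("good", GOOD_ACL), ("typo", TYPO_ACL),
                       ("misplaced", MISPLACED_ACL), ("missing", GID_RULE)]:
        print(label, check_rainfo_acl(acl, EXPECTED_MD5) or "OK")
```
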

Resolution
Add an LDAP ACL as shown above (with the correct md5), or update the existing rule with the correct md5 of RCM's admin.cert. This admin.cert is found on the RCM under \RSA_CM\Webserver\ssl\certs.
Additionally, RSA Registration Manager must be updated as listed below to allow another request for the jurisdiction that is in the disabled list on RRM but does not show up on RCM due to the problem described above:
  1. On RRM, go to the listuclass utility:  https://<RRM-host>:444/ra/admin/listuclass.xuda
  2. Click List against xuda_domain_config
  3. Click Edit against the first object listed on the page
  4. If the value for attribute RM_DISABLED is not set to 'true', click Back on the browser to return to the previous page listing all xuda_domain_config objects and check the next object.
  5. If the value for attribute RM_DISABLED is set to 'true', click the 'DELETE Object' button to delete the xuda_domain_config object.
  6. Close the browser.
  7. Now make a new request for the jurisdiction through RRM Administrator Operations workbench -> Jurisdictions -> available option.

Legacy Article ID: a39032