000035603 - How to install and reinstall the Access Fulfillment Express (AFX) server on an RSA Identity Governance & Lifecycle hardware or software appliance

Document created by RSA Customer Support Employee on Oct 9, 2017Last modified by RSA Customer Support Employee on Sep 7, 2018
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000035603
Applies ToRSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.0.1, 7.0.2, 7.1
IssueThis article is a step by step instruction on how to install and reinstall the Access Fulfillment  Express (AFX) server on an RSA Identity Governance & Lifecycle hardware or software appliance.

The information below assumes the afxuser is the oracle user. A separate afxuser can be created. See the RSA Identity Governance & Lifecycle Installation Guide for more information.

These are the steps for installing or reinstalling the AFX server component on an RSA Identity Governance & Lifecycle appliance using the AFXServer.zip generated from the Administrative console:

  1. Login to the RSA Governance & Lifecycle Administration Interface (for exmaample, https://rsa-access.yourcompany.com/aveksa/main).
  2. Download the AFXServer.zip from the UI under AFXServers > AFX ServerDownload Server Archive.
  3. Download server.keystore from the UI under Admin > System > Security  > Download 'Server Certificate Store for Agent SSL Connections.
  4. Transfer the AFXServer.zip and server.keystore from your PC to the RSA Identity Governance & Lifecycle appliance using a tool like WinSCP or another SFTP client and place the files under /tmp.
  5. Change to the root user.

sudo su -

  1. Shutdown AFX, if it exists, and check that no AFX processes remain.

cd /home/oracle
service afx_server stop
ps -ef | grep AFX

  1. Kill any remaining AFX processes, where xxxx are any AFX processes still running:

kill -9 xxxx

  1. Backup the pre-existing AFX directory, if it exists.

mv AFX AFX.old

  1. Unpack the AFXServer.zip, change file and  group ownership:

unzip /tmp/AFXServer.zip
chown -R oracle:oinstall AFX

  1. Navigate to AFX/bin and run the script to set permissions:

cd AFX/bin
sh ./setPerms.sh

  1. Create symbolic link to from afx_server to /etc/init.d/afx_server, if it does not exist:

ln -s afx_server /etc/init.d/afx_server

  1. Activate the system service.

chkconfig afx_server on

  1. Configure the AFX environment:  
  2. Edit /home/oracle/AFX/bin/setAFXEnv.sh and set the AFX home directory variable for AFX_HOME to AFX_HOME=/home/oracle/AFX:

cp /home/oracle/AFX/bin/setAFXEnv.sh /home/oracle
cp /home/oracle/AFX/bin/setAFXEnv.sh /root
chown oracle:oinstall /home/oracle/setAFXEnv.sh

  1. Edit the .bash_profile under /root and /home/oracle and add (if it does not exist).  This will source the script of variables at each login.  Note the leading dot in the command.

. ./setAFXEnv.sh

  1. Start AFX:

cd /home/oracle
service afx_server start

  1. A quick and easy check to ensure that your AFX environment variables are set correctly can be determined by running the following command as the oracle user:

env | grep AFX

  1. Start AFX as the oracle user

service afx_server start

If you are re-installing AFX after having re-installed RSA Governance & Lifecycle, or after importing a database from a different environment, the server.keystore in the file-system may not match what is within the database.  You can use keytool to view the fingerprint for the aveksa_ca signing certificate, and if what was downloaded from the UI differs from what exists in the file, then replace the keystore and restart the application:

keytool -list -alias aveksa_ca -storepass Av3k5a15num83r0n3 -keystore /tmp/server.keystore
keytool -list -alias aveksa_ca -storepass Av3k5a15num83r0n3 -keystore /home/oracle/keystore/server.keystore

If the certificate fingerprint matches from both keystores, you do not need to perform the following steps:

cd /home/oracle/keystore
mv server.keystore server.
cp /tmp/server.keystore .
chown oracle:oinstall server.keystore
acm restart
service afx_server restart