The information below assumes the afxuser is the oracle user. A separate afxuser can be created. See the RSA Identity Governance & Lifecycle Installation Guide for more information.
These are the steps for installing or reinstalling the AFX server component on an RSA Identity Governance & Lifecycle appliance using the AFXServer.zip generated from the Administrative console:
- Log in to the RSA Governance & Lifecycle Administration Interface (for example, https://rsa-access.yourcompany.com/aveksa/main).
- Download the AFXServer.zip from the UI under AFX > Servers > AFX Server > Download Server Archive.
- Download server.keystore from the UI under Admin > System > Security > Download 'Server Certificate Store for Agent SSL Connections'.
- Transfer the AFXServer.zip and server.keystore from your PC to the RSA Identity Governance & Lifecycle appliance using a tool like WinSCP or another SFTP client and place the files under /tmp.
- Change to the root user.
sudo su -
- Shut down AFX, if it exists, and check that no AFX processes remain.
service afx_server stop
ps -ef | grep AFX
- Kill any remaining AFX processes, where xxxx is the process ID of each AFX process still running:
kill -9 xxxx
- Back up the pre-existing AFX directory, if it exists.
mv AFX AFX.old
- Unpack the AFXServer.zip and change file and group ownership:
chown -R oracle:oinstall AFX
- Navigate to AFX/bin and run the script to set permissions:
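- Create a symbolic link from afx_server to /etc/init.d/afx_server, if it does not exist. Run this from the AFX/bin directory; the link target must be an absolute path, because a relative target would be resolved against /etc/init.d:
ln -s "$(pwd)/afx_server" /etc/init.d/afx_server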
- Activate the system service.
chkconfig afx_server on
- Configure the AFX environment:
- Edit /home/oracle/AFX/bin/setAFXEnv.sh and set AFX_HOME=/home/oracle/AFX, then copy the script to the oracle and root home directories:
cp /home/oracle/AFX/bin/setAFXEnv.sh /home/oracle
cp /home/oracle/AFX/bin/setAFXEnv.sh /root
chown oracle:oinstall /home/oracle/setAFXEnv.sh
- Edit the .bash_profile under /root and /home/oracle and add (if it does not exist). This will source the script of variables at each login. Note the leading dot in the command.
- Start AFX:
service afx_server start
- To check that your AFX environment variables are set correctly, run the following command as the oracle user:
env | grep AFX
- Start AFX as the oracle user
service afx_server start
If you are re-installing AFX after having re-installed RSA Governance & Lifecycle, or after importing a database from a different environment, the server.keystore on the file system may not match the one held in the database. Use keytool to view the fingerprint of the aveksa_ca signing certificate in each keystore. If the fingerprint in the keystore downloaded from the UI differs from the one in the existing file, replace the keystore and restart the application:
keytool -list -alias aveksa_ca -storepass Av3k5a15num83r0n3 -keystore /tmp/server.keystore
keytool -list -alias aveksa_ca -storepass Av3k5a15num83r0n3 -keystore /home/oracle/keystore/server.keystore
If the certificate fingerprints from both keystores match, you do not need to perform the following steps. Otherwise, run them from /home/oracle/keystore:
mv server.keystore server.keystore.bak
cp /tmp/server.keystore .
chown oracle:oinstall server.keystore
service afx_server restart
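The fingerprint comparison described above can be scripted so the decision to replace the keystore does not depend on reading two long hex strings by eye. This is an added example, not part of the RSA procedure; the function names and the KS_PASS variable are assumptions, and the sample listing in the comment is constructed.

```shell
#!/bin/sh
# Added example: compare the aveksa_ca fingerprint in two keystores.
# Alias and paths come from the article; function names and KS_PASS are illustrative.
ALIAS=aveksa_ca
NEW_KS=/tmp/server.keystore
CUR_KS=/home/oracle/keystore/server.keystore

# Constructed sample of the `keytool -list -alias` output this parses:
#   aveksa_ca, Jan 1, 2020, trustedCertEntry,
#   Certificate fingerprint (SHA1): AA:BB:CC:DD

# Read keytool output on stdin and print the fingerprint, upper-cased.
# Accepts any digest label in the parentheses (SHA1, SHA-256, MD5).
extract_fp() {
    sed -n 's/^[[:space:]]*Certificate fingerprint ([^)]*): *//p' |
        tr 'a-f' 'A-F' | head -n 1
}

# Compare two keytool listings.
# Returns 0 = same fingerprint, 1 = different, 2 = a fingerprint is missing
# (for example keytool printed an error instead of a listing).
compare_listings() {
    fp_a=$(printf '%s\n' "$1" | extract_fp)
    fp_b=$(printf '%s\n' "$2" | extract_fp)
    if [ -z "$fp_a" ] || [ -z "$fp_b" ]; then
        return 2
    fi
    [ "$fp_a" = "$fp_b" ]
}

# Run keytool on both keystores and report whether replacement is needed.
check_keystores() {
    : "${KS_PASS:?set KS_PASS to the keystore password}"
    new=$(keytool -list -alias "$ALIAS" -storepass "$KS_PASS" -keystore "$NEW_KS" 2>&1) || true
    cur=$(keytool -list -alias "$ALIAS" -storepass "$KS_PASS" -keystore "$CUR_KS" 2>&1) || true
    rc=0
    compare_listings "$new" "$cur" || rc=$?
    case $rc in
        0) echo "fingerprints match: keep the existing keystore" ;;
        1) echo "fingerprints differ: replace the keystore and restart AFX" ;;
        *) echo "no fingerprint found; inspect the keytool output" >&2 ;;
    esac
    return $rc
}
```

Source the file and run `check_keystores` as root with KS_PASS exported; a return code of 2 means keytool failed on one keystore and neither file should be touched until that is resolved.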