000035501 - Unable to open any workflow on RSA Identity Governance & Lifecycle 7.0.2 or 7.1.0 when deployed in a clustered environment or on an application server with custom access ports

Document created by RSA Customer Support Employee on Mar 3, 2018Last modified by RSA Customer Support Employee on Dec 26, 2018
Version 23Show Document
  • View in full screen mode

Article Content

Article Number000035501
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2, 7.1.0
Platform: WildFly, WebSphere, WebLogic
An attempt to open the Workflow Editor in RSA Identity Governance & Lifecycle 7.0.2 or 7.1.0 fails with any of the following errors:
Could not connect to HTTP invoker remote service at
[http://localhost:9080/wpServices/ServerConfigService]; nested exception is
java.net.ConnectException: Connection refused


WebSphere error

Could not access HTTP invoker remote service at [http://node1:9080/wpServices
/ServerConfigService]; nested exception is java.net.UnknownHostException: server1


User-added image

CauseThis a known issue under "Known Issues and Limitations" in the RSA Identity Governance & Lifecycle 7.0.2 Release Notes under ID ACM-72065 as well as the standard RSA Identity Governance & Lifecycle 7.1 documentation.

This error can occur in more than one case:
  1. When using a clustered environment where the application server nodes listen only on the hostname/IP address of the server but not on localhost. This is most common in Wildfly clusters but might also happen on WebSphere and WebLogic according to your application server configuration.
  2. When the application server listen port has been changed in the application server settings to anything other than the default ports. Below is a table of the default expected console port for each Application Server type.

Application ServerDefault Port
ResolutionThis problem is fixed in 7.0.2 P05 and 7.1.0 as the new aveksaWFArchitect.ear file has built in JVM parameters ${wp-client-hostname} and ${wp-client-hostport} that can be used to specify the hostname and ports of each node. As of 7.1.1 we can leverage an additional parameter, ${wp-client-protocol}.

Note: The values provided for the parameters ${wp-client-hostname}, ${wp-client-hostport}, and ${wp-client-protocol} do not have to be reachable from the end users' browsers. They have to be reachable locally from where the aveksaWFArchiect.ear is deployed to where the aveksa.ear is deployed, which in most cases is the same server.

To resolve this issue follow the steps below:
  1. If you are on 7.0.2, apply 7.0.2 P05+ or upgrade to 7.1.0.  
  2. If you cannot apply 7.0.2 P05+ or upgrade to 7.1.0, first follow the steps under the Workaround section before proceeding further.
  3. Follow one of the steps below, per your application server to set up these JVM parameters.



      1. Login as the oracle user via SSH to a server that hosts the Identity Governance & Lifecycle WildFly application (in case of cluster environments, you need to do this for each server).
      2. Edit one of the following files as per you setup:
        • Standalone environment: /home/oracle/wildfly/bin/standalone.conf
        • Clustered environment: /home/oracle/wildfly/bin/domain.conf
      3. Add the following line to the very end of the file:

        JAVA_OPTS="$JAVA_OPTS -Dwp-client-hostname=<Your Identity Governance & Lifecycleinternal server hostname> -Dwp-client-hostport=<Your internal Identity Governance & Lifecycle server HTTP port> "
           (7.1.1 only) additionally, you can add:




      1. In the WebSphere console, to select the server, click Servers > Server types > WebSphere application servers and select the server.
      2. Choose the server used for RSA Identity Governance & Lifecycle.
      3. Under the Configuration tab, select Server Infrastructure > Java and Process Management > Process Definition.
      4. Under Additional Properties, select Java Virtual Machine.
      5. Enter the following under Generic JVM Arguments:

-Dwp-client-hostname=<Your internal RSA Identity Governance & Lifecycle server hostname>
-Dwp-client-hostport=<Your internal RSA Identity Governance & Lifecycle server HTTP port>
(7.1.1+) -Dwp-client-protocol

  1. Save to the master configuration.

  • WebLogic

    Use one of the following methods to set JVM arguments.

    Note: If you use custom scripts to start the WebLogic application server, these methods might not map to your environment. Consult the WebLogic administrator on how the JVM  settings are set for your environment.

    1. Editing the WebLogic Domain startup environment script. This method is typically used on a standalone system and is required if you are deploying RSA Identity Governance & Lifecycle using the AdminServer instance.
      1. Edit the setDomainEnv.sh file for the domain in which you will be deployed RSA Identity Governance & Lifecycle. For example, from $WEBLOGIC_HOME/user_projects/domains/<domain_name>/bin.
      2. Add the following settings near the beginning of the setDomainEnv script, where WL_HOME is set.

        JAVA_OPTIONS="$JAVA_OPTIONS -Dwp-client-hostname=<Your RSA Identity Governance & Lifecycle internal server hostname> -Dwp-client-hostport=<Your internal RSA Identity Governance & Lifecycle server HTTP port> "
           export JAVA_OPTIONS
           JAVA_OPTIONS="$JAVA_OPTIONS -Dwp-client-hostname=<Your RSA Identity Governance & Lifecycle internal server hostname> -Dwp-client-hostport=<Your internal RSA Identity Governance & Lifecycle server HTTP port> -Dwp-client-protocol=<protocol>"
           export JAVA_OPTIONS

    2. Specifying JVM arguments within the Admin Console for a server instance. This method is typically used when your servers are managed by NodeManager.
      1. Log on to the WebLogic console.
      2. Click Environment > Servers and select the server.
      3. On the Configuration tab, click the Server Start tab.
      4. In the Arguments field, add:

-Dwp-client-hostname=<Your internal Identity Governance & Lifecycle server hostname>
-Dwp-client-hostport=<Your internal
Identity Governance & Lifecycle server HTTP port>
(7.1.1+) -Dwp-client-protocol

  1. After completing the JVM settings described above, restart the WebLogic application server.
WorkaroundOn any 7.0.2 patch before P05, you would first need to edit the aveksaWFArchitect.ear file and modify the default URLs to the add the above JVM parameters, then deploy the newly modified aveksaWFArchitect.ear file on your application server.
  1. You can do the following steps on any machine on which the Java Development Kit 1.7 (JDK 1.7) is installed, and also on which you correctly configured the PATH environmental variables.  Use the Java Tutorial on CLASS and CLASS PATH for reference. The below example uses Windows.
  2. Use any application (for example, 7Zip) to extract the RSA Identity Governance & Lifecycle software/patch .tar file to any directory; A directory named Packages is used for the following example.

User-added image

  1. Create a working directory, new_ear, for example.
  2. Copy the aveksaWFArchitect.ear file from the extracted tar directory in step 2 to the new_ear directory.
  3. Create two temporary directories under new_ear.  For example, ear_dir and jar_dir.

User-added image

  1. Open the Windows command prompt (cmd.exe).
  2. Use the following commands  to unzip the aveksaWFArchitect.ear in the temporary ear directory named ear_dir:

    cd ear_dir
    jar -xvf ..\aveksaWFArchitect.ear

    User-added image
  3. Use the following commands in the command prompt to unzip <ear_dir>\APP-INF\lib\acmConfig.jar in the temporary jar directory named jar_dir:

    cd ..\jar_dir
    jar -xvf ..\ear_dir\APP-INF\lib\acmConfig.jar

    User-added image
  4. Use any text editor (preferably Notepad++) to modify the property values for serverContextPath and client.connect.URL in the properties file <jar_dir>\workpoint-client.properties as follows:

serverContextPath = http://${wp-client-hostname}:${wp-client-hostport}/wpServices
client.connect.URL = http://${wp-client-hostname}:${wp-client-hostport}/wpServices/xml

  1. Save the changes to workpoint-client.properties, and close the file.
  2. Use the following commands in the command prompt to rebuild the modified acmConfig.ear:

    cd jar_dir
    jar uvfm ..\ear_dir\APP-INF\lib\acmConfig.jar META-INF\MANIFEST.MF *

    User-added image
  3. Use the following commands in the command prompt to rebuild the modified aveksaWFArchitect.ear:

    cd ..\ear_dir
    jar uvfm ..\aveksaWFArchitect.ear META-INF\MANIFEST.MF *

    User-added image
  4. The aveksaWFArchitect.ear in the new_ear directory now has been updated with the changes. You can now follow the steps in the RSA Identity Governance & Lifecycle 7.0.2 Installation Guide specific to your application server, RSA Identity Governance & Lifecycle 7.0.2 - Configuring WildFly Clustering or contact RSA Support to deploy the new aveksaWFArchitect.ear file.
  5. Follow the above steps under Resolution to set the values of the newly added JVM parameters.

You will need to perform the above edits to the new aveksaWFArchitect.ear file every time you apply a new patch or upgrade to a version of 7.0.2 that does not yet have a fix.