000022670 - RSA Access Manager: How to increase RSA ClearTrust 5.5 Entitlements Server (EServer) timeout value to avoid errors when listing large numbers of User Groups

Document created by RSA Customer Support Employee on Apr 6, 2018
Version 1

Article Content

Article Number: 000022670

Applies To:
RSA Product Set: Access Manager
RSA Product/Service Type: RSA ClearTrust 5.5 Entitlements Server (EServer)
BEA WebLogic 8.1 SP2
BEA WebLogic Portal Server
RSA ClearTrust Agent 3.5.2 for BEA WebLogic 8.1 SP2

Issue:
How to increase RSA ClearTrust 5.5 Entitlements Server (EServer) timeout value to avoid errors when listing large numbers of User Groups
Unable to list users or groups in the BEA WebLogic Admin Console or BEA WebLogic Portal Admin Console.
EServer debug output shows a Broken pipe message:

15:52:14:927 [*] [APIClientProxy_1] - Return code is 0 no exception
java.net.SocketException: Broken pipe
 ....
 at sirrus.api.server.APIClientProxy.run(APIClientProxy.java:839)
15:52:14:946 [*] [APIClientProxy_1] - Return code is 5 msg is java.net.SocketException: Broken pipe
15:52:14:947 [*] [APIClientProxy_1] - Command duration is 21933 milliseconds
EServer log file shows the following error message:

sequence_number=78,2006-02-17 15:52:14:951 EST,conn=1,op=3,messageID=908,ip=10.50.5.74,uname=weblogic,msg=Get groups by range,result=5,etime=21933ms,exception=java.net.SocketException: Broken pipe,start=0,end=2147483647
BEA WebLogic Console output shows the following exception:

<Feb 17, 2006 3:52:58 PM EST> <Error> <HTTP> <BEA-101020> <[ServletContext(id=17490623,name=CleartrustTestAdmin,context-path=/CleartrustTestAdmin)] Servlet failed with Exception
com.bea.p13n.usermgmt.UserManagementException: com.bea.p13n.usermgmt.UserManagementException: Cannot build AtnTree for provider ClearTrustAuthenticator because....
Cause:
This error may occur if the number of RSA ClearTrust user groups or user objects in the datastore is large and/or the datastore performance is slow. The error occurs when a query to the datastore takes longer to return its result than the default timeout of 15 seconds for the connection between the ClearTrust Agent and the EServer. The Agent times out and drops the socket, so the EServer is unable to return the result.

Resolution:
Increase the timeout value for the EServer until the query returns without error. The appropriate value depends on the number of objects in the datastore and the datastore response time. This value should be greater than the "Command duration" listed in the server debug output statement for the query that generates the exception.

In the release version of RSA ClearTrust Agent 3.5.2 for BEA WebLogic, the EServer timeout value is 15 seconds and is not user configurable.

Hotfix 3.5.2.04 addresses this issue by adding a new cleartrust_realm.properties file parameter called cleartrust.agent.entitlements_server_timeout= that allows you to increase this value. Contact RSA Security Customer Support to obtain hotfix 3.5.2.04. Then make the changes to the cleartrust_realm.properties file as recommended in the hotfix Readme file.
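
The sizing rule in the Resolution, as an added example (not RSA's code): a Python sketch that reads EServer debug output and log file lines in the formats shown above, collects the duration of every command that ended in Broken pipe, and returns the smallest whole-second value above the slowest one. The function names and one sample entry are constructed for illustration; the unit expected by cleartrust.agent.entitlements_server_timeout is not stated in this article, so take it from the hotfix Readme.

```python
import re

AGENT_DEFAULT_TIMEOUT_MS = 15_000  # default Agent-to-EServer timeout per the article

# EServer log file: one line per operation, etime in ms, optional exception field.
LOG_RE = re.compile(r"result=\d+,etime=(?P<ms>\d+)ms(?:,exception=(?P<exc>[^,]*))?")
# EServer debug output: return code and duration are separate lines per thread.
RC_RE = re.compile(r"\[(?P<thread>APIClientProxy_\d+)\] - Return code is \d+ msg is (?P<exc>.*)")
DUR_RE = re.compile(r"\[(?P<thread>APIClientProxy_\d+)\] - Command duration is (?P<ms>\d+) milliseconds")

# Lines 1-2 and 4 are quoted from the article; line 3 is a constructed success entry.
SAMPLE = """\
15:52:14:946 [*] [APIClientProxy_1] - Return code is 5 msg is java.net.SocketException: Broken pipe
15:52:14:947 [*] [APIClientProxy_1] - Command duration is 21933 milliseconds
sequence_number=77,2006-02-17 15:51:40:102 EST,conn=1,op=2,messageID=907,ip=10.50.5.74,uname=weblogic,msg=Get groups by range,result=0,etime=312ms,start=0,end=100
sequence_number=78,2006-02-17 15:52:14:951 EST,conn=1,op=3,messageID=908,ip=10.50.5.74,uname=weblogic,msg=Get groups by range,result=5,etime=21933ms,exception=java.net.SocketException: Broken pipe,start=0,end=2147483647
"""


def broken_pipe_durations(text):
    """Durations in ms of every command that ended in 'Broken pipe'."""
    durations, pending = [], set()
    for line in text.splitlines():
        if m := LOG_RE.search(line):
            if m["exc"] and "Broken pipe" in m["exc"]:
                durations.append(int(m["ms"]))
        elif m := RC_RE.search(line):
            if "Broken pipe" in m["exc"]:
                pending.add(m["thread"])  # duration follows on a later line
        elif (m := DUR_RE.search(line)) and m["thread"] in pending:
            pending.discard(m["thread"])
            durations.append(int(m["ms"]))
    return durations


def minimum_timeout_seconds(text):
    """Smallest whole number of seconds strictly above the slowest failed command."""
    slow = [ms for ms in broken_pipe_durations(text) if ms > AGENT_DEFAULT_TIMEOUT_MS]
    return max(slow) // 1000 + 1 if slow else None


if __name__ == "__main__":
    print(broken_pipe_durations(SAMPLE), minimum_timeout_seconds(SAMPLE))
```
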
Legacy Article ID: a29754