Authentication Manager rsaserv Fails with "log4j:ERROR Could not read configuration file"
14 hours ago
Originally Published: 2015-04-13
Article Number
000060948
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue

When running the rsaserv command on an RSA Authentication Manager server, the command produces a log4j error instead of returning the expected service status.

Observable symptoms:

 

  • Running the following command ./rsaserv status  from /opt/rsa/am/server produces the following error: 
log4j:ERROR Could not read configuration file [test/resources/log4j.properties].
java.io.FileNotFoundException: test/resources/log4j.properties (No such file or directory)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:120)
at java.io.FileInputStream.<init>(FileInputStream.java:79)
Cause

The log4j.properties file in /opt/rsa/am/utils/etc/rsaserv/ has been permanently lost because the log4j logging system was overwhelmed and failed to recreate it — causing rsaserv to throw a FileNotFoundException every time it is run.

Each time rsaserv is executed, a temporary copy of log4j.properties is created in /opt/rsa/am/utils/etc/rsaserv/ and then removed. This commonly happens when an automated monitoring tool is configured to run rsaserv status too frequently — for example, every minute. The log4j logging system is not designed to handle this rate of activity, and under sustained high-frequency execution, it eventually fails to recreate the file. Once the file is permanently missing, RSA service status logs stop being generated entirely.

Resolution

Resolution Path 1: Replica Server Is Available

 

  1. Log in to the replica Authentication Manager server via SSH as rsaadmin.
  2. Copy the log4j.properties file to the primary server: 
    scp /opt/rsa/am/utils/etc/rsaserv/log4j.properties rsaadmin@<primary-server-hostname>:/opt/rsa/am/utils/etc/rsaserv/
  3. Log in to the primary server via SSH as rsaadmin.
  4. Verify the file was copied successfully: 
    ls -l /opt/rsa/am/utils/etc/rsaserv/log4j.properties
  5. Confirm the file ownership and permissions match the expected values:
    -rw-r--r-- 1 rsaadmin rsaadmin

     

    If the ownership or permissions differ, correct them: 
    chown rsaadmin:rsaadmin /opt/rsa/am/utils/etc/rsaserv/log4j.properties
    chmod 644 /opt/rsa/am/utils/etc/rsaserv/log4j.properties

Verification: Run the rsaserv command again and confirm the log4j:ERROR no longer appears:

 

 

Resolution Path 2: No Replica Server Available

 

  1. Contact RSA Customer Support and request a copy of the log4j.properties file for your Authentication Manager version.
  2. Once received, place the file in /opt/rsa/am/utils/etc/rsaserv/ on the primary server.
  3. Verify file ownership and permissions as described in Steps 4–5 of Resolution Path 1 above.

 

Verification: Run the rsaserv command again and confirm the log4j:ERROR no longer appears:


NOTE: Resolving this error only restores the missing file. To prevent the issue from recurring, you must also reduce the frequency of your monitoring tool's rsaserv polling interval — see the Workaround section below.

Notes
  • Monitoring Tool Polling Frequency — Prevention Recommendation: Automated monitoring tools should not run an authenticated SSH session every minute to execute the following command:
/opt/rsa/am/server/rsaserv status
  • A polling frequency of 5 minutes or more is recommended for all rsaserv status commands. This issue has been observed in environments using tools such as WhatsUpGold configured to poll at 1-minute intervals — reducing the frequency prevents the log4j logging system from being overwhelmed and stops the log4j.properties file from being permanently lost.