Dynamic seed provisioning fails after replica promotion
Originally Published: 2020-09-21
Article Number: 000042502
Applies To
RSA Product Set: RSA SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4.0
Issue
A promotion for maintenance has been performed. Afterwards, when you try to distribute tokens through CT-KIP, the newly promoted primary contacts the old primary to perform the import, and the import fails if the old primary's services are not running. If the old primary is not reachable, /opt/rsa/am/server/logs/imsConsoleTrace.log contains this error:
[[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'], (EJBRemoteTarget.java:316), trace.com.rsa.command.EJBRemoteTargetBase, ERROR, amprimary.example.com,,,,Unable to connect to downgraded EJB/2.1 command server.Failed to initialize JNDI context, tried 2 time or times totally, the interval of each time is 0ms.
t3s://amprimary.example.com:7022: Destination X.X.X.X, 7022 unreachable.; nested exception is:
        java.net.ConnectException: Connection refused (Connection refused); No available router to destination.; nested exception is:
        java.rmi.ConnectException: No available router to destination.

 [[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'], (CtkipMessageProcessorBindingImpl.java:74), trace.authmgr.internal.ctkip.ws.CtkipMessageProcessorBindingImpl, ERROR, amprimary.example.com,,,,The CT-KIP Web Service failed to process a client request. com.rsa.common.SystemException: Failed to connect with command server
Cause
The file /opt/rsa/am/utils/resources/ims.properties contains a property, ims.ssl.client.primary.provider.url, that controls which server handles CT-KIP requests. It is set to the old primary and should be set to the current primary.
Resolution
To fix this:
1- SSH to the primary appliance
2- cd /opt/rsa/am/utils/resources

Take a backup of the current file:
3- cp ims.properties ims.properties.backup

4- vim ims.properties

Check whether ims.ssl.client.primary.provider.url is set to the current primary. If it is not, change the value to the current primary, like this:
ims.ssl.client.primary.provider.url=t3s\://am83p.vcloud.local\:7022
Afterward, restart all services:
5- /opt/rsa/am/server/rsaserv restart all
CT-KIP should now function correctly and be served from the current primary.
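
The check in step 4 can be scripted. This is an added example, not RSA-supplied code: it reads ims.ssl.client.primary.provider.url, compares its host with the FQDN you pass in, and rewrites only the host after taking the same ims.properties.backup copy. The function names and return codes are assumptions of this example, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not RSA tooling: function names and return codes are assumptions.
KEY_RE='^[[:space:]]*ims\.ssl\.client\.primary\.provider\.url[[:space:]]*='

# Print the host from the property value: t3s\://host\:7022 -> host
provider_host() {   # $1 = path to ims.properties
    sed -n "s/${KEY_RE}[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/\\:/:/g' -e 's/[[:space:]]*$//' -e 's#^[^:]*://##' -e 's/:[0-9]*$//'
}

# Return 0 if the property names the expected primary, 1 if stale, 2 if missing
check_provider() {  # $1 = file, $2 = FQDN of the current primary
    host=$(provider_host "$1")
    [ -n "$host" ] || return 2
    # Host names compare case-insensitively
    [ "$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')" = \
      "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" ]
}

# Back up the file, then rewrite only the host; scheme, escaping and port are kept
fix_provider() {    # $1 = file, $2 = FQDN of the current primary
    case $2 in ''|*[!A-Za-z0-9.-]*) return 3 ;; esac   # refuse odd characters
    rc=0; check_provider "$1" "$2" || rc=$?
    [ "$rc" -eq 1 ] || return "$rc"     # 0: already correct, 2: property missing
    cp -p "$1" "$1.backup" || return 4
    old=$(printf '%s\n' "$host" | sed 's/\./\\./g')    # escape dots for the regex
    sed "/${KEY_RE}/ s#\(://\)${old}#\1$2#" "$1.backup" > "$1"
}

# Constructed sample file (not taken from an appliance): old primary still set
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' \
    'ims.ssl.client.primary.provider.url=t3s\://amprimary.example.com\:7022' \
    > "$demo/ims.properties"
if check_provider "$demo/ims.properties" am83p.vcloud.local; then
    echo "provider URL already points at the current primary"
else
    echo "stale provider host: $(provider_host "$demo/ims.properties")"
    fix_provider "$demo/ims.properties" am83p.vcloud.local
    grep 'provider\.url' "$demo/ims.properties"
fi
```

A change made this way still needs the service restart from step 5 before it takes effect.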