RCM CRL not being generated automatically per crl timer configuration
Originally Published: 2011-02-01
Article Number
000043768
Applies To
RSA Certificate Manager 6.8
RSA Certificate Manager 6.8 HA
Microsoft Windows Server 2003 SP2
ADAM High Availability
Certificate Revocation List (CRL)
Issue
RCM CRL not being generated automatically per crl timer configuration

The following error is observed in various places in trace.log:

2011/01/03 13:32:20 ldap 1556 2884 D:\RCM\CERTMGR-3837\strong-sentry\ldap\ldap-3.3-hodges\servers\slapd\crltimer.c:4016 Automatic complete CRL generation Failed.
If RCM is configured with an external LDAP (i.e., only one instance of RCM), CRL timers are disabled by default. To use CRL timers, follow the steps in the "Using Revocation List Timers with High Availability" section on page 212 of the RSA Certificate Manager Administrator's Guide.

In the "High Availability Configuration - Revocation List Generators" configuration, values for the primary instance and the health check period can be set even if no secondary instance is configured for HA.

Cause
The primary HostName (FQDN) and Secure Directory server secure port configured under Revocation List Timers - High Availability. The configured details were Primary HostName: rcm1.acme.com, Port: 636; the FQDN did not match the hostname string RCM detected at startup.
Resolution
For the RCM CRL HA configuration, using the FQDN for the primary host works in most scenarios. However, depending on the host machine's network configuration, RCM might detect its own hostname as either a FQDN or a short hostname, and the configured primary HostName must match the form RCM detects.

In this case, using the short hostname (i.e., rcm1) instead of the FQDN as the primary HostName resolved the issue.
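The following script is an added troubleshooting example; it is not part of the RSA article or the RCM product. It does two things that serve the Issue and Resolution sections above: it scans trace.log text for the "Automatic complete CRL generation Failed." entries in the line format quoted above, and it compares a configured primary HostName with the short and fully qualified names the host's own resolver reports, so you can see which form you configured and which form to try instead. It does not reproduce RCM's own hostname detection (RSA's tool in the Notes does that); the sample log excerpt, the connection.c line in it, and the helper names are constructed for this example.

```python
"""Troubleshooting helpers for the RCM CRL timer problem described above.

Added example, not RSA's code. Parses trace.log for the automatic CRL
generation failure and classifies the configured primary HostName against
the names this host reports. It does NOT replicate RCM's startup hostname
detection; it only shows which form (FQDN or short) the configured value
is and which form to try if RCM detected the host the other way.
"""
import re
import socket

# Constructed trace.log excerpt (not from the article), in the format of the
# line quoted in the Issue section: date time subsystem pid tid source:line message.
SAMPLE_TRACE_LOG = r"""2011/01/03 13:32:20 ldap 1556 2884 D:\RCM\CERTMGR-3837\strong-sentry\ldap\ldap-3.3-hodges\servers\slapd\crltimer.c:4016 Automatic complete CRL generation Failed.
2011/01/03 13:40:02 ldap 1556 2900 D:\RCM\CERTMGR-3837\strong-sentry\ldap\ldap-3.3-hodges\servers\slapd\connection.c:101 Connection closed.
2011/01/03 13:47:20 ldap 1556 2884 D:\RCM\CERTMGR-3837\strong-sentry\ldap\ldap-3.3-hodges\servers\slapd\crltimer.c:4016 Automatic complete CRL generation Failed.
"""

CRL_FAILURE_MESSAGE = "Automatic complete CRL generation Failed."

# Field layout taken from the quoted line; the source path contains no spaces,
# so a non-greedy \S+? followed by ":<digits> " isolates file and line number.
TRACE_LINE = re.compile(
    r"^(?P<timestamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<subsystem>\S+) (?P<pid>\d+) (?P<tid>\d+) "
    r"(?P<source>\S+?):(?P<srcline>\d+) (?P<message>.*)$"
)


def parse_trace_line(line):
    """Split one trace.log line into its fields; None if it does not match."""
    m = TRACE_LINE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def crl_timer_failures(log_text):
    """Return (timestamp, source-file:line) for every automatic CRL failure."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_trace_line(line)
        if fields and fields["message"] == CRL_FAILURE_MESSAGE:
            hits.append((fields["timestamp"], f'{fields["source"]}:{fields["srcline"]}'))
    return hits


def _normalize(name):
    return name.strip().rstrip(".").lower()


def check_primary_hostname(configured, short_name, fqdn):
    """Classify the configured primary HostName against the names the host reports.

    Returns {"form": "fqdn" | "short" | None, "alternative": name-to-try | None}.
    """
    configured, short_name, fqdn = map(_normalize, (configured, short_name, fqdn))
    if configured == fqdn and fqdn != short_name:
        return {"form": "fqdn", "alternative": short_name}
    if configured == short_name:
        return {"form": "short", "alternative": fqdn if fqdn != short_name else None}
    if configured.split(".")[0] == short_name:
        # Configured as a FQDN that the host itself does not report (e.g. no DNS
        # suffix set): the article's failing case, so suggest the short name.
        return {"form": "fqdn", "alternative": short_name}
    return {"form": None, "alternative": None}


def local_hostnames():
    """Short and fully qualified names this host reports via the OS resolver.

    Note: gethostname() already returns a FQDN on some systems; that is exactly
    the host-dependent behaviour the Resolution section warns about.
    """
    short_name = socket.gethostname()
    return short_name, socket.getfqdn(short_name)


if __name__ == "__main__":
    for ts, where in crl_timer_failures(SAMPLE_TRACE_LOG):
        print(f"{ts} automatic CRL generation failed at {where}")
    short_name, fqdn = local_hostnames()
    # "rcm1.acme.com" is the configured primary HostName from the Cause section.
    print(check_primary_hostname("rcm1.acme.com", short_name, fqdn))
```

Run it on the RCM host itself, since the point is what that machine's resolver says about its own name; a mismatch reported for the configured value, or an "alternative" of the short name, is the cue to retry the Revocation List Timers configuration with the other form.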
Notes
Refer to the article "Revocation List Timers - High Availability not working" for a tool that helps determine the hostname string RCM derives during startup.