This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA® Access Manager Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by RSA Access Manager experts.

RSA Access Manager elects two master keyservers

Article Number

000029151

Applies To

RSA Product Set: ClearTrust
RSA Product/Service Type: Access Manager
RSA Version/Condition: 5.5.3 EOPS Reached
Platform: Windows
Platform (Other): null
O/S Version: 2003 Server
Product Name: RSA-0010020
Product Description: Access Manager

Issue

Customers are unexpectedly directed to the logon page during an SSO session

The RSA Access Manager aserver.log (or lserver.log) logs a larger than normal number of the following log events.  These occur more on some aservers than others.

sequence_number=356,2011-06-03 14:36:58:616 EDT,messageID=1031,client_ip_address=10.10.10.10,client_port=1914,result_code=0,result_action=User Token Failed,result_reason=Token error
 

The RSA Access Manager dispatcher.log (lserver.log) shows the following log messages:
sequence_number=255,2012-08-30 04:04:49:85 BST,messageID=0,event_type=Error,description=Error handling client connection,error=java.lang.OutOfMemoryError
sequence_number=256,2012-08-30 04:04:55:22 BST,messageID=0,event_type=Error,description=Unknown error,error=java.lang.OutOfMemoryError
sequence_number=17,2014-11-29 15:50:15:556 GMT,messageID=-2,event_type=Internal Error,internal_error=java.io.EOFException
sequence_number=18,2014-11-29 15:50:19:540 GMT,messageID=-2,event_type=Internal Error,internal_error=java.net.SocketException: Connection reset
 

Cause

These errors in the dispatcher.log indicate that the dispacher JVM is unable to open any new sockets due to a resource limitation on the physical machine.  The keyserver must be able to open new sockets on port 5609 to conduct keyserver elections.  If the keyserver is unable to reach any of the other keyservers because it cannot open new sockets to conduct an election, it will assume that it is the only keyserver and it will elect itself as a master keyserver.   Even though it cannot contact the other keyservers for elections (this requires a new socket) the keyserver may still generate keys and these may be provided to clients that request them.  This can lead to a variety of errors.

Resolution

Identify the reason for the resource limitation on the machine hosting the disptacher.  Restart the machine to free up resources.
 

If this issue occurs frequently there may be a socket leak (typically against another application) on the same machine that is using all the resources.

Upgrade to a 64 bit JVM and add memory.  This issue is rarely seen on modern systems. 

0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-13 08:20 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.