RSA Remote Agent shows as status "Is Running=Yes" but all Collectors for this Agent are failing.
The Remote Agent's aveksaAgent.log file shows the following INFO level log messages with a warning:
05/20/2020 13:34:46.468 INFO (ApplyChangesRegularThread-3) [com.aveksa.client.datacollector.framework.DataCollectorManager] WARNING: Hostname is not matched for session.
The aveksaAgent.log file shows a variety of other ERROR level messages related to the failure of the collectors to load Java classes:
05/20/2020 13:34:46.733 ERROR (ApplyChangesRegularThread-3) [com.aveksa.server.agent.message.ExceptionMessage] com.aveksa.common.ConfigException: Please ensure that all required classes are there in following urls: [https://{acm host}:8444/aveksa/DBIdentityCollector/, https://{acm host}:8444/aveksa/DBIdentityCollector1/classes/]
Testing a collector fails with a NullPointerException. The aveksaAgent.log file shows an ERROR level log message related to the test:
05/20/2020 13:34:46.819 ERROR (ApplyChangesRegularThread-3) [com.aveksa.client.datacollector.framework.DataCollectorManager] FAILED method=Collect CollectionMetaInfo[{ID=1, run_id=381, collector_id=3, test-run=true, collector_name=IDC}] com.aveksa.common.ConfigException: java.lang.NullPointerException
There are no errors in the aveksaServer.log file and normal INFO level log messages indicate the remote agent is running:
05/20/2020 13:34:24.320 INFO (default task-42) [com.aveksa.server.agent.core.AveksaAgent] Contact initiated from agent: OnPremise Integration Agent.Version: 2.0, Agent Runtime Data{dataTimestamp='1589981664320', hostname='{agent}', internalIp='10.10.10.10', externalIp='10.10.10.10', javaInstanceId='8692@{agent}', agentStartTime='1589981617657'}
This issue is resolved in the following versions, where a custom setting DomainNames can be used to specify additional comma-separated hostnames or aliases, which are then added as DNS names to the Subject Alternative Name (SAN) extension of a regenerated server certificate for the SecurID Governance & Lifecycle application server (port 8444):
Note that the DNS names added to the SAN extension of the SecurID Governance & Lifecycle server certificate (for port 8444) must match exactly the hostname that the Remote Agent uses to contact the server. The Remote Agent's configuration file <RemoteAgent-install-dir>/conf/config.properties lists the URL it uses to contact the server in the parameter server_url. You must ensure that the hostname in the server URL used by the Remote Agent matches one of the DNS names in the SAN extension of the SecurID Governance & Lifecycle application server certificate.
This is particularly important for SecurID Governance & Lifecycle deployments on AWS or other deployments with a proxy server where the hostname of SecurID Governance & Lifecycle's server instance is different for external clients (Remote Agent and Remote AFX) than it is for internal connections. It is also important for clustered deployments where the individual nodes have different hostnames than the front end load balancer.
In these instances, you must ensure that the correct hostname(s) are added to the SAN certificate extension using the custom system parameter "DomainNames", as per the instructions in the SecurID Governance & Lifecycle 7.5.2 Installation Guide, section "Using Domain Name for Certificate Validation".
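The hostname check described above can be scripted. The following Python is an added example, not RSA's code: it takes the text of the Remote Agent's config.properties and the output of `openssl x509 -noout -ext subjectAltName` for the port 8444 certificate, and reports whether the server_url hostname is one of the SAN DNS names. The sample hostnames, the escaped URL form and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed samples (not from the article): a Remote Agent config.properties
# and `openssl x509 -noout -ext subjectAltName` output for the port 8444 cert.
SAMPLE_CONFIG = """\
# Remote Agent settings (constructed)
server_url=https\\://sgl-lb.example.com\\:8444/aveksa
"""
SAN_BEFORE = """X509v3 Subject Alternative Name:
    DNS:sgl-node1.internal.example.com, IP Address:10.10.10.10
"""
SAN_AFTER = """X509v3 Subject Alternative Name:
    DNS:sgl-node1.internal.example.com, DNS:sgl-lb.example.com, IP Address:10.10.10.10
"""


def server_host(config_text):
    """Hostname from the server_url property, or None if it is absent."""
    for line in config_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "server_url":
            # Assumption: the file may use Java-properties escapes such as '\:'.
            return urlsplit(value.strip().replace("\\", "")).hostname
    return None


def san_dns_names(openssl_text):
    """DNS entries of the SAN extension, lowercased; IP entries are ignored."""
    return [n.lower() for n in re.findall(r"DNS:([^,\s]+)", openssl_text)]


def hostname_in_san(config_text, openssl_text):
    """True only if server_url's host equals one SAN DNS name (no wildcards)."""
    host = server_host(config_text)
    return host is not None and host in san_dns_names(openssl_text)


if __name__ == "__main__":
    for label, san in (("before", SAN_BEFORE), ("after", SAN_AFTER)):
        ok = hostname_in_san(SAMPLE_CONFIG, san)
        print(f"{label}: {server_host(SAMPLE_CONFIG)} in SAN -> {ok}")
```

A False result for the "before" sample corresponds to the load-balancer case above: the certificate lists only the node's internal name, so the name the agent connects to is not covered until it is added through DomainNames and the certificate is regenerated.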
Refer to the following article when generating a new server certificate for SecurID Governance & Lifecycle: How to Update the Root (Server) and Client Certificates in RSA Identity Governance & Lifecycle