ACF2 Multi factor Authentication (CA AAM) failure
Article ID: 129446
Updated On:
Products
CA ACF2
CA ACF2 - DB2 Option
CA ACF2 for zVM
CA ACF2 - z/OS
CA ACF2 - MISC
Issue/Introduction
Attempting to relate network error that may be impacting CA AAM functionality.
Curious what the following messages represent.
Are they just an indication MFASTC is polling for work, or is it an indication that MFASTC is communicating with the RSA Server.
These are the message sequence observed:
- ThreadID:31 -- Entering getInstance() for NewPINLookupTable...
- ThreadID:31 -- Leaving getInstance() for NewPINLookupTable...
- ThreadID:31 -- Entering cleanExpiredEntries() for NewPINLookupTable...
- ThreadID:31 -- cleanExpiredEntries() finished... 0 entries removed...
: 81 - ThreadID:31 -- Scheduled cleanup of expired NewPINLookupTableEntries complete...
: 73 - ThreadID:31 -- Performing scheduled cleanup of expired NextTokenLookupTableEntries
: 74 - ThreadID:31 -- at UTC time = 1552303455000 in milliseconds...
Notice these messages repeat for hours after the system has been ipled and the MFASTC task has been started. However, when the first user tries to logon using RSA validation they get the following:
hreadID:57 -- Entering processFirstAttempt()...
hreadID:57 -- Entering createRSAUserSession()...
hreadID:57 -- Creating User Session for userID = C20827
hreadID:57 -- Error with creating User Session on RSA Server: com.rsa.ace.techservice.udpserver.a: ServerExchange error:
java.net.BindException: EDC8116I Address not available. (Bind failed)
A restart of the AAM STC appears to correct any error that was generated.
Curious what the following messages represent.
Are they just an indication MFASTC is polling for work, or is it an indication that MFASTC is communicating with the RSA Server.
These are the message sequence observed:
- ThreadID:31 -- Entering getInstance() for NewPINLookupTable...
- ThreadID:31 -- Leaving getInstance() for NewPINLookupTable...
- ThreadID:31 -- Entering cleanExpiredEntries() for NewPINLookupTable...
- ThreadID:31 -- cleanExpiredEntries() finished... 0 entries removed...
: 81 - ThreadID:31 -- Scheduled cleanup of expired NewPINLookupTableEntries complete...
: 73 - ThreadID:31 -- Performing scheduled cleanup of expired NextTokenLookupTableEntries
: 74 - ThreadID:31 -- at UTC time = 1552303455000 in milliseconds...
Notice these messages repeat for hours after the system has been ipled and the MFASTC task has been started. However, when the first user tries to logon using RSA validation they get the following:
hreadID:57 -- Entering processFirstAttempt()...
hreadID:57 -- Entering createRSAUserSession()...
hreadID:57 -- Creating User Session for userID = C20827
hreadID:57 -- Error with creating User Session on RSA Server: com.rsa.ace.techservice.udpserver.a: ServerExchange error:
java.net.BindException: EDC8116I Address not available. (Bind failed)
A restart of the AAM STC appears to correct any error that was generated.
Environment
CA ACF2 16.0
z/OS 2.2
CA AAM
z/OS 2.2
CA AAM
Resolution
The 'new' pin messages are just informational. AAM is checking a table that is internally maintain, that's related to new pin processing.
One can set the trace level lower in the logback.xml file if one needs to limit these messages.
e.g. <root level="INFO">
Note: AAM only connects to the RSA server during a logon. The MFASTC does not maintain a persistent connection to the RSA server.
One can set the trace level lower in the logback.xml file if one needs to limit these messages.
e.g. <root level="INFO">
Note: AAM only connects to the RSA server during a logon. The MFASTC does not maintain a persistent connection to the RSA server.
Feedback
Powered by
