ACF2 Multi factor Authentication (CA AAM) failure

book

Article ID: 129446

calendar_today

Updated On:

Products

CA ACF2 CA ACF2 - DB2 Option CA ACF2 for zVM CA ACF2 - z/OS CA ACF2 - MISC

Issue/Introduction

Attempting to relate network error that may be impacting CA AAM functionality.

Curious what the following messages represent.
Are they just an indication MFASTC is polling for work, or is it an indication that MFASTC is communicating with the RSA Server.

These are the message sequence observed:

- ThreadID:31 -- Entering getInstance() for NewPINLookupTable...
- ThreadID:31 -- Leaving getInstance() for NewPINLookupTable...
- ThreadID:31 -- Entering cleanExpiredEntries() for NewPINLookupTable...
- ThreadID:31 -- cleanExpiredEntries() finished... 0 entries removed...
: 81 - ThreadID:31 -- Scheduled cleanup of expired NewPINLookupTableEntries complete...
: 73 - ThreadID:31 -- Performing scheduled cleanup of expired NextTokenLookupTableEntries
: 74 - ThreadID:31 -- at UTC time = 1552303455000 in milliseconds...

Notice these messages repeat for hours after the system has been ipled and the MFASTC task has been started. However, when the first user tries to logon using RSA validation they get the following:

hreadID:57 -- Entering processFirstAttempt()...
hreadID:57 -- Entering createRSAUserSession()...
hreadID:57 -- Creating User Session for userID = C20827
hreadID:57 -- Error with creating User Session on RSA Server: com.rsa.ace.techservice.udpserver.a: ServerExchange error:
java.net.BindException: EDC8116I Address not available. (Bind failed)

A restart of the AAM STC appears to correct any error that was generated.
 

Environment

CA ACF2 16.0
z/OS 2.2
CA AAM

Resolution

The 'new' pin messages are just informational. AAM is checking a table that is internally maintain, that's related to new pin processing.
One can set the trace level lower in the logback.xml file if one needs to limit these messages.
e.g.  <root level="INFO">
Note: AAM only connects to the RSA server during a logon. The MFASTC does not maintain a persistent connection to the RSA server.