
CA Advanced Authentication Mainframe server timeout


Article ID: 202897


Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, LDAP SERVER FOR Z/OS, PAM CLIENT FOR LINUX ON MAINFRAME, WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

User logs on using an RSA token. If the 1st server is not reachable, we're seeing a 5 sec time-out followed by 4 retries, so 20 secs in all before it moves on to the next server in the list.
If the next server is also not reachable, we are only seeing a 1 sec timeout with no retries before it moves on to the next server.


Does this have anything to do with the MAINARGS DD, /usr/maastc    5?

We've also noticed this behaviour happens for every logon which implies it's not remembering the status of the servers.
We have SDSTATUS_LOC=/usr/maastc/JAStatus1.1. Is this not used to remember the RSA server status so it doesn't repeat the 20 sec delay mentioned above?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

The behavior you are seeing is consistent with the MAINARGS. MAINARGS specifies the path where rsa_api.properties is located and the number of consecutive signon failures that must occur before CA Advanced Authentication Mainframe checks if all RSA servers are down. The time between tries is defined in the sdconf.rec file created by the RSA administrators, under the maximum time between each retry, as per the settings in Agents > Generate Configuration File.

SDSTATUS_LOC is the location of the file that will be generated for authentication attempts. From what I can tell in the RSA documentation, they maintain a list of available servers and prefer to use the fastest responding ones. However, that would be a question for RSA to respond to.