AA (Advanced Authentication) login flow fails with the error below in the arcotafm.log file.
"Fetching OTP for user (user,org)=SDK Internal error"
The AA database was found to be restarting at the time AFM requested a fetch operation for the OTP credential from that same AA database.
Please note that once the AA database restart has completed and AFM is then restarted, this error is no longer printed in the arcotafm.log.
Below is a log excerpt of the transaction for which this error occurred.
2022-03-03 11:00:35,151 [WebContainer : 0] INFO tasks.lifecycle.CreateOTPTask(23) [] -> Instantiated CreateOTPTask with enableReissueOTP : true
2022-03-03 11:00:35,151 [WebContainer : 0] INFO integrations.frontend.LifeCycleStateData(729) [] -> Flow type:secAuth |20220303020031.766.1e3d3bb9
2022-03-03 11:00:35,152 [WebContainer : 0] INFO api.impl.TxnMarker(31) [] -> Txn-Begin : OP=fetch | CTxID=_AQ9U_8_227
2022-03-03 11:00:35,154 [WebContainer : 0] INFO api.impl.TxnMarker(45) [] -> Txn-End : OP=fetch | CTxID=_AQ9U_8_227 | STxID=SDKEXCEPTION | RC=2 | REC=0 | TOT=2 | SRT=2 | TGC=3 | TRC=0 | TWR=0 | TRD=4 | TCR=2 | RTC=0 | NCA=0 | NCB=1
2022-03-03 11:00:35,155 [WebContainer : 0] ERROR integrations.frontend.LifeCycleStateData(721) [] -> Fetching OTP for user (<user>,<org>)=SDK Internal error. |20220303020031.766.1e3d3bb9
Release : 9.1.x
Component : CA Strong Authentication/CA Risk Authentication
The AA database was not fully up when AFM submitted a fetch operation for the OTP credential against the AA database. Essentially, the connection to the CA Risk Authentication server and the CA Strong Authentication server fails because the underlying database is not up or is still restarting.
The SDK Internal error occurs when the ArcotAFM application cannot connect to either the CA Risk Authentication server or the CA Strong Authentication server. Please note that the ArcotAFM application is nothing but an SDK implementation of the CA Risk Authentication server and the CA Strong Authentication server, and these two servers need to be up and running before AFM is started so that AFM can send requests to them.
The ArcotAFM application reaches out to the CA Strong Authentication and CA Risk Authentication servers for any Credential Validation Operation (such as an OTP credential) or Risk Evaluation Operation, and if either of these two servers is not responding to ArcotAFM, the SDK Internal error is reported in the arcotafm.log.
In this case, it was observed that the database was restarting, so this error was reported. Additionally, ArcotAFM does not talk to the database directly; it interacts only with the CA Risk Authentication server and the CA Strong Authentication server. Those two servers talk directly to the AA database to complete the Credential Validation or Risk Evaluation requests.
If the issue still persists, please follow the KB article below to stop and start the services, which will address the issue.
https://knowledge.broadcom.com/external/article?articleId=212917
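To catch this condition in monitoring, the following added example (not Broadcom's code) scans arcotafm.log text for the signature in the excerpt above: a Txn-End marker with STxID=SDKEXCEPTION followed by the "SDK Internal error" ERROR line. Pairing the two lines by thread name within a one-second window is an assumption, and only the OP, CTxID and STxID fields are read; the last sample line is constructed.

```python
import re
from datetime import datetime, timedelta

# First three lines are from the excerpt above; the fourth is a constructed
# transaction without SDKEXCEPTION (its CTxID/STxID values are made up).
SAMPLE = """\
2022-03-03 11:00:35,152 [WebContainer : 0] INFO api.impl.TxnMarker(31) [] -> Txn-Begin : OP=fetch | CTxID=_AQ9U_8_227
2022-03-03 11:00:35,154 [WebContainer : 0] INFO api.impl.TxnMarker(45) [] -> Txn-End : OP=fetch | CTxID=_AQ9U_8_227 | STxID=SDKEXCEPTION | RC=2 | REC=0 | TOT=2 | SRT=2 | TGC=3 | TRC=0 | TWR=0 | TRD=4 | TCR=2 | RTC=0 | NCA=0 | NCB=1
2022-03-03 11:00:35,155 [WebContainer : 0] ERROR integrations.frontend.LifeCycleStateData(721) [] -> Fetching OTP for user (<user>,<org>)=SDK Internal error. |20220303020031.766.1e3d3bb9
2022-03-03 11:02:10,010 [WebContainer : 1] INFO api.impl.TxnMarker(45) [] -> Txn-End : OP=fetch | CTxID=_CONSTRUCTED_1 | STxID=CONSTRUCTED-OK | RC=0
"""

LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[([^\]]+)\] (\w+) "
    r"\S+ \[[^\]]*\] -> (.*)$")

def parse(text):
    """Yield (timestamp, thread, level, message) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts, thread, level, msg = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f"), thread, level, msg

def find_sdk_failures(text, window=timedelta(seconds=1)):
    """Return one finding per 'SDK Internal error' line, enriched with the
    failed Txn-End (STxID=SDKEXCEPTION) seen on the same thread within
    `window`. The thread/time pairing rule is an assumption of this example."""
    pending, findings = {}, []  # pending: thread -> (time, Txn-End fields)
    for ts, thread, level, msg in parse(text):
        if msg.startswith("Txn-End :"):
            fields = dict(p.strip().partition("=")[::2]
                          for p in msg[len("Txn-End :"):].split("|"))
            if fields.get("STxID") == "SDKEXCEPTION":
                pending[thread] = (ts, fields)
            else:
                pending.pop(thread, None)  # a later non-failing txn clears state
        elif level == "ERROR" and "SDK Internal error" in msg:
            prev = pending.pop(thread, None)
            hit = prev[1] if prev and ts - prev[0] <= window else {}
            findings.append({
                "time": ts.isoformat(sep=" ", timespec="milliseconds"),
                "thread": thread, "op": hit.get("OP"), "ctxid": hit.get("CTxID"),
                "trailing_id": msg.rpartition("|")[2].strip()})
    return findings

if __name__ == "__main__":
    for finding in find_sdk_failures(SAMPLE):
        print(finding)
```

A finding whose `ctxid` is empty means the ERROR line appeared without a matching failed Txn-End on that thread, which is worth reviewing by hand.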