On the secondary EEM servers, when eiam-clustersetup.jar -p <primary> is run, it errors out during the sync portion:
[Authenticate Error: Authentication Failed, Identity Attempted: EiamAdmin]
com.ca.eiam.SafeException: EE_SPONSORERROR iSponsor Error
at com.ca.eiam.SafeContext.authenticateWithPassword(SafeContext.java:1683)
at com.ca.eiam.clustersetup.FailoverUtility.fetchServerConfiguration(FailoverUtility.java:31)
at com.ca.eiam.clustersetup.FailoverConfigurator.startSecondaryFailoverConfiguration(FailoverConfigurator.java:921)
at com.ca.eiam.clustersetup.FailoverConfigurator.performAction(FailoverConfigurator.java:380)
at com.ca.eiam.clustersetup.FailoverConfigurator.commandPrompt(FailoverConfigurator.java:356)
at com.ca.eiam.clustersetup.FailoverConfigurator.main(FailoverConfigurator.java:106)
Release : 12.x
TLS 1.2 with strong ciphers was enforced in igateway.conf.
The Java call that uses the EEM SDK to run eiam-clustersetup was attempting to connect to iGateway with an older TLS version (1.0/1.1), and the connection was denied.
1) As a workaround, remove TLSv1_2 and -ALL:HIGH:MEDIUM:!RC4 from igateway.conf (the values in the two lines below are what we removed):
<secureProtocol>TLSv1_2</secureProtocol>
<cipherlist>-ALL:HIGH:MEDIUM:!RC4</cipherlist>
(https://knowledge.broadcom.com/external/article?articleId=74517)
2) Save the file and restart iGateway.
3) Run eiam-clustersetup again and make sure the HA setup now completes.
4) You can also run a basic EEM HA test (add a policy on one server and confirm it shows up on the second; delete it on the second and confirm it is deleted on the first).
5) Re-enable TLSv1_2 and the strong ciphers in igateway.conf (https://knowledge.broadcom.com/external/article?articleId=74517).
8) Restart iGateway and verify EEM is still working.
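To confirm the hardening was actually restored after the workaround, the following added example (not part of the original article or of the EEM product) audits the text of igateway.conf for the two settings shown above. It assumes the settings appear as plain elements exactly as printed in this article; the function name and sample fragments are constructed for illustration.

```python
import re
import sys

# Hardened values exactly as shown in this article.
EXPECTED = {
    "secureProtocol": "TLSv1_2",
    "cipherlist": "-ALL:HIGH:MEDIUM:!RC4",
}

def audit_igateway_conf(text):
    """Return a list of findings; an empty list means both settings are restored."""
    # Ignore commented-out elements: a setting left inside <!-- --> is not enforced.
    text = re.sub(r"<!--.*?-->", "", text, flags=re.S)
    findings = []
    for tag, want in EXPECTED.items():
        values = re.findall(r"<%s>(.*?)</%s>" % (tag, tag), text, flags=re.S)
        if not values:
            findings.append("%s: element missing" % tag)
        # Check every occurrence, in case the element appears more than once.
        for value in values:
            got = value.strip()
            if got != want:
                findings.append("%s: found %r, expected %r" % (tag, got, want))
    return findings

# Constructed sample fragments (not a real igateway.conf).
HARDENED = """
<secureProtocol>TLSv1_2</secureProtocol>
<cipherlist>-ALL:HIGH:MEDIUM:!RC4</cipherlist>
"""
WORKAROUND = """
<secureProtocol></secureProtocol>
<cipherlist></cipherlist>
"""

if __name__ == "__main__":
    # Usage: python audit_igateway.py <path to igateway.conf>
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            conf_text = fh.read()
    else:
        conf_text = WORKAROUND  # demo: the workaround state is flagged
    problems = audit_igateway_conf(conf_text)
    for problem in problems:
        print("NOT HARDENED -", problem)
    sys.exit(1 if problems else 0)
```

Run it on every EEM server where the workaround was applied; a non-zero exit code means the file still carries the relaxed settings.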