search cancel

In-place Autosys upgrade R12.1 installer creates 1024 bit cert for eem and fails with CAUAJM_E_112121 error

book

Article ID: 258268

calendar_today

Updated On:

Products

CA Workload Automation AE

Issue/Introduction

In-place upgrade Autosys R12.1 installer creates 1024 bit cert for eem and fails with CAUAJM_E_112121 error, while all EEM certificates are already 2048 bit. 

Error:
[CAUAJM_E_112121] An error occurred while authenticating the CA EEM server
with the certificate-based authentication.
The CA EEM certificate is configured with a certificate of length 1024.
AutoSys requires a key length of 2048 or higher. Therefore, modify the CA EEM
server certificate and re-launch the AutoSys installer..

Env:

Upgrading to 12.1 on Linux

Validated the checksum of 12.1 linux  iso and confirmed that it was fine as per the documentation.

MD5: 4fa00a67a966189a5424355b4939cc13

Problem:

Thee EEM keysize is reported as 1024 by installler

2023-01-03 18:06:16,337 [main] DEBUG com.ca.wla.ae.installer.eem.EEMUtils(171) - EmbIAMProvider - About to authenticate With certificates
2023-01-03 18:06:16,386 [main] DEBUG com.ca.wla.ae.installer.eem.EEMUtils(173) - EmbIAMProvider - Authenticated With certificates
2023-01-03 18:06:16,387 [main] DEBUG com.ca.wla.ae.installer.eem.AeEEMUtils(98) - Retain for future use
2023-01-03 18:06:16,388 [main] DEBUG com.ca.wla.ae.installer.eem.EEMUtils(272) - checkEemVersion() - Begin
2023-01-03 18:06:16,389 [main] DEBUG com.ca.wla.ae.installer.eem.EEMUtils(274) - Check EEM Version
2023-01-03 18:06:16,390 [main] DEBUG com.ca.wla.ae.installer.eem.EEMUtils(217) - Is attached=false
2023-01-03 18:06:16,392 [main] DEBUG com.ca.wla.ae.installer.eem.EEMUtils(231) - Creating a new attach with applicationName=null
2023-01-03 18:06:16,392 [main] DEBUG com.ca.wla.ae.installer.eem.EEMUtils(232) - [email protected]
2023-01-03 18:06:16,405 [main] WARN  com.ca.wla.ae.installer.eem.EEMUtils(245) - Encountered AssertionError: org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: Attempt to use RSA key with non-approved size: 1024: RSA

autosys_secure shows the following servers as EEM

CAUAJM_I_60228 CA EEM server:  XXXXXX1111.ABC.COM,YYYYYYYYY22222.ABC.COM

CAUAJM_I_60342 Unauthenticated user mode: OFF

Followed the knowledge article   Upgrade the keysize of EEM certificates   and found that keysize on EEM was 2048.

The temp.key created by the installer inn /temp is shown as 1024.

 $ openssl x509 -in temp.key -text -noout | grep "Public-Key";                 Public-Key: (1024 bit)

Environment

Release : 12.1

Resolution

The random number generation was slow

Installed rngd on both the scheduler servers and EEM servers

In the EEM server, iAuthority.iTechSDK.xml in the iTechnology folder was owned by the root while all the other files were owned by autosys.

Since the igateway was running as autosys it could not access the  iAuthority.iTechSDK.xml and used the default values to create the certificate.

After Changing the ownership of $IGW_LOC/iAuthority.iTechSDK.xml to autosys:autosys and restarting the gateway the  temp.key was created with 2048 key length