When upgrading AutoSys Workload Automation (e.g., from version 12 to 12.1.01) in a High Availability (HA) environment, the upgrade process may complete with the following warning on both the Primary and Shadow servers:

[CAUAJM_W_119012] Unable to configure the CA EEM security for the "CMD" instance. Execute the "autosys_secure -regencert -host "<EEM_Hosts>" -p "*****" -secadmu EiamAdmin" command to configure the instance security.

After running the suggested autosys_secure -regencert command on the primary scheduler, it returns successfully:

AutoSys Security Utility
CAUAJM_I_60200 CA EEM certificate generated successfully.
CAUAJM_W_60190 The CA EEM server location remains unchanged.

Administrators may wonder if this same command needs to be executed on the Shadow server as well.

Yes, the autosys_secure -regencert command must be run on the Shadow server, as well as any Tie-Breaker server if one is configured.

In an AutoSys HA environment, each Scheduler and Application Server instance must possess its own valid CA EEM certificate to securely communicate and authenticate with the EEM servers. The autosys_secure -regencert command generates these certificate files and stores them locally on the file system of the machine where the command is executed.

Executing the command on the Shadow server ensures that if a failover occurs, or when users and client utilities connect to the Shadow's application server, the instance has the correct local certificates to successfully authenticate with EEM.

1. Log in to the Primary server and execute the exact command provided in the warning: autosys_secure -regencert -host "<EEM_Hostnames>" -p "<password>" -secadmu EiamAdmin
2. Verify the output indicates success (CAUAJM_I_60200).
3. Log in to the Shadow server (and Tie-Breaker, if applicable) and execute the exact same command.
4. Verify the output indicates success on the secondary servers.