When trying to run a DR test by bringing down the primary EEM server, we are unable to switch to the secondary EEM server via autosys_secure in order to regenerate certificates. 

CA WAAE Security Utility 

CAUAJM_E_60204 The instance is running under CA EEM security control but CA EEM is not available. 

Do you wish to regenerate the CA EEM certificate and attempt to reconnect? [1(yes)/0(no)]: 1 

CAUAJM_I_60150 Attempting to regenerate the CA EEM certificate and reconnect to the CA EEM server. 

Input the CA EEM server name(s) (or hit enter to cancel): new_eem_server

CAUAJM_E_60152 You must specify the CA EEM server names previously used to enable external security. 

CAUAJM_E_60199 Unable to generate the CA EEM certificate. See previous error messages for details. 

CAUAJM_E_60203 Program aborting due to an invalid security environment.

Workload Automation AE 

When you have EEM in a failover/multiwrite cluster but only specify one EEM server in autosys_secure, certificates are generated for only that server. If there is an EEM failover, Autosys will not permit you to update the EEM server definition because the primary EEM server will not relinquish control over this function.

1. Start up the primary EEM server so you can regenerate certificates under autosys_secure 

2. When you regenerate the certificates, specify both EEM servers configured in your failover/multiwrite cluster 

Next time you shutdown the primary EEM server for DR testing, you will have full access to autosys_secure.