- RSA Identity Governance & Lifecycle 7.2.1
- RSA Identity Governance & Lifecycle 7.5.0
- SecurID Governance & Lifecycle 7.5.2
RSA Remote Agent shows as status "Is Running=Yes" but all Collectors for this Agent are failing.
The Remote Agent's aveksaAgent.log file shows the following INFO level log messages with a warning:
05/20/2020 13:34:46.468 INFO (ApplyChangesRegularThread-3) [com.aveksa.client.datacollector.framework.DataCollectorManager] WARNING: Hostname is not matched for session.
The aveksaAgent.log file shows a variety of other ERROR level messages related to the failure of the collectors to load JAVA classes:
05/20/2020 13:34:46.733 ERROR (ApplyChangesRegularThread-3) [com.aveksa.server.agent.message.ExceptionMessage]
com.aveksa.common.ConfigException: Please ensure that all required classes are there in following urls:
[https://{acm host}:8444/aveksa/DBIdentityCollector/, https://{acm host}:8444/aveksa/DBIdentityCollector1/classes/]
Testing a collector fails with a NullPointerException. The aveksaAgent.log file shows an ERROR level log message related to the test:
05/20/2020 13:34:46.819 ERROR (ApplyChangesRegularThread-3) [com.aveksa.client.datacollector.framework.DataCollectorManager] FAILED method=Collect CollectionMetaInfo[{ID=1, run_id=381, collector_id=3, test-run=true, collector_name=IDC}]
com.aveksa.common.ConfigException: java.lang.NullPointerException
There are no errors in the aveksaServer.log file and normal INFO level log messages indicate the remote agent is running:
05/20/2020 13:34:24.320 INFO (default task-42) [com.aveksa.server.agent.core.AveksaAgent] Contact initiated from agent: OnPremise Integration Agent.Version: 2.0, Agent Runtime Data{dataTimestamp='1589981664320', hostname='{agent}', internalIp='10.10.10.10', externalIp='10.10.10.10', javaInstanceId='8692@{agent}', agentStartTime='1589981617657'}
The issue only occurs if the JAVA version on the SecurID Governance & Lifecycle application server has been upgraded to 1.8.0_191 or higher.
JAVA 1.8.0_191 introduced additional checks for TLS/SSL communication that requires verifying the hostname of the server against the DNS names configured in Subject Alternative Name (SAN) extension of the server certificate. Certificates generated on older versions of SecurID Governance & Lifecycle may not have the required attributes.
This issue is commonly seen when SecurID Governance & Lifecycle application server is hosted on AWS platform but may occur for any type of deployment where proxies obfuscate the hostname that is resolved for DNS checks.
Note that the Remote Agent, as a client, initiates an HTTPS connection to the SecurID Governance & Lifecycle application server over port 8444 (in a default configuration), as a server.
This issue is resolved in the following versions, where a custom setting DomainNames can be used to specify additional comma separated hostnames or aliases which are then added, as DNS Names, to the Subject Alternative Name (SAN) extension of a regenerated server certificate for SecurID Governance & Lifecycle application server (port 8444):
- RSA Identity Governance & Lifecycle 7.2.1 P03
- RSA Identity Governance & Lifecycle 7.5.0
- SecurID Governance & Lifecycle 7.5.2
Note that the DNS names added to the SAN extension of the SecurID Governance & Lifecyle's server certificate (for port 8444) must match exactly with the hostname that the Remote Agent uses to contact the server. The Remote Agent's configuration file <RemoteAgent-install-dir>/conf/config.properties lists the URL it uses to contact the server in a parameter server_url. You must ensure that the hostname in the server URL used by the Remote Agent must match with one of the DNS names in the SecurID Governance & Lifecycle application server certificate's SAN extension.
This is particularly important for SecurID Governance & Lifecycle deployments on AWS or other deployments with a proxy server where the hostname of SecurID Governance & Lifecycle's server instance is different for external clients (Remote Agent and Remote AFX) than it is for internal connections. It is also important for clustered deployments where the individual nodes have different hostnames than the front end load balancer.
In these instances, you must ensure that correct hostname(s) are added to the SAN certificate extension using the custom system parameter "DomainNames" as per instructions in the SecurID Governance & Lifecycle 7.5.2 Installation Guide, section "Using Domain Name for Certificate Validation".
Refer to the following article when generating new server certificate for SecurID Governance & Lifecycle: How to Update the Root (Server) and Client Certificates in RSA Identity Governance & Lifecycle
Related Articles
RSA SecurID Authentication Engine 2.6 for Java Developer's Guide Number of Views How to change the date format from MM/DD/YY to DD/MM/YY on RSA Identity Governance & Lifecycle 6.9.1 and 7.0.0 Number of Views Cancelling a change made in a review redirects to a null page or a request could not be handled error in RSA Identity Gove… Number of Views RSA SecurID Authentication Engine 2.8 for Java Developer Guide Number of Views RSA Governance & Lifecycle Recipes: Overview - Daily User Changes Number of Views
Trending Articles
Artifacts to gather in RSA Identity Governance & Lifecycle Oracle 12c TEMP_UNDO_ENABLED parameter for managing GTT UNDO activity in RSA Identity Governance & Lifecycle RSA announces the availability of the RSA SecurID Hardware Appliance 230 based on the Dell PowerEdge R240 Server RSA Authentication Manager 8.9 Release Notes (January 2026) RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide
