"HTTP response error! Response code=401" when starting RSA Identity Governance and Lifecycle Access Fulfillment Express (AFX) Server
Originally Published: 2017-02-02
Article Number
Applies To
RSA Version/Condition: 7.0.1, 7.0.0, 6.9.1
Application Server: Websphere
Issue
$ service afx_server start
[... output trimmed ...]
Waiting for AFX applications to start...
Waiting for AFX applications to start...
WARNING!! Timed out waiting for AFX applications to start. Please check AFX application log files for detailed status information.
done
$
The AFX log files located in $AFX_HOME/esb/logs contain the following errors:
- In the mule_ee.log:
ERROR 2017-02-02 13:30:16,084 [WrapperListener_start_runner] org.mule.module.launcher.DefaultArchiveDeployer:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Failed to deploy artifact '10_AFX-INIT', see below +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
org.mule.module.launcher.DeploymentInitException: Exception: HTTP response error! Response code=401 ; Reason:
RSA Identity Governance and Lifecycle server was unable to authorize initialization request. This usually indicates that the AFX SSL certificate and/or ID currently configured for this installation do not match with records in the RSA Identity Governance and Lifecycle database. You may encounter this problem in the following scenarios:
*****
1.) The AFX SSL certificate was regenerated using the RSA Identity Governance and Lifecycle application but the AFX installation was not updated with keystore containing the new certificate. In this case, please update the AFX installation with latest keystore available for download from RSA Identity Governance and Lifecycle application.
*****
2.) RSA Identity Governance and Lifecycle certificate store has been changed but neither the RSA Identity Governance and Lifecycle server nor AFX installations have been updated with respective keystore containing new certificate and CA entries. In this case, please update both the RSA Identity Governance and Lifecycle server and AFX installations with latest respective keystore available for download in the RSA Identity Governance and Lifecycle application.
*****
3.) RSA Identity Governance and Lifecycle database was refreshed / restored using a backup that was generated on another environment (e.g., backup of Production system database was restored on the QA system database). In this case, additional steps are required to get the SSL certificate configuration in the database in sync with what's deployed on the RSA Identity Governance and Lifecycle & AFX server machine(s). Please change the RSA Identity Governance and Lifecycle certificate store and then update both the RSA Identity Governance and Lifecycle server and AFX installations with latest respective keystore available for download in the RSA Identity Governance and Lifecycle application.
*****
at org.mule.module.launcher.application.DefaultMuleApplication.init(DefaultMuleApplication.java:196)
at org.mule.module.launcher.artifact.ArtifactWrapper$2.execute(ArtifactWrapper.java:62)
at org.mule.module.launcher.artifact.ArtifactWrapper.executeWithinArtifactClassLoader(ArtifactWrapper.java:129)Cause
Resolution
- Login to the WebSphere Admin Console.
- Click Security > SSL certificate and key management > SSL configurations.
- Select the associated Aveksa SSL configuration.
- Under Additional Properties, select Quality of protection (QoP) settings.
- Under Client authentication, select Required.
- Click OK to save the changes.
- Restart the WebSphere.
- Restart AFX.
