Remote AFX Server does not start, there is a SocketException in esb.AFX_INIT.log, and OpenSSL cannot complete an SSL Handshake in RSA Identity Governance & Lifecycle
Originally Published: 2020-08-14
Article Number
Applies To
RSA Version/Condition: 7.0.x, 7.1.x, 7.2.0
Issue
SYMPTOMS:
- The following message is logged to the $AFX_HOME/esb.AFX_INIT.log file.
2020-08-05 15:56:34.877 [ERROR] com.aveksa.afx.server.init.SubmitInitializationRequestComponent:156 -
Error submitting initialization request to RSA Identity Governance and Lifecycle server!
2020-08-05 15:56:34.878 [ERROR] com.aveksa.afx.server.init.ServerInitializationComponent:79 -
Server initialization failed!
Please correct the issue and restart AFX. org.mule.api.transport.DispatchException:
Failed to route event via endpoint:
DefaultOutboundEndpoint{endpointUri=https://server.domain.com:8444/aveksa/afx/initialization ...
Caused by: java.net.SocketException: Connection reset
- The following message is logged to the $AFX_HOME/esb.AFX-MAIN.log file:
2020-08-05 15:56:35.812 [ERROR] org.mule.module.launcher.application.DefaultMuleApplication:361 - null
java.lang.IllegalArgumentException: Could not resolve placeholder 'afx.server.activemq.password'
in string value "${afx.server.activemq.password}"
- Ping and telnet show that RSA Identity Governance & Lifecycle is reachable from the remote AFX Server and is listening on port 8444.
- If openssl is used to test the SSL bind on port 8444, the connection appears to succeed but no handshake is completed.
>openssl s_client -connect acm-702.vcloud.local:8444 CONNECTED(00000003) write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 289 bytes
Cause
This connection failure is similar to other SSL connection issues between AFX and RSA Identity Governance & Lifecycle except there are no additional details about the reasons for the SSL failure. The certificates may be correct but the SSL connection is being abandoned before the SSL handshake can be completed. The only failure is the SocketException.
A packet capture on the remote AFX Server will show that the SSL Client Hello is being sent to RSA Identity Governance & Lifecycle but the TCP transmission is being terminated by an RST packet inserted into the network stream.
1 2020-08-07 10:20:11.892861 10.10.10.1 56036 10.10.10.10 8444 TCP 76 56036 → 8444 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1845193795 TSecr=0 WS=512
2 2020-08-07 10:20:11.893467 10.10.10.10 8444 10.10.10.1 56036 TCP 68 8444 → 56036 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=512
3 2020-08-07 10:20:11.893484 10.10.10.1 56036 10.10.10.10 8444 TCP 56 56036 → 8444 [ACK] Seq=1 Ack=1 Win=29696 Len=0
4 2020-08-07 10:20:11.897759 10.10.10.1 56036 10.10.10.10 8444 TLSv1 303 Client Hello
5 2020-08-07 10:20:11.898108 10.10.10.10 8444 10.10.10.1 56036 TCP 62 8444 → 56036 [RST, ACK] Seq=1 Ack=248 Win=29696 Len=0
A packet capture on the RSA Identity Governance & Lifecycle server will show that the SSL Client Hello message did not reach the AFX Server and that the TCP transmission was terminated by an RST packet that was inserted into the network stream.
100 2020-08-07 11:04:54.437776 10.10.10.1 56870 10.10.10.10 8444 TCP 76 56870 → 8444 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=512
102 2020-08-07 11:04:54.438132 10.10.10.1 56870 10.10.10.10 8444 TCP 62 56870 → 8444 [ACK] Seq=1 Ack=1 Win=29696 Len=0
103 2020-08-07 11:04:54.442732 10.10.10.1 56870 10.10.10.10 8444 TCP 62 56870 → 8444 [RST, ACK] Seq=1 Ack=1 Win=29696 Len=0
Resolution
Related Articles
Failing to access Identity Router IDR Web resource after IDR v2.17 update Number of Views Monitor Uptime Status for Cloud Access Service Number of Views RSA Authentication Manager CVE-2016-0800 "DROWN" Vulnerability - False Positive Number of Views MFA stopped working after TLS 1.2 Cloud enforcement in SecurId Access Number of Views Authentication Manager 8.8 update breaks TLS connections; TLS Handshake error no cipher suites in common Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.9 Release Notes (January 2026) An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide
Don't see what you're looking for?
