RCM CRL not being generated automatically per crl timer configuration

2 years ago

Originally Published: 2011-02-01

Article Number

000043768

Applies To

RSA Certificate Manager 6.8
RSA Certificate Manager 6.8 HA
Microsoft Windows Server 2003 SP2
ADAM High Availability
Certificate Revocation List (CRL)

Issue

RCM CRL not being generated automatically per crl timer configuration

From the trace.log, observed the following error in various places:

2011/01/03 13:32:20 ldap 1556 2884 D:\RCM\CERTMGR-3837\strong-sentry\ldap\ldap-3.3-hodges\servers\slapd\crltimer.c:4016 Automatic complete CRL generation Failed.

If RCM is configured with an external LDAP (i.e., only one instance of RCM), crl timers are disabled by default. To use crl timers, please follow the steps in "Using Revocation List Timers with HighAvailability" section on page 212 of RSACertificateManagerAdministratorsGuide.

In "High Availability Configuration - Revocation List Generators" configuration, we can configure values for primary instance and Health check period even if secondary is not configured for HA.

Cause

Problem in configuring HostName (FQDN) and Secure Directory server secure port in Revocation List Timers - High Availability. Configured Details are Primary HostName:rcm1.acme.com Port:636.

Resolution

For RCM CRL H/A configuration, in most scenarios using FQDN for the primary host works fine. However, depending on the host machine's network configuration, RCM might detect the hostname to be a FQDN or a short hostname.

In this situation, using short hostname (i.e., rcm1), instead of the FQDN, as the primary HostName resolved the issue.

Notes

Refer to article Revocation List Timers - High Availability not working for a tool that can help find out the hostname string that RCM would come up with during startup.

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles