General Troubleshooting
This section provides troubleshooting information for Advanced Authentication in general:
Installation Logs and Debugging
Problem:
I face issues with the bootstrapping and the start of service despite successful Advanced Authentication Installation. Is my installation successful?
Solution:
To verify that the installation succeeded, check the installation summary in the installer log file available at ARCOT_HOME (for Risk Authentication, CA_Risk_Authentication_Install_DATE_TIME; for Strong Authentication, CA_Strong_Authentication_Install_DATE_TIME). For example:
Summary
-------
Installation: Successful.
<count> Successes
0 Warnings
0 NonFatalErrors
0 FatalErrors
This message confirms the successful installation.
For more debugging, check the following sections in the log file.
====================STDERR ENTRIES==================
====================STDOUT ENTRIES==================
If you do not face issues such as bootstrapping or start of services, ignore the exceptions in the STDOUT and STDERR entries in the installer log file.
Reports and Licensing for CA Strong Authentication
Problem:
How do I count the used licenses from CA Strong Authentication when we have 2 or more Organizations in CA Strong Authentication?
Solution:
CA Strong Authentication does not have a built-in licensing capability. To get the number of licenses, run queries against the database to find the required information.
When the user base is in the database (Oracle or SQL Server), run the following query:
select count(*) USERID from ARUDSUSER;
When the user base is in an external repository such as LDAP or AD, run the queries against the Credentials tables to get the total number of users enrolled for CA Strong Authentication. Run any of the following queries based on the credentials you use from the CA Strong Authentication solution.
Number of users who have been issued a QNA credential:
select count(*) USERID from ARUDSUSER where USERREFID in (SELECT USERREFID from ARWFQNA) and ORGNAME in (SELECT ORGNAME from ARWFQNA);
Number of users who have been issued a CA Auth ID credential:
select count(*) USERID from ARUDSUSER where USERREFID in (SELECT USERREFID from ARWFARCOTID) and ORGNAME in (SELECT ORGNAME from ARWFARCOTID);
Number of users who have been issued a CA Mobile OTP credential:
select count(*) USERID from ARUDSUSER where USERREFID in (SELECT USERREFID from ARWFARCOTOTP) and ORGNAME in (SELECT ORGNAME from ARWFARCOTOTP);
ArcotAccessKeyprovider is not available with the Advanced Authentication 9.0 Installers
Problem:
I do not see the ArcotAccessKeyprovider file with the Advanced Authentication 9.0 Installers.
Solution:
As part of Advanced Authentication 64-bit server support, the product does not provide a 32-bit version of ArcotAccessKeyprovider.
This change is applicable for both CA Strong Authentication and CA Risk Authentication components.
SWEET32 Vulnerability
Problem:
How do I fix the SWEET32 vulnerability?
Solution:
This vulnerability is caused by the weak 3DES cipher. You can fix this issue by disabling the weak 3DES ciphers in the application server for OpenSSL 1.0.2l.
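One way to confirm that 3DES is really disabled is to audit the cipher list configured on the application server. The following is an added example, not part of the product documentation: it scans a colon-, comma- or space-separated cipher list and prints every entry that still enables a 3DES suite. The helper names (find_3des, cipher_list_is_clean) and the sample lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag 3DES entries in a configured TLS cipher list.
# find_3des and cipher_list_is_clean are hypothetical helper names.

# Print, one per line, each entry of the list in $1 that enables a 3DES suite.
# Matches OpenSSL names (DES-CBC3-SHA), IANA/JSSE names (..._3DES_EDE_CBC_SHA)
# and the bare OpenSSL alias 3DES. Entries starting with '!' or '-' remove
# suites in OpenSSL syntax, so they are not reported.
find_3des() {
    printf '%s\n' "$1" | tr ':, ' '\n\n\n' | while IFS= read -r entry; do
        case "$entry" in
            ''|'!'*|-*) ;;                                  # empty or exclusion
            *3DES*|*DES-CBC3*) printf '%s\n' "$entry" ;;    # still enables 3DES
        esac
    done
}

# Return 0 when the list names no 3DES suite, 1 otherwise.
cipher_list_is_clean() {
    [ -z "$(find_3des "$1")" ]
}

# Constructed sample values, as they might appear in a connector or
# OpenSSL-style cipher setting.
WEAK_LIST='ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA'
JSSE_LIST='TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA'
FIXED_LIST='ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:!3DES:!DES'

for list in "$WEAK_LIST" "$JSSE_LIST" "$FIXED_LIST"; do
    if cipher_list_is_clean "$list"; then
        echo "OK:   $list"
    else
        echo "3DES: $(find_3des "$list" | tr '\n' ' ')"
    fi
done
```

A list built from group aliases such as ALL cannot be judged by name alone; expand it with `openssl ciphers -v` on the server's own OpenSSL build and check the Enc= column for 3DES.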
500 internal server error
Problem:
I get the following error while performing Import operations in Admin Console: "500 internal server error"
Solution:
This error occurs due to application server session timeout. Perform the following steps for resolution.
- Navigate to the web.xml file in the arcotadmin folder. For example:
  (For Tomcat) ~\apache-tomcat-8.0.30\webapps\arcotadmin\WEB-INF\web.xml
  (For WebLogic) C:\Oracle\Middleware\Oracle_Home\user_projects\....\rcotadmin\...\war\WEB-INF
- Look for the session information in the web.xml file.
  <session-config>
    <session-timeout>5</session-timeout>
  </session-config>
- Extend the session timeout as required based on the import operation time.
Network Operation Timed Out When Restarting the Service
Problem:
CA Strong Authentication startup fails with 'Network Operation Timed Out' when restarting the service after installation.
Solution:
This behavior occurs when the DB login times out. Change the login timeout (ODBC Connectivity Screen) to a value based on the network latency between the database and the server.
Database Connection Error After Restart
Problem:
When I restart the system which has Risk or Strong Servers and the database on the same system, I get the following error:
Connection to database [<dsnname>]. user [<dbuser>] failed
Solution:
Ensure the database services are up before you start Advanced Authentication services. If the DB services are not up, perform the following steps:
- Start the database services manually.
- Start the Advanced Authentication services.
ODBC Administrator Tool Displays the 32-bit DSNs in a 64-bit Version of Windows
Problem:
I see the 32-bit DSNs in a 64-bit version of Windows.
Solution:
This behavior is a known issue. The 64-bit version of the ODBC Administrator tool displays 64-bit system DSNs, 32-bit user DSNs, and 64-bit user DSNs. The user DSNs are stored under the following registry subkey:
HKEY_CURRENT_USER\Software\ODBC\ODBC.INI
Because registry redirection is not enabled for this registry subkey, the user DSNs are visible in both the 32-bit and 64-bit versions of the ODBC Administrator tool. For more information about this issue, see Microsoft documentation.
When I upgrade my 8.x server instances, I am not able to use the complete range of 2^31-1 Txn IDs
Symptom:
When I upgrade CA Strong Authentication server 8.x instances, I am not able to use the complete range of 2^31-1 Txn IDs.
Solution:
To use the complete range of 2^31-1 Txn IDs, perform the following steps manually.
- After upgrading the server from 8.x to latest version, start and then stop CA Strong Authentication server once.
- Navigate to the ARWFSEQUENCE table and verify that a new sequence ARWFINSTANCETXNIDSEQ is created. The INSTANCENAME value includes the machine instance where the server was upgraded.
- Remove the existing transaction log data from the following Audit Log tables and archive the data for the upgraded instance.
  - ARWFISSUANCEAUDITLOG
  - ARWFAUTHAUDITLOG
  - ARWFADMINAUDITLOG
  - ARWFSVRMGMTAUDITLOG
- Reset the ARWFINSTANCETXNIDSEQ sequence to the default values.
  UPDATE ARWFSEQUENCE SET STARTINGVALUE = 1, INCREMENTVALUE = 500, USEDVALUE = 1 WHERE SEQUENCENAME = 'ARWFINSTANCETXNIDSEQ' and INSTANCENAME='$INSTANCENAME'
  $INSTANCENAME corresponds to the machine instance where the server was upgraded.
- Start CA Strong Authentication server.
Refresh Cache Issue with Master Master Replication
Problem:
I configure two Strong Authentication servers; SA Server A pointing to DB Server A and SA Server B pointing to DB Server B. DB Server A and DB Server B are running under Master Master replication.
I create an LDAP org on Strong Authentication Server A and refresh cache using the admin console. When I access a user of the newly created LDAP org from SA Server B, I get the "Organization was not found" error.
Symptom
This behavior is due to a refresh cache issue with UDS on Strong Authentication Server B. Although LDAP org is replicated between DB Server A and DB Server B, the Refresh Cache operation refreshes only the cache for SA Server A UDS. This step does not refresh cache on SA Server B.
Solution
You can fix this issue by restarting the Application server hosting UDS for SA Server B.
How to avoid transaction Auditing Failure for Master Master Replication
Problem
When I have two DBs set up in Master Master replication where Primary DSN of a Strong Authentication server is configured as Backup DSN (failover DSN) of the other Strong Authentication server with the following configuration:
- Strong Authentication Server (S1) pointing to DB 1 (Primary DB) and DB 2 (Backup DB)
- Strong Authentication Server (S2) pointing to DB 2 (Primary DB) and DB 1 (Backup DB)
- DB 1 and DB 2 are under Master Master replication
Symptom
When DB 1 goes down and S1 contacts DB 2, the transaction auditing fails with one of the following errors:
Violation of PRIMARY KEY constraint 'PK_ARWFISSUNACEAUDIT'. Cannot insert duplicate key in object 'dbo.ARWFISSUANCEAUDITLOG'
Violation of PRIMARY KEY constraint 'PK_ARWFAUTHAUDIT'. Cannot insert duplicate key in object 'dbo.ARWFAUTHAUDITLOG'
Violation of PRIMARY KEY constraint 'PK_ARWFADMINAUDIT'. Cannot insert duplicate key in object 'dbo. ARWFADMINAUDITLOG'
Solution
Set the ARWFSEQUENCE table under Real-Time Synchronization. Ensure that the collision handling is set per third-party documentation.
UDS Exceptions
Problem:
When I configure UDS with DataSource at the application server, I get the following exceptions:
arcot.database.DatabaseManager : Max Connections
arcot.database.DatabaseManager : Min Connections
arcot.database.DatabaseManager : Increment Connections
General error - Configuration setup error
com.arcot.database.DatabaseException
Solution:
You get these exceptions only when you configure UDS with a data source. Do not configure UDS with a data source.
arcot.database.DatabaseManager : Max Connections
arcot.database.DatabaseManager : Min Connections
arcot.database.DatabaseManager : Increment Connections
General error - Configuration setup error
com.arcot.database.DatabaseException: JDBC driver jar is either not available or not in the your CLASSPATH variable
CA Mobile OTP Expiry Issue
Problem:
For Advanced Authentication 8.1.3 or above, CA Mobile OTP Application currently expires for Strong Authentication Mobile OTP Profiles which have one year expiry setting.
Solution:
To overcome this app expiry issue, rebuild your custom application with the following steps:
- Initialize the SDK object and call getAllAccounts() on the SDK object. The call returns an array list of account objects.
- Get each individual account from the array list and update or extend the expiry by a year or the required value in the following manner:
- Code snippet for Android
  // Requires: import java.util.Calendar;
  // lib is the initialized SDK object.
  public void updateAccountExpiry() {
      try {
          Account[] accounts = lib.getAllAccounts();
          int noOfAccounts = accounts.length;
          int numOfYears = 10; // Number of years to extend the account expiry from the current date
          Calendar now = Calendar.getInstance();
          for (int i = 0; i < noOfAccounts; i++) {
              Account tempAcc = accounts[i];
              // Only accounts that have already expired are extended.
              if (tempAcc.expiryTime <= now.getTimeInMillis()) {
                  Calendar timeToSet = Calendar.getInstance();
                  timeToSet.add(Calendar.YEAR, numOfYears);
                  tempAcc.expiryTime = timeToSet.getTimeInMillis();
                  lib.saveAccount(tempAcc);
              }
          }
      } catch (OTPException e) {
          e.printStackTrace();
      }
  }
- Code snippet for Objective-C (iOS)
  - (void)updateAccountExpiry {
      OTP *otp = [[OTP alloc] init];
      NSMutableArray *accounts = [otp getAllAccounts];
      NSUInteger count = accounts.count;
      int NumOfYears = 2; // Number of years to extend the account expiry from the current date.
      for (NSUInteger i = 0; i < count; i++) {
          Account *acc = [accounts objectAtIndex:i];
          // Only accounts whose expiry is not in the future are extended.
          if (!([acc.objExpiryTime compare:[NSDate date]] == NSOrderedDescending)) {
              NSDate *now = [NSDate date];
              // Extend the expiry by NumOfYears years, counting 365 days per year
              // (the original multiplied NumOfYears by 3650 days, which gives ten times the stated years).
              acc.objExpiryTime = [now dateByAddingTimeInterval:(NumOfYears * 365.0 * 24 * 60 * 60)];
              // expiryTime is stored in milliseconds.
              acc.expiryTime = [acc.objExpiryTime timeIntervalSince1970] * 1000;
              [otp saveAccount:acc];
          }
      }
  }
- Save the changes and update your custom application in Play store or App store.
Installation error
I am unable to install CA Strong Authentication Application on RHEL 7.5 machine
Problem:
I get the following error while installing the Strong Authentication on RHEL 7.5 machine:
Installer User Interface Mode Not Supported
Unable to load and to prepare the installer in console or silent mode.
Solution:
This error is due to the DISPLAY environment variable. Unset the DISPLAY environment variable before launching the setup. For example:
# unset DISPLAY
# ./setup.bin
After DISPLAY is unset, the installation runs successfully.
Multiple Instances Get Same Transaction ID Resulting in Unique Key Violation
Problem:
My transaction failed with the following unique key violation error:
ODBC code: [AA][ODBC Oracle Wire Protocol driver][Oracle]ORA-00001: unique constraint (SAEMGR.PK_ARWFVERIFIEDCHALLENGES) violated
Solution:
This Duplicate Transaction IDs error occurs when multiple Strong Authentication instances are pointing to a single database. You can fix this primary key conflict by making the value unique.
- Append the Instance ID with the Txn ID value as InstanceId:TxnId as the credentialID to make the value unique.
Note that the InstanceId value is taken from the InstanceId value present in ARCOT_HOME/conf/arcotcommon.ini file. Contact Support for more information and resolution.
General Limitations
- When using Oracle or MSSQL database, if the network cable for the primary database is unplugged, the database failover takes more than 15 minutes.
- Do not install multiple instances of CA Strong Authentication or CA Risk Authentication on the same system in different folders. If you try to install multiple instances, the installation is unsuccessful.