Cisco SCE 1000 Series Service Control Engine

Field Notice: FN - 62652 - SCAS BB - PRPC Authentication Between SCA BB Console and SM/CM/SCE Does Not Work in Environments That Have an Entity/Device That Might Change IP Addresses Which is Located Between The Console and SM/CM/SCE


January 23, 2007

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

| Products Affected | Comments |
|---|---|
| SCE SCAS BB - 3.0.5 | Service Control Application System |

Problem Description

SCA BB Console authentication fails when connecting to the SCE/SM/CM if an entity/device located between the console and the SM/CM/SCE changes IP addresses, for example a NAT device. The problem occurs when the Proprietary Remote Procedure Call (PRPC) security level on the SM/SCE/CM is configured to semi or full.

Background

The PRPC Authentication feature was introduced in 3.0.5. Starting from 3.0.5, the SCA BB Console is required to provide a username and password when connecting to the SCE/SM/CM via the PRPC protocol. The SCE/SM/CM verifies those details and declines the connection if authentication fails.

Note:

The Service Configuration API uses the PRPC protocol as a transport for the connection to the SCE. The PRPC is a proprietary RPC protocol designed by Cisco.

Problem Symptoms

Problems connecting from SCA BB console to the SCE/SM/CM:

  1. A maximum number of connections reached error appears in the SCA BB Console. See defect CSCsh39794 (registered customers only)

  2. The following error appears in the SCA BB Console when applying/retrieving configuration:

    Failed to extract info: socket closed
    
  3. Error messages in the SM/CM/SCE log file:

    [RPC Server] ERROR com.pcube.management.common.auth.SecurityUtils - Exception occured when trying to decrypt a buffer: pad block corrupted 
    [RPC Server] ERROR com.pcube.management.framework.rpc.Server - Error occured when trying to establish a connection: 
    java.lang.NullPointerException
    

Workaround/Solution

Solution:

The fix for this issue will be available in the next SCA BB maintenance release.

Workaround:

  1. Set the security_level of the PRPC on the SM/SCE/CM to none. In this case the SCA BB Console will be allowed to connect without any authentication. Note that this functionality is different from pre-3.0.5 releases where SCA BB Console performed user authentication by itself.

    1. In order to set the security level to none on the SM:

      1. Edit ~pcube/sm/server/root/config/p3sm.cfg configuration file as follows:

        [RPC.Server] 
        security_level = none
        
      2. Use p3sm --load-config --ignore-warnings CLU in order to apply the new configuration

    2. In order to set the security level to none on the CM:

      1. Edit ~/cm/um/config/p3cm.cfg configuration file as follows:

        [RPC.Server] 
        security_level = none
        
      2. Use ~scmscm/cm/bin/cm restart CLU in order to restart the CM

    3. In order to set the security level to none on the SCE, use the following CLI:

      SCE2000(config)#>ip rpc-adapter security-level none
      
  2. Alternatively, remove any entity that is located between the SCA BB console and SCE/SM/CM that might change IP addresses.
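
Because workaround 1 leaves PRPC unauthenticated until the maintenance release is installed, it helps to record which SM/CM hosts still carry `security_level = none`. The Python script below is an added example, not Cisco code: it assumes `#` starts a comment and that the last assignment in a section wins, and the host labels, the `Other.Section` name and the sample config text are constructed.

```python
# Added example: audit the PRPC security_level in p3sm.cfg / p3cm.cfg style text.
# Assumptions: '#' starts a comment; the last assignment in [RPC.Server] wins.

def prpc_security_level(cfg_text):
    """Return the security_level under [RPC.Server], lower-cased, or None if unset."""
    section, level = None, None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()         # entering a new section
        elif section == "RPC.Server" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "security_level":
                level = value.lower()
    return level

def classify(level):
    """Map a security_level value to a finding for the audit report."""
    if level == "none":
        return "OPEN"      # console connects without authentication (workaround active)
    if level in ("semi", "full"):
        return "AUTH"      # authenticated; fails across NAT as this notice describes
    if level is None:
        return "UNSET"     # key absent from [RPC.Server] in this file
    return "UNKNOWN"       # value the field notice does not list

def audit(configs):
    """configs maps a host label to config text; returns (label, level, finding) rows."""
    rows = []
    for label, text in configs.items():
        level = prpc_security_level(text)
        rows.append((label, level, classify(level)))
    return rows

# Constructed sample input (not taken from a real system).
SAMPLES = {
    "sm-lab-1": "[RPC.Server] \nsecurity_level = none\n",
    "cm-lab-1": "[RPC.Server]\n# security_level = none\nsecurity_level = full\n",
    "sm-lab-2": "[Other.Section]\nsecurity_level = none\n",
}

if __name__ == "__main__":
    for label, level, finding in audit(SAMPLES):
        print(f"{label:10} security_level={level!s:5} {finding}")
```

Hosts reported as OPEN are the ones to set back to semi or full once the fixed release is installed.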

In order to resolve the max connections problem:

  1. For the SM use p3sm --restart --wait CLU in order to restart the SM

  2. For the CM use ~scmscm/cm/bin/cm restart CLU in order to restart the CM

  3. For the SCE use the following CLI in order to restart the PRPC Server:

    SCE2000(config)#>no ip rpc-adapter 
    SCE2000(config)#>ip rpc-adapter
    

In case the above action fails to resolve the problem, use the following CLI:

    SCE2000(config)#>no service management-agent 
    SCE2000(config)#>service management-agent

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

| DDTS | Description |
|---|---|
| CSCsh39763 (registered customers only) | PRPC authentication between SCA BB console and SM/CM/SCE does not work in environments that have an entity/device that might change IP addresses, such as NAT, which is located between the console and SM/CM/SCE. |

Revision History

| Revision | Date | Comment |
|---|---|---|
| 1.0 | 23-Jan-2007 | Initial Public Release |

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.