Validation Internal Error: Artifact User Session Authentication failed

Document ID : KB000110992
Last Modified Date : 14/08/2018
Show Technical Document Details
Issue:

The following error appears while searching for a job in CA Workload Control Center > Quick View or Quick Edit tabs.

CAUAJM_E_00067 Validation Internal Error: Artifact "UserSession;Version-1.0;cc9a988ee5cf78fd5c35c70185c16255-5b49eaf2-9562030-f7d" failed authentication.
E139012 Autosys error response: CAUAJM_E_00067 Validation Internal Error: Artifact "UserSession;Version-1.0;cc9a988ee5cf78fd5c35c70185c16255-5b49eaf2-9562030-f7d" failed authentication.
E131003 Error loading the job:E180010 Could not establish a connection to CA Workload Automation AE; invalid server context.

Executing the AE Command Lines through command prompt returns an error as well:

C:\Program Files (x86)\CA\Workload Automation AE>autorep -J TEST_PROD_JOB -q 
Security server unreachab/*CAUAJM_E_10436 le or invalid authentication certificate file. 
CAUAJM_E_10434 Error initiating security session. 
[EE_BADOBJECT Bad Object] 
[ISP_ERROR_NOGATEWAY igateway not running] 
[Authenticate Error: Authentication Failed] 
[Identity Attempted: ] 
[CertificateReader::loadPEM - cannot read certificate] 
CAUAJM_W_10417 Job Read Access Denied! 
CAUAJM_E_10434 Error initiating security session. 
CAUAJM_W_10440 Class: as-job Resource: PRD.TEST_PROD_JOB User: CA\aeuser Access: read 
CAUAJM_W_10442 Time: 1532598043 Delegator: None 
Cause:
EEM Server's igateway service is not running.
Resolution:
Ensure the designated EEM server for AE security is up and running. Validate the following: 
  • EEM Services: igateway and itechpoz are running. In most scenarios, the igateway service would be down. Ensure to start it.
  • EEM Web-UI portal URL login using EiamAdmin user account
  • EEM Server network communication for port 5250 from WAAE and WCC servers
Additional Information:
Other scenarios for the problem includes EEM setup in MultiWrite.
The WCC registered to work with all the nodes of the EEM setup whereas, the WAAE is pointed only to primary EEM server.
If the primary EEM server goes down or not reachable, the WCC automatically communicates with secondary EEM server.
However, the WAAE would restrict the access to all the users (Authentication would fail) as it's registered to work with primary EEM server which is not reachable.
For the EEM failover mechanism to function appropriately:
  • Ensure all the EEM servers in multi-write are up and running
  • Login to the WAAE command prompt and execute the command: autosys_secure
  • Follow the prompt, Choose the options: 
# autosys_seucre > [2] Manage CA EEM security settings > [1] Manage CA EEM server settings. > [2] Set CA EEM server location and regenerate certificate:
  • Type the CA EEM server name(s). Comma-separate between the nodes (eem01.ca.com,eem02.ca.com) when prompts.
  • Type the CA EEM administrator name followed by its password and confirm the password to see the confirmation [with the list of EEM servers]
For WCC, verify if all the EEM servers are listed in its configuration.
# ./wcc_config.sh -u ejmcommander -p ejmcommander --displayeem
Logging in as 'ejmcommander' - SUCCESS
EEM Server
Host Name: eem01.ca.com,eem02.ca.com
Admin ID: EiamAdmin
Admin PW: *****
Application ID: WCC0004
Certificate Name: wcc.pem
Certificate Key File: wcc.key
In case the wcc_config utility does not list all the nodes of the EEM servers in the same order as they are registered in AE, it is recommended to re-register the EEM servers to correct the order and regenerate certificates.

The procedures for the aforementioned are documented with details in the following article: 
https://comm.support.ca.com/kb/how-to-regenerate-eem-certificates-for-ca-workload-automation-ae-and-ca-workload-control-center/kb000009957
    The WAAE and WCC are now registered with all the nodes of EEM Multiwrite setup. There would not be a problem if EEM primary goes down. Both WAAE and WCC would work with secondary or available EEM servers in the list.