Failed to process CT_KIP clientNonceRequest error when trying to import an RSA SecurID software token using CT-KIP for RSA Authentication Manager 8.x
Originally Published: 2020-04-17
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
When end users try to import an RSA SecurID software token to their device using CT-KIP, the import fails. The end user sees the following error:
Token import failed. Verify that the information entered is correct or contact your administrator.
The System Activity Monitor shows the following errors while trying to import the token:
Administrator “SYSTEM” attempted to execute command “com.rsa.authmgr.internal.ctkip.command.ProcessCTKIPClientRequestCommand”
<EJB exception occurred during invocation from home or business: com.rsa.command.CommandServerEjb30_vraifm_Intf generated exception: com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR
Caused by: com.rsa.common.SystemException: com.rsa.common.SystemException: com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT_KIP clientNonceRequest com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT-KIP clientNonceRequest. Status code = Abort
Caused by: com.rsa.common.SystemException:
com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT_KIP clientNonceRequest com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT-KIP clientNonceRequest. Status code = Abort
Caused by: com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT_KIP clientNonceRequest com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT-KIP clientNonceRequest. Status code = Abort>
Cause
Resolution
- Download a new copy of your RSA Authentication Manager license from https://my.rsa.com/. Follow the steps in article 000038632 - Downloading RSA Authentication Manager license files or RSA Software token seed records.
Because all of the license files available on myRSA have been updated, you must download the new license even if you have an old copy of the license files stored locally.
- Create a Backup Using Back Up Now.
- Enable SSH on the primary RSA Authentication Manager server.
- Using WinSCP, copy the defaultRSAToolbar.cer and defaultRSAToolbar.key from the newly downloaded license to /tmp on the primary RSA Authentication Manager server.
- Launch an SSH client, such as PuTTY.
- Log in to the primary RSA Authentication Manager server as rsaadmin and enter the operating system password.
During Quick Setup another username may have been selected. Use that username to log in.
login as: rsaadmin
Using keyboard-interactive authentication.
Password:<enter operating system password>
Last login: Mon Apr 20 16:39:41 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
- Get the database password. The password string is different for each deployment of RSA Authentication Manager.
rsaadmin@primary:> /opt/rsa/am/utils/rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
com.rsa.db.dba.password: u2Z8iMYLWmaT2hgdIdNUjBLFKiMnJw
- Capture the com.rsa.db.dba.password in the output above, then use it to access the database:
rsaadmin@primary:> /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba: <enter the com.rsa.db.dba.password from above>
- Run the following SQL statement:
DELETE FROM rsa_rep.ims_config_value WHERE name LIKE '%ctkip.service.keystore%';
- Exit the database by typing \q, then run the following commands:
rsaadmin@primary:> cd /opt/rsa/am/utils
rsaadmin@primary:> ./rsautil install-ctkip-keystore -l /tmp -k defaultRSAToolbar.key -c defaultRSAToolbar.cer
- Restart the RSA Authentication Manager services:
rsaadmin@primary:> cd /opt/rsa/am/server
rsaadmin@primary:> ./rsaserv restart all
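A preflight check for the files copied to /tmp in the steps above, as an added example that is not part of the original RSA article: it confirms that defaultRSAToolbar.cer and defaultRSAToolbar.key form a matching pair and that the certificate is not about to expire before install-ctkip-keystore is run. It assumes OpenSSL is available where the check runs and that the files are PEM or DER encoded; the function names, return codes and 24-hour default threshold are illustrative.

```shell
#!/bin/sh
# Added example (not RSA code): verify the CT-KIP certificate/key pair
# before running install-ctkip-keystore.
# Assumptions: OpenSSL is installed; the files are PEM or DER encoded.

# Print the certificate's public key (try PEM, then DER).
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -noout -pubkey 2>/dev/null
}

# Print the public key derived from the private key (try PEM, then DER).
# "-passin pass:" makes an encrypted key fail instead of prompting.
key_pubkey() {
    openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null ||
        openssl pkey -inform DER -in "$1" -pubout -passin pass: 2>/dev/null
}

# Succeed if the certificate is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1 ||
        openssl x509 -inform DER -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# check_ctkip_pair DIR [MIN_SECONDS]
# Returns 0 = pair usable, 1 = file missing or unparsable,
#         2 = key does not match certificate, 3 = certificate expired/expiring.
check_ctkip_pair() {
    dir=$1
    min_seconds=${2:-86400}            # illustrative default: 24 hours
    cer="$dir/defaultRSAToolbar.cer"
    key="$dir/defaultRSAToolbar.key"
    [ -r "$cer" ] && [ -r "$key" ] || return 1
    cpub=$(cert_pubkey "$cer") || return 1
    kpub=$(key_pubkey "$key") || return 1
    [ "$cpub" = "$kpub" ] || return 2
    cert_valid_for "$cer" "$min_seconds" || return 3
    return 0
}

# Usage: sh check_ctkip.sh /tmp
if [ "$#" -ge 1 ]; then
    rc=0
    check_ctkip_pair "$1" || rc=$?
    echo "check_ctkip_pair $1: status $rc"
    exit "$rc"
fi
```

Run it against /tmp after the WinSCP copy and before the install-ctkip-keystore step; the script only reads the two files and changes nothing on the server.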